Kubernetes with kops in AWS – how to attach IAM policies to the IAM role used to create services


Learning to K8 with Kops within AWS (I'm ok in the AWS zone I think), I'm working through setting up a simple service described in this medium article:
After deploying the service I get an IAM permissions error (redacted account number & domain name):

 Warning  SyncLoadBalancerFailed  19m                  service-controller  Error syncing load balancer: failed to ensure load balancer: Error creating load balancer: "AccessDenied: User: arn:aws:sts::${AWS::Account}:assumed-role/masters.myfirstcluster.kops.${domain_name}/i-08a3ce916f7e03e55 is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::${AWS::Account}:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\n\tstatus code: 403, request id: c1a0598a-cd23-4e2a-9fd6-58904cbe76d5"

The AWS IAM Role, which is created by the kops binary masters.myfirstcluster.kops., which has been assumed by i-08a3ce916f7e03e55, and indeed it does not have a policy which would allow the API request. The role is created by the kops binary upon intstall.

Is there a kops API method to set the required policy to the role, or it is necessary to do this via AWS API?

Best Answer

Answering own question:

It was necesssary to change the policy attached to the master role (see IAM Roles), adding the following section to the spec: key, kops edit cluster myfirstcluster.kops.${domain_name}:

    master: |
          "Effect": "Allow",
          "Action": [ "iam:CreateServiceLinkedRole"],
          "Resource": ["*"]
Related Topic