[aws-eks] Fail to create FargateProfile - Missing permissions for `ec2:DescribeSubnets`

[pahud]

We just annouced the Fargate support for Amazon EKS in 4 additional regions and I was trying to deploy a simple EKS+Fargate cluster to them ended up missiong permissions failure in eu-central-1, ap-southeast-1 and ap-southeast-2.

Reproduction Steps

import * as cdk from '@aws-cdk/core';
import * as eks from '@aws-cdk/aws-eks';
import * as ec2 from '@aws-cdk/aws-ec2';
import * as iam from '@aws-cdk/aws-iam';

export class EksfgStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const vpc = new ec2.Vpc(this, 'Vpc', {
        maxAzs: 3,
        natGateways: 1
      });

    const mastersRole = new iam.Role(this, 'AdminRole', {
      assumedBy: new iam.AccountRootPrincipal()
    });

    const cluster = new eks.Cluster(this, 'Cluster', {
      vpc,
      mastersRole
    });

    cluster.addFargateProfile('FargateProfile', {
      selectors: [
        { namespace: 'default' },
        { namespace: 'kube-system' },
      ]
    })

    new cdk.CfnOutput(this, 'Region', { value: this.region })

  }
}

Error Log

Cluster/fargate-profile-FargateProfile/Resource/Default (ClusterfargateprofileFargateProfileA6BADBA5) Failed to create resource. Error: Missing permissions for `ec2:DescribeSubnets` action

Environment

• CLI Version : 1.35.0
• Framework Version: 1.35.0
• OS : Mac OS X
• Language : Typescript

Other

---

This is 🐛 Bug Report

[river0825]

+1
I have the same issue too

Reproduction Steps

import * as cdk from '@aws-cdk/core';
import * as ec2 from '@aws-cdk/aws-ec2';
import * as eks from '@aws-cdk/aws-eks';


export class CdkPracticeStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    
    
    const vpc = new ec2.Vpc(this, 'TheVPC', {
      cidr: "10.0.0.0/16"
    })
    
    
    const cluster = new eks.FargateCluster(this, 'hello-eks', {
      clusterName: "cdk-practice",
      vpc: vpc
      // defaultCapacityInstance: new ec2.InstanceType("t3.micro")
    });
    
    cluster.addResource('mypod', {
      apiVersion: 'v1',
      kind: 'Pod',
      metadata: { name: 'mypod' },
      spec: {
        containers: [
          {
            name: 'hello',
            image: 'paulbouwer/hello-kubernetes:1.5',
            ports: [ { containerPort: 8080 } ]
          }
        ]
      }
    });
    // The code that defines your stack goes here
  }
}

Environment

• Cloud 9
• CLI Version : 1.35.0
• Framework Version: 1.35.0
• Language: Typescript
• Region: ap-southeast-1

Error

[pahud]

this is weird I can successfully deploy it in us-west-2 but all failed in the other 3 regions.

[eduardomourar]

I can confirm the same behavior while creating the fargate profile in region eu-central-1. A workaround for that is to add ec2:* policy to the cluster creation role:

    const cluster = new eks.Cluster(this, 'Cluster', {
      vpc,
      mastersRole
    })

    const clusterResource = cluster.node.defaultChild as cdk.CfnResource
    const clusterCreationRole = clusterResource.node.tryFindChild('CreationRole') as iam.Role
    clusterCreationRole.addToPolicy(new iam.PolicyStatement({
      actions: [ 'ec2:*' ],
      resources: [ '*' ],
    }))

[pahud]

@eduardomourar thanks for the feedback. As Fargate profile would only associate with private subnets, if no subnetSelection property provided for the FargateProfile resource, the creation role will try to figure out the private subnet IDs hense require extra permissions such as ec2:DescribeSubnets and it looks like it would require more than that. In this case, if we create the EKS cluster with a provided VPC which has no private subnets and we don't specify subnets for the Cluster resource, the cluster will still be created with no error with all public subnets associated with it, but the Fargate Profile, on the other hand, will not be able to be created as all subnets associated with this cluster are pubilc only.

PR underway.

[pahud]

After checking the cloudtrail logs, the creation role will also need ec2:DescribeRouteTables to determine if there's any private subnets.

[pahud]

Now the question is, how can we determine if there are private subnets associated with this cluster? If we can check this, we can throw errors and avoid this error:

Wondering if we can do this way

const privateSubnets = cluster.vpc.selectSubnets({ subnetType: ec2.SubnetType.PRIVATE }).subnetIds
if (!privateSubnets || privateSubnets.length === 0) {
      throw new Error('Fargate profile requires at least one private subnet but no private subnets found from the subnetSelection')
}

@eladb any comments?

[eladb]

Can we just add those permissions always?

[pahud]

Can we just add those permissions always?

Yes, looks like adding the additional ec2:DescribeRouteTables will fix this issue. I am testing manually in different regions. Will create a PR for it today.