【Question title】: Failed to create fargate profile
【Posted】: 2020-04-27 15:15:58
【Question description】:

When trying to create a Fargate profile with Amazon EKS (using the command eksctl create cluster --name myclustername --version 1.14 --fargate), I get

[✔]  all EKS cluster resources for "myclustername" have been created
[✔]  saved kubeconfig as "/home/connor/.kube/config"
[ℹ]  creating Fargate profile "fp-default" on EKS cluster "myclustername"
Error: failed to create Fargate profile "fp-default" on EKS cluster "myclustername": failed     to create Fargate profile "fp-default": AccessDeniedException: Account 339969016160 is not authorized to use this service
status code: 403, request id: 1db7cf38-002e-48b8-8fa6-8a7b7eab324d

Any thoughts on what permissions I need to add to fix this? I would prefer to do all management through the CLI where possible.

【Question discussion】:

    Tags: amazon-web-services amazon-iam amazon-eks aws-fargate


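    【Solution 1】:

    The error is terrible because it suggests a permissions problem, whereas the real problem is that, as of January 12, 2020, only four regions support Fargate with EKS (Kubernetes):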

    Region Name             Region
    US East (Ohio)          us-east-2
    US East (N. Virginia)   us-east-1
    Asia Pacific (Tokyo)    ap-northeast-1
    EU (Ireland)            eu-west-1
    

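    See: https://docs.aws.amazon.com/eks/latest/userguide/fargate.html

    Although it is not evident from your notes, I suspect you are trying to use a region that is not in the list above.

    Note that Fargate is available in more regions as long as it is not used in combination with EKS.

    【Discussion】:

    • I ran into the same problem, but I am using us-east-2
    • Thanks! I was using eu-west-2 as the region and got this error. Changing it to eu-west-1 fixed it. And yes, terrible error message.
    【Solution 2】: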

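    The best way to debug this is probably to look for the responsible error in the CloudFormation event log for the cluster. It should tell you the cause of the problem, and whether it is a region overload or a permissions/IAM-related issue.

    You can also add --verbose 5 to the eksctl command to see better output in the console.

    If it is permissions-related rather than a region capacity error, make sure the AWS user/profile you are using has at least the following permissions: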

    # Cloud Formation
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "eksCtlCloudFormation",
                "Effect": "Allow",
                "Action": "cloudformation:*",
                "Resource": "*"
            }
        ]
    }
    
    
    # EKS
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "eks:*"
                ],
                "Resource": "*"
            }
        ]
    }
    
    #Autoscaling
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "autoscaling:CreateLaunchConfiguration",
                    "autoscaling:DeleteLaunchConfiguration"
                ],
                "Resource": "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "autoscaling:UpdateAutoScalingGroup",
                    "autoscaling:DeleteAutoScalingGroup",
                    "autoscaling:CreateAutoScalingGroup"
                ],
                "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*"
            },
            {
                "Sid": "VisualEditor2",
                "Effect": "Allow",
                "Action": [
                    "autoscaling:DescribeAutoScalingGroups",
                    "autoscaling:DescribeLaunchConfigurations"
                ],
                "Resource": "*"
            }
        ]
    }
    
    #IAM
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "iam:CreateInstanceProfile",
                    "iam:DeleteInstanceProfile",
                    "iam:GetRole",
                    "iam:GetInstanceProfile",
                    "iam:RemoveRoleFromInstanceProfile",
                    "iam:CreateRole",
                    "iam:DeleteRole",
                    "iam:AttachRolePolicy",
                    "iam:PutRolePolicy",
                    "iam:ListInstanceProfiles",
                    "iam:AddRoleToInstanceProfile",
                    "iam:ListInstanceProfilesForRole",
                    "iam:PassRole",
                    "iam:DetachRolePolicy",
                    "iam:DeleteRolePolicy",
                    "iam:GetRolePolicy"
                ],
                "Resource": [
                    "arn:aws:iam::<AWS Acct Id>:instance-profile/eksctl-*",
                    "arn:aws:iam::<AWS Acct Id>:role/eksctl-*"
                ]
            }
        ]
    }
    
    #Networking
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EksInternetGateway",
                "Effect": "Allow",
                "Action": "ec2:DeleteInternetGateway",
                "Resource": "arn:aws:ec2:*:*:internet-gateway/*"
            },
            {
                "Sid": "EksNetworking",
                "Effect": "Allow",
                "Action": [
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:DeleteSubnet",
                    "ec2:DeleteTags",
                    "ec2:CreateNatGateway",
                    "ec2:CreateVpc",
                    "ec2:AttachInternetGateway",
                    "ec2:DescribeVpcAttribute",
                    "ec2:DeleteRouteTable",
                    "ec2:AssociateRouteTable",
                    "ec2:DescribeInternetGateways",
                    "ec2:CreateRoute",
                    "ec2:CreateInternetGateway",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:CreateSecurityGroup",
                    "ec2:ModifyVpcAttribute",
                    "ec2:DeleteInternetGateway",
                    "ec2:DescribeRouteTables",
                    "ec2:ReleaseAddress",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:DescribeTags",
                    "ec2:CreateTags",
                    "ec2:DeleteRoute",
                    "ec2:CreateRouteTable",
                    "ec2:DetachInternetGateway",
                    "ec2:DescribeNatGateways",
                    "ec2:DisassociateRouteTable",
                    "ec2:AllocateAddress",
                    "ec2:DescribeSecurityGroups",
                    "ec2:RevokeSecurityGroupIngress",
                    "ec2:DeleteSecurityGroup",
                    "ec2:DeleteNatGateway",
                    "ec2:DeleteVpc",
                    "ec2:CreateSubnet",
                    "ec2:DescribeSubnets"
                ],
                "Resource": "*"
            }
        ]
    }
    

    【Discussion】:
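
An added example, not part of the original answers and not eksctl or AWS code: a simplified offline evaluation of a subset of the Solution 2 policy, used to check which requests that policy covers before looking elsewhere for the cause of a 403. The account ID 111122223333, the role names, the request list and the `is_allowed`/`preflight` helpers are assumptions made for illustration; only Allow statements with Action and Resource are modelled.

```python
from fnmatch import fnmatchcase

# Subset of the Solution 2 statements; account ID 111122223333 is a
# constructed placeholder for "<AWS Acct Id>".
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["eks:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:PassRole"],
         "Resource": ["arn:aws:iam::111122223333:instance-profile/eksctl-*",
                      "arn:aws:iam::111122223333:role/eksctl-*"]},
    ],
}

# Constructed requests: the Fargate profile call in an unlisted region, and
# PassRole on an eksctl-named role versus a hand-named role (hypothetical).
CHECKS = [
    ("eks:CreateFargateProfile",
     "arn:aws:eks:eu-west-2:111122223333:cluster/myclustername"),
    ("iam:PassRole",
     "arn:aws:iam::111122223333:role/eksctl-myclustername-FargatePodExecRole"),
    ("iam:PassRole", "arn:aws:iam::111122223333:role/my-fargate-pod-role"),
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified check: Allow statements with Action/Resource only.
    Deny, NotAction, Condition, SCPs and boundaries are not modelled."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive; ARNs are matched as-is.
        action_ok = any(fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatchcase(resource, r)
                          for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False

def preflight(policy, checks):
    """Return the (action, resource) pairs the policy does not allow."""
    return [(a, r) for a, r in checks if not is_allowed(policy, a, r)]

if __name__ == "__main__":
    for action, resource in preflight(POLICY, CHECKS):
        print("not allowed by this policy:", action, resource)
```

The `eks:*` statement already covers `eks:CreateFargateProfile` in eu-west-2, so a 403 there is not explained by this policy, while `iam:PassRole` is granted only for roles whose names start with `eksctl-`.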
