AWS EKS: User cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope

Hi, I cannot get past this error; it prevents me from creating a Cluster Role Binding while I try to provision a new EKS cluster and its associated resources. Here are the details of my workflow:

  1. Two AWS accounts, DEV and STAGING
  2. Within the STAGING account, I have an IAM role Anonymous, which can assume Admin roles in both accounts; this IAM role should have full access to everything
  3. I am trying to create the new EKS cluster and its resources in the DEV account
  4. I am using the Atlantis tool. Atlantis uses the IAM role Anonymous to run Plan and Apply

Essentially, I get an error saying the Service Account Anonymous does not have the proper permissions to create the clusterrolebindings resource. I’m not sure why; am I confusing the Anonymous SA and the Anonymous IAM role?

Here is the error:

│ Error: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:default:Anonymous" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
│ 
│   with module.eks-cluster.kubernetes_cluster_role_binding.cluster_rb,
│   on file.tf line xxx, in resource "kubernetes_cluster_role_binding" "cluster-role-binding":
│  xxx: resource "kubernetes_cluster_role_binding" "cluster-role-binding" {

Here is my Terraform. This is to create a read-only role that others can access (the view-only cluster role does exist):

# Cluster-wide binding: members of the "read-only" group get the existing
# "view-only" ClusterRole.
resource "kubernetes_cluster_role_binding" "cluster_read-only" {
  metadata {
    name = "cluster-role-binding"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "view-only"
  }

  subject {
    kind      = "Group"
    name      = "read-only"
    api_group = "rbac.authorization.k8s.io"
  }
}

I try to assign the proper permissions to the Anonymous SA with the code shown below but it doesn’t work. If anyone has suggestions, please let me know.

# Attempt to grant cluster-admin to the Anonymous ServiceAccount (default
# namespace) and to the system:masters group.
resource "kubernetes_cluster_role_binding" "cluster_admin_access" {
  metadata {
    name = "cluster-role-binding-admin"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }

  subject {
    kind      = "ServiceAccount"
    name      = "Anonymous"
    namespace = "default"
  }

  subject {
    kind      = "Group"
    name      = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}
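Editor's note and added example (not part of the original post). The user string in the error, `system:serviceaccount:default:Anonymous`, is the name the Kubernetes API server gives to a ServiceAccount token, so the Terraform kubernetes provider was authenticating with a pod ServiceAccount, not with the IAM role `Anonymous`. When a `provider "kubernetes"` block carries no connection settings and Terraform runs inside a pod (as Atlantis does), the provider falls back to in-cluster configuration and presents the pod's mounted ServiceAccount token; that is the most likely cause here, stated as an assumption. The second binding cannot repair this: RBAC refuses to let a principal create a ClusterRoleBinding it is not already permitted to create, and it will not let a caller bind a role whose permissions it does not itself hold unless it has the `bind` verb on that role, so a ServiceAccount with no RBAC permissions cannot grant itself cluster-admin. The fix is to make the provider authenticate as the IAM role that is mapped to cluster-admin in the cluster's `aws-auth` ConfigMap (the identity that created the cluster is mapped to `system:masters` automatically). The block below is an added example, not the poster's code; `var.cluster_name` and `var.admin_role_arn` are assumed inputs, the `aws` provider for the DEV account is assumed to be configured already, and `aws` is the AWS CLI on the Atlantis image.

```hcl
# Added example: authenticate the kubernetes provider as an IAM role via
# `aws eks get-token` instead of the pod's ServiceAccount token.
# Assumed (hypothetical) inputs: var.cluster_name and var.admin_role_arn.

variable "cluster_name" {
  type = string
}

variable "admin_role_arn" {
  # IAM role mapped to system:masters (cluster-admin) in the aws-auth ConfigMap
  # of the DEV cluster, e.g. the Admin role that Anonymous is allowed to assume.
  type = string
}

# Endpoint and CA of the target cluster, read with the DEV-account aws provider.
data "aws_eks_cluster" "this" {
  name = var.cluster_name
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.this.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)

  # Fetch a short-lived token for the IAM role on each API call. Because the
  # provider is given an explicit exec credential, it no longer falls back to
  # the in-cluster ServiceAccount, and the API server sees the mapped IAM user.
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args = [
      "eks", "get-token",
      "--cluster-name", var.cluster_name,
      "--role-arn", var.admin_role_arn,
    ]
  }
}
```

With the provider authenticated this way, the read-only binding from the post applies unchanged and the self-granting `cluster_admin_access` binding can be dropped; granting `cluster-admin` to a ServiceAccount in the `default` namespace would only widen the blast radius of any pod that can read that namespace's secrets. To confirm the identity before running Atlantis, build a kubeconfig with `aws eks update-kubeconfig --name <cluster> --role-arn <role>` and run `kubectl auth can-i create clusterrolebindings.rbac.authorization.k8s.io`; on kubectl 1.28 or later, `kubectl auth whoami` prints the username the API server resolved, which should no longer start with `system:serviceaccount:`.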