当尝试使用 Amazon EKS 创建 Fargate 配置文件时(使用命令 eksctl create cluster --name myclustername --version 1.14 --fargate),我得到以下输出:
[✔] all EKS cluster resources for "myclustername" have been created
[✔] saved kubeconfig as "/home/connor/.kube/config"
[ℹ] creating Fargate profile "fp-default" on EKS cluster "myclustername"
Error: failed to create Fargate profile "fp-default" on EKS cluster "myclustername": failed to create Fargate profile "fp-default": AccessDeniedException: Account 339969016160 is not authorized to use this service
status code: 403, request id: 1db7cf38-002e-48b8-8fa6-8a7b7eab324d
你知道我需要添加什么权限来解决这个问题吗?只要有可能,我更喜欢通过 CLI 执行所有管理工作。
发布于 2020-01-13 08:24:05
这个错误信息很糟糕,因为它暗示这是一个权限问题,而真正的问题是,截至2020年1月12日,Fargate with EKS (Kubernetes) 仅在四个区域受支持:
Region Name Region
US East (Ohio) us-east-2
US East (N. Virginia) us-east-1
Asia Pacific (Tokyo) ap-northeast-1
EU (Ireland) eu-west-1
请参阅:https://docs.aws.amazon.com/eks/latest/userguide/fargate.html
虽然从您的描述中看不出来,但我怀疑您正在尝试使用上面列表中没有的区域。
请注意,只要不与EKS结合使用,fargate就可以在更多的区域中使用。
发布于 2020-03-15 12:25:30
调试的最好方法可能是在集群的 CloudFormation 事件日志中查找导致失败的错误。它应该会告诉您问题的原因,无论是区域过载,还是权限/IAM 相关的问题。
您还可以将--verbose 5添加到eksctl命令中,以在控制台中查看更好的输出。
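如果与权限相关,而不是区域容量错误,请确保您使用的 AWS 用户/配置文件至少具有以下权限。注意:下面的 CloudFormation 和 EKS 策略使用了通配符操作(cloudformation:*、eks:*)和 "Resource": "*",IAM 策略还允许在 eksctl-* 前缀下创建角色并为其附加任意策略(iam:CreateRole、iam:AttachRolePolicy、iam:PutRolePolicy、iam:PassRole)。在共享或生产账户中,应把这些策略挂到专用于 eksctl 的角色上,尽量按账户、区域和资源名收窄 Resource,并考虑为该角色设置权限边界(permissions boundary):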
# Cloud Formation
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "eksCtlCloudFormation",
"Effect": "Allow",
"Action": "cloudformation:*",
"Resource": "*"
}
]
}
# EKS
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:*"
],
"Resource": "*"
}
]
}
#Autoscaling
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"autoscaling:CreateLaunchConfiguration",
"autoscaling:DeleteLaunchConfiguration"
],
"Resource": "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:CreateAutoScalingGroup"
],
"Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations"
],
"Resource": "*"
}
]
}
#IAM
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetRole",
"iam:GetInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:ListInstanceProfiles",
"iam:AddRoleToInstanceProfile",
"iam:ListInstanceProfilesForRole",
"iam:PassRole",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:GetRolePolicy"
],
"Resource": [
"arn:aws:iam::<AWS Acct Id>:instance-profile/eksctl-*",
"arn:aws:iam::<AWS Acct Id>:role/eksctl-*"
]
}
]
}
#Networking
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EksInternetGateway",
"Effect": "Allow",
"Action": "ec2:DeleteInternetGateway",
"Resource": "arn:aws:ec2:*:*:internet-gateway/*"
},
{
"Sid": "EksNetworking",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:CreateNatGateway",
"ec2:CreateVpc",
"ec2:AttachInternetGateway",
"ec2:DescribeVpcAttribute",
"ec2:DeleteRouteTable",
"ec2:AssociateRouteTable",
"ec2:DescribeInternetGateways",
"ec2:CreateRoute",
"ec2:CreateInternetGateway",
"ec2:RevokeSecurityGroupEgress",
"ec2:CreateSecurityGroup",
"ec2:ModifyVpcAttribute",
"ec2:DeleteInternetGateway",
"ec2:DescribeRouteTables",
"ec2:ReleaseAddress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:DeleteRoute",
"ec2:CreateRouteTable",
"ec2:DetachInternetGateway",
"ec2:DescribeNatGateways",
"ec2:DisassociateRouteTable",
"ec2:AllocateAddress",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:DeleteNatGateway",
"ec2:DeleteVpc",
"ec2:CreateSubnet",
"ec2:DescribeSubnets"
],
"Resource": "*"
}
]
}
https://stackoverflow.com/questions/59673755