How to Solve Kubernetes EBS CSI Driver UnauthorizedOperation Error?

adil
2 min read · Aug 1, 2023

If the IAM role attached to your Kubernetes EC2 nodes lacks the necessary permissions, the nodes will be unable to create or remove EBS volumes.

You may have seen this error in your logs:

ebs.csi.aws.com_ebs-csi-controller-5b769c467d-pk4pz_353ab676-bef1-4762-a1e6-4bf681481bde  
failed to provision volume with StorageClass "ebs-storageclass": rpc error: code = Internal desc = Could not create volume "pvc-86762d01-e618-4b2c-8dcf-7508955d870b":
could not create volume in EC2: UnauthorizedOperation: You are not authorized to perform this operation.
Encoded authorization failure message: ...

Create a new IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
      "ec2:CreateVolume",
      "ec2:DeleteVolume",
      "ec2:DetachVolume",
      "ec2:AttachVolume",
      "ec2:DescribeInstances",
      "ec2:CreateTags",
      "ec2:DeleteTags",
      "ec2:DescribeTags",
      "ec2:DescribeVolumes"
    ],
    "Resource": "*"
  }]
}

Find your EKS cluster’s node role ARN:

➜  ~ kubectl -n kube-system describe configmap aws-auth | grep role
rolearn: arn:aws:iam::905398248935:role/eksctl-adil-eks-cluster-nodegroup-NodeInstanceRole-EUND5KEK6W3O

Attach the policy you created to your EKS cluster’s node role:

aws iam attach-role-policy --role-name eksctl-adil-eks-cluster-nodegroup-NodeInstanceRole-EUND5KEK6W3O --policy-arn arn:aws:iam::905398248935:policy/adil-blog-EKS-EC2-CSI-Permission

You can also attach the policy through the IAM console: open the role, choose Attach Policies, and select the policy you created.

That’s it. Your EKS Cluster should be able to create/delete EBS volumes now.
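
To confirm that the policies on the node role cover every action listed in the policy above, you can run a static check over the policy JSON (for example, the document returned by `aws iam get-policy-version`). This is an added example, not code from the original post; the function names and the sample policy are constructed for illustration, and the check evaluates only the Effect and Action elements.

```python
import fnmatch
import json

# The nine actions from the policy shown in this post.
REQUIRED_ACTIONS = [
    "ec2:CreateVolume", "ec2:DeleteVolume", "ec2:DetachVolume",
    "ec2:AttachVolume", "ec2:DescribeInstances", "ec2:CreateTags",
    "ec2:DeleteTags", "ec2:DescribeTags", "ec2:DescribeVolumes",
]


def _as_list(value):
    """IAM accepts a single string/object where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), str(p).lower()) for p in patterns)


def missing_actions(policy_documents, required=REQUIRED_ACTIONS):
    """Return the required actions that the given policy documents do not grant.

    Simplification (assumption): only Effect and Action are evaluated; Resource,
    Condition and NotAction are ignored, and any matching Deny counts as a denial.
    """
    allowed, denied = set(), set()
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement")):
            patterns = _as_list(stmt.get("Action"))
            target = allowed if stmt.get("Effect") == "Allow" else denied
            target.update(a for a in required if _matches(a, patterns))
    return [a for a in required if a not in allowed or a in denied]


# Constructed sample: a role policy that can manage volumes but cannot tag them.
SAMPLE_INCOMPLETE = json.loads("""
{"Version": "2012-10-17", "Statement": {
  "Effect": "Allow",
  "Action": ["ec2:*Volume", "ec2:Describe*"],
  "Resource": "*"}}
""")

if __name__ == "__main__":
    print("missing:", missing_actions([SAMPLE_INCOMPLETE]))
```

Any action this reports as missing is a candidate cause of the UnauthorizedOperation error in the controller log.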
