How to Solve Kubernetes EBS CSI Driver UnauthorizedOperation Error?

Aug 1, 2023

If the IAM role of your Kubernetes EC2 nodes lacks the necessary permissions, the nodes will be unable to create or remove EBS volumes.



You may have seen this error in your logs:  
failed to provision volume with StorageClass "ebs-storageclass": rpc error: code = Internal desc = Could not create volume "pvc-86762d01-e618-4b2c-8dcf-7508955d870b":
could not create volume in EC2: UnauthorizedOperation: You are not authorized to perform this operation.
Encoded authorization failure message: ...

You should create a new policy in IAM:

"Version": "2012-10-17",
"Statement": [{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"Resource": "*"

It should be like this:

Find your EKS cluster’s role ARN:

➜  ~ kubectl -n kube-system describe configmap aws-auth | grep role
rolearn: arn:aws:iam::905398248935:role/eksctl-adil-eks-cluster-nodegroup-NodeInstanceRole-EUND5KEK6W3O

You should attach the policy you have created to your EKS cluster’s role:

aws iam attach-role-policy --role-name eksctl-adil-eks-cluster-nodegroup-NodeInstanceRole-EUND5KEK6W3O --policy-arn arn:aws:iam::905398248935:policy/adil-blog-EKS-EC2-CSI-Permission

You may want to attach the policy via the UI instead:

Attach Policies

Choose the policy you created:

That’s it. Your EKS Cluster should be able to create/delete EBS volumes now.
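
The error above carries an encoded authorization failure message; decoding it names the exact action that was denied, so you can check that the policy covers it and that the policy is attached to the node role. The helpers below are an added example, not from the original post: the function names are hypothetical, the decoded-message layout is an assumption, and the sample values are constructed.

```shell
#!/usr/bin/env bash
# Added example. Function names are hypothetical; the aws calls are only
# made when you invoke the wrappers yourself.

# `aws iam` wants the role *name*: the last segment of the ARN, because a
# role ARN may carry a path (arn:aws:iam::<account>:role/<path>/<name>).
role_name_from_arn() { printf '%s\n' "${1##*/}"; }

# Read `kubectl -n kube-system describe configmap aws-auth` output on stdin
# and print each distinct role ARN once.
role_arns_from_aws_auth() {
  grep -o 'arn:aws[a-z-]*:iam::[0-9]*:role/[^[:space:]"]*' | sort -u
}

# Read a decoded authorization message (JSON) on stdin and print the action
# or resource that was denied.
denied_action()   { grep -o '"action" *: *"[^"]*"'   | head -n 1 | cut -d'"' -f4; }
denied_resource() { grep -o '"resource" *: *"[^"]*"' | head -n 1 | cut -d'"' -f4; }

# Decode the "Encoded authorization failure message" value from the log.
# The caller needs sts:DecodeAuthorizationMessage.
decode_failure() {
  aws sts decode-authorization-message --encoded-message "$1" \
    --query DecodedMessage --output text
}

# Exit 0 only if policy ARN $2 is attached to role name $1.
policy_is_attached() {
  aws iam list-attached-role-policies --role-name "$1" \
    --query 'AttachedPolicies[].PolicyArn' --output text |
    tr '\t' '\n' | grep -qxF "$2"
}

# Typical use against a real cluster:
#   decode_failure "<encoded message from the log>" | denied_action
#   policy_is_attached "$(role_name_from_arn "<role ARN>")" "<policy ARN>"

# Offline demo on a constructed decoded message (field layout assumed,
# account ID and role name are placeholders).
SAMPLE_DECODED='{"allowed":false,"explicitDeny":false,"context":{"principal":{"arn":"arn:aws:sts::111122223333:assumed-role/example-node-role/i-0123456789abcdef0"},"action":"ec2:CreateVolume","resource":"arn:aws:ec2:eu-west-1:111122223333:volume/*"}}'
printf 'denied: %s on %s\n' \
  "$(printf '%s\n' "$SAMPLE_DECODED" | denied_action)" \
  "$(printf '%s\n' "$SAMPLE_DECODED" | denied_resource)"
```

If the decoded action is one the policy does not list, add that action to the policy before reaching for a wider grant.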