How to Solve Kubernetes EBS CSI Driver UnauthorizedOperation Error?

If your Kubernetes EC2 nodes lack the necessary IAM roles, they will be unable to create or remove EBS volumes.

Photo by Arun Prakash on Unsplash

You may have seen this error in your logs:

ebs.csi.aws.com_ebs-csi-controller-5b769c467d-pk4pz_353ab676-bef1-4762-a1e6-4bf681481bde  
failed to provision volume with StorageClass "ebs-storageclass": rpc error: code = Internal desc = Could not create volume "pvc-86762d01-e618-4b2c-8dcf-7508955d870b": 
could not create volume in EC2: UnauthorizedOperation: You are not authorized to perform this operation. 
Encoded authorization failure message: ...

You should create a new policy on IAM:

{
 "Version": "2012-10-17",
 "Statement": [{
  "Sid": "VisualEditor0",
  "Effect": "Allow",
  "Action": [
   "ec2:CreateVolume",
   "ec2:DeleteVolume",
   "ec2:DetachVolume",
   "ec2:AttachVolume",
   "ec2:DescribeInstances",
   "ec2:CreateTags",
   "ec2:DeleteTags",
   "ec2:DescribeTags",
   "ec2:DescribeVolumes"
  ],
  "Resource": "*"
 }]
}

It should be like this:

Find your EKS cluster’s role arn:

➜  ~ kubectl -n kube-system describe configmap aws-auth | grep role

rolearn: arn:aws:iam::905398248935:role/eksctl-adil-eks-cluster-nodegroup-NodeInstanceRole-EUND5KEK6W3O

You should attach the policy you have created to your EKS’s clusters role:

aws iam attach-role-policy --role-name eksctl-adil-eks-cluster-nodegroup-NodeInstanceRole-EUND5KEK6W3O --policy-arn arn:aws:iam::905398248935:policy/adil-blog-EKS-EC2-CSI-Permission

You may want to attach the policy via UI:

Attach Policies

Choose the policy you created:

That’s it. Your EKS Cluster should be able to create/delete EBS volumes now.