How to troubleshoot IAM issues on EKS
The first thing you need to do is determine whether this is an IAM permissions issue. If we look at the error message in the following example, we can see a very clear AccessDenied error message for an AWS API operation – in this case, the ListBuckets operation. This is a clear indicator that it’s an IAM error:
$ kubectl run -ti cli --image=amazon/aws-cli --overrides='{ "spec": { "serviceAccount": "default" } }' s3 ls
If you don't see a command prompt, try pressing enter.
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
The first step is to determine which service account (SA) is being used and work backward from there. In the example, it’s pretty clear, as we have the run command. However, assuming we don’t have it, we can use the next command to figure it out:
$ kubectl get po cli -o yaml | grep serviceAccountName ...
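The two checks above (is this an IAM denial, and which SA is the pod running as) can be scripted over saved pod logs and `kubectl get po cli -o json` output. This is an added example, not code from the original text; the function names, the sample log and pod JSON, and the list of denial codes are assumptions made for illustration.

```python
import json
import re

# botocore prints client errors in this fixed shape.
AWS_ERROR = re.compile(
    r"An error occurred \((?P<code>[^)]+)\) when calling the (?P<op>\w+) operation"
)
# Assumption: non-exhaustive list of codes that mean "authorization failed".
DENIED_CODES = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation"}

# Constructed sample input: pod logs and trimmed `kubectl get po cli -o json`.
SAMPLE_LOG = """If you don't see a command prompt, try pressing enter.
An error occurred (NoSuchBucket) when calling the ListObjectsV2 operation: The specified bucket does not exist
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
"""
SAMPLE_POD = json.loads("""
{"metadata": {"name": "cli", "namespace": "default"},
 "spec": {"serviceAccount": "default", "serviceAccountName": "default",
          "containers": [{"name": "cli", "image": "amazon/aws-cli"}]}}
""")


def denied_operations(log_text):
    """Return (code, operation) for each authorization failure in the log."""
    matches = (AWS_ERROR.search(line) for line in log_text.splitlines())
    return [(m["code"], m["op"]) for m in matches if m and m["code"] in DENIED_CODES]


def pod_service_account(pod):
    """Return (namespace, service account) the pod runs as."""
    spec = pod.get("spec", {})
    # serviceAccount is the deprecated alias of serviceAccountName; a pod that
    # sets neither runs as the namespace's "default" service account.
    name = spec.get("serviceAccountName") or spec.get("serviceAccount") or "default"
    return pod.get("metadata", {}).get("namespace", "default"), name


def triage(pod, log_text):
    """Combine both checks: is this an IAM denial, and for which SA?"""
    namespace, name = pod_service_account(pod)
    denied = denied_operations(log_text)
    return {"iam_issue": bool(denied), "denied": denied,
            "namespace": namespace, "service_account": name}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_POD, SAMPLE_LOG), indent=2))
```

The NoSuchBucket line in the sample is deliberately not reported: it is an AWS API error but not a permissions one, so it should not send you down the IAM path.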