This repository was archived by the owner on May 22, 2024. It is now read-only.
A customer was not able to deploy the custom resource Custom::AWSCDK-EKS-KubernetesResource when deploying a stack. Here is one of the create failure events:
The error message on CloudFormation is:
Custom::AWSCDK-EKS-KubernetesResource EKSStackAwsAuthmanifest75D20040 CREATE_FAILED Received response status [FAILED] from custom resource. Message returned: TimeoutError: {"state":"TIMEOUT","reason":"Waiter has timed out"} at checkExceptions ...
Also found the following error message in CloudTrail:
User: arn:aws:sts::[redacted]:assumed-role/EKSStack-awscdka-ProviderframeworkonEventS-duAmMCwNZO6z/EKSStack-awscdka-ProviderframeworkonEvent-4NeK4zj7Z6ab is not authorized to perform: lambda:GetFunctionConfiguration on resource: arn:aws:lambda:[redacted]:[redacted]:function:EKSStack-awscdkawseksKube-Handler886CB40B-3fOpwrZnomNI because no identity-based policy allows the lambda:GetFunctionConfiguration action
They failed with a permission issue, because before the custom resources failed to be created, there were many lambda:GetFunctionConfiguration access denied events [2].
The workaround was to manually add the following IAM permission to the provider Lambda execution role and then update the stack; the template could then be deployed successfully.
This issue may be related to upstream CDK issue: aws/aws-cdk#26838
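As an added example (not part of the original issue or of the CDK code base): a small Python helper that parses the CloudTrail denial message quoted above and builds a policy statement scoped to the exact action and resource that were denied, attached to the role behind the assumed-role session. The function names are hypothetical, the sample is the message from this issue with its [redacted] fields left as they are, and the output is derived from that message, not copied from the reporter's workaround.

```python
import re

# Shape of the IAM denial text that CloudTrail records in errorMessage (as quoted in the issue).
DENIAL_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+) on resource: (?P<resource>\S+)"
)
ASSUMED_ROLE_RE = re.compile(r"^arn:([^:]+):sts::([^:]*):assumed-role/([^/]+)/")

def parse_denial(message):
    """Return (role_name, action, resource) from an IAM denial message, or None."""
    m = DENIAL_RE.search(message)
    if not m:
        return None
    role = ASSUMED_ROLE_RE.match(m.group("principal"))
    # For assumed-role sessions the policy belongs on the role, not on the session name.
    role_name = role.group(3) if role else m.group("principal")
    return role_name, m.group("action"), m.group("resource")

def least_privilege_policies(messages):
    """Group denials by role; allow each action only on the resource it was denied on."""
    grants = {}
    for msg in messages:
        parsed = parse_denial(msg)
        if parsed is None:
            continue  # not an IAM denial line
        role, action, resource = parsed
        grants.setdefault(role, {}).setdefault(resource, set()).add(action)
    return {
        role: {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Action": sorted(actions), "Resource": res}
                for res, actions in sorted(by_res.items())
            ],
        }
        for role, by_res in grants.items()
    }

# Constructed sample: the CloudTrail message from this issue, [redacted] fields kept as-is.
SAMPLE = (
    "User: arn:aws:sts::[redacted]:assumed-role/EKSStack-awscdka-ProviderframeworkonEventS-duAmMCwNZO6z/"
    "EKSStack-awscdka-ProviderframeworkonEvent-4NeK4zj7Z6ab is not authorized to perform: "
    "lambda:GetFunctionConfiguration on resource: arn:aws:lambda:[redacted]:[redacted]:function:"
    "EKSStack-awscdkawseksKube-Handler886CB40B-3fOpwrZnomNI because no identity-based policy allows the action"
)

if __name__ == "__main__":
    print(least_privilege_policies([SAMPLE]))
```

Repeated denials collapse into a single statement per resource, so feeding it the full run of access-denied events yields one reviewable policy per role.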