CreateError - Error, cannot get Kubernetes nodegroup list from cloud provider

I am encountering an issue while setting up Kubernetes on Qovery. The error message displayed is:

“CreateError - Error, cannot get Kubernetes nodegroup list from your cloud provider.”

I have thoroughly reviewed the IAM permissions and verified that all necessary permissions, including:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:PassRole",
                "iam:DeleteRole",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "s3:ListAllMyBuckets",
                "cloudwatch:*",
                "autoscaling:*",
                "application-autoscaling:*",
                "elasticloadbalancing:*",
                "dynamodb:*",
                "ecr:*",
                "ec2:*",
                "elasticache:*",
                "cloudtrail:LookupEvents",
                "kms:*",
                "tag:GetResources",
                "rds:*",
                "ecs:*",
                "eks:*",
                "logs:*",
                "events:DescribeRule",
                "events:DeleteRule",
                "events:ListRuleNamesByTarget",
                "events:ListTargetsByRule",
                "events:PutRule",
                "events:PutTargets",
                "es:AddTags",
                "es:RemoveTags",
                "es:ListTags",
                "es:DeleteElasticsearchDomain",
                "es:DescribeElasticsearchDomain",
                "es:CreateElasticsearchDomain",
                "events:RemoveTargets",
                "events:TagResource",
                "events:ListTagsForResource"
            ],
            "Resource": "*"
        },
        {
            "Action": [
                "s3:*",
                "sqs:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::qovery*",
                "arn:aws:s3:::qovery*/*",
                "arn:aws:sqs:*:*:qovery*",
                "arn:aws:sqs:*:*:qovery*/*"
            ]
        }
    ]
}

are correctly configured. Additionally, the secret key and access credentials have been properly set up, and the IAM role associated with Qovery has the required access rights.

Despite these configurations, Qovery still seems unable to retrieve the node group list from the cloud provider. Please advise on any additional steps that might be required or any further diagnostics I should perform on my end to resolve this issue.

Hello @unocat,

I forwarded your problem to the team.
I'll get back to you with a solution.

Regards,
Charles-Edouard

@unocat,

The team is looking at your problem;
we will try to install your cluster again.

Regards,

@unocat,

It looks like we have an IAM error.

Can you try to update the policy to match the permissions you have here?

You can check step 5; the policy should be:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:*",
                "s3:ListAllMyBuckets",
                "cloudwatch:*",
                "autoscaling:*",
                "application-autoscaling:*",
                "elasticloadbalancing:*",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribePolicy",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:ListPoliciesForTarget",
                "organizations:ListRoots",
                "organizations:ListPolicies",
                "organizations:ListTargetsForPolicy",
                "dynamodb:*",
                "ecr:*",
                "ec2:*",
                "elasticache:*",
                "cloudtrail:LookupEvents",
                "dynamodb:*",
                "tag:GetResources",
                "rds:*",
                "ecs:*",
                "eks:*",
                "logs:*",
                "events:DescribeRule",
                "events:DeleteRule",
                "events:ListRuleNamesByTarget",
                "events:ListTargetsByRule",
                "events:PutRule",
                "events:PutTargets",
                "es:AddTags",
                "es:RemoveTags",
                "es:ListTags",
                "es:DeleteElasticsearchDomain",
                "es:DescribeElasticsearchDomain",
                "es:CreateElasticsearchDomain",
                "events:RemoveTargets",
                "kms:*",
                "events:TagResource",
                "events:ListTagsForResource"
            ],
            "Resource": "*"
        },
        {
            "Action": [
                "s3:*",
                "sqs:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::qovery*",
                "arn:aws:s3:::qovery*/*",
                "arn:aws:sqs:*:*:qovery*",
                "arn:aws:sqs:*:*:qovery*/*"
            ]
        }
    ]
}

Please let me know if this is helpful for you.

Regards,
Charles-Edouard
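The fix above amounts to diffing two IAM policy documents by action: the first policy spelled out seven `iam:` actions where the required one uses `iam:*`, and it had no `organizations:` actions at all. The script below is an added example (not Qovery's code or anything from this thread's authors) that performs that comparison generically. Both policy documents in it are constructed, trimmed copies of the two posted above, and the comparison only looks at `Allow` actions; it ignores `Resource` and `Condition`, so a "covered" action may still be restricted by a resource scope.

```python
"""Diff the actions granted by one IAM policy against those another requires.

Added example, not the project's code. Policies are constructed subsets of
the two documents in the thread above. Only Effect=Allow actions are compared;
Resource and Condition elements are ignored on purpose (action-level check).
"""
import fnmatch

# Constructed: trimmed version of the policy the reporter originally attached.
HAVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole",
            "iam:DeleteRole", "iam:DetachRolePolicy", "iam:PutRolePolicy",
            "iam:DeleteRolePolicy", "s3:ListAllMyBuckets", "ec2:*", "eks:*",
            "kms:*", "dynamodb:*", "cloudtrail:LookupEvents"]},
        {"Effect": "Allow", "Action": ["s3:*", "sqs:*"],
         "Resource": ["arn:aws:s3:::qovery*", "arn:aws:sqs:*:*:qovery*"]},
    ],
}

# Constructed: trimmed version of the policy the support reply asked for.
# Note the duplicated "dynamodb:*", exactly as in the posted document.
REQUIRED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "iam:*", "s3:ListAllMyBuckets", "organizations:DescribeAccount",
            "organizations:ListRoots", "ec2:*", "eks:*", "kms:*",
            "dynamodb:*", "cloudtrail:LookupEvents", "dynamodb:*"]},
        {"Effect": "Allow", "Action": ["s3:*", "sqs:*"],
         "Resource": ["arn:aws:s3:::qovery*", "arn:aws:sqs:*:*:qovery*"]},
    ],
}


def allowed_actions(policy):
    """Set of action patterns from every Allow statement (deduplicated).

    IAM accepts "Action" as a string or a list; both forms are handled.
    """
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        if isinstance(acts, str):
            acts = [acts]
        actions.update(acts)
    return actions


def covers(pattern, action):
    """True if an IAM action pattern such as 'iam:*' matches `action`.

    IAM action names are case-insensitive, so both sides are lower-cased.
    A literal like 'iam:CreateRole' does NOT cover the wildcard 'iam:*'.
    """
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(have, required):
    """Required action patterns not covered by any pattern in `have`."""
    have_set = allowed_actions(have)
    return sorted(
        req for req in allowed_actions(required)
        if not any(covers(h, req) for h in have_set)
    )


def extra_grants(have, required):
    """Patterns in `have` that go beyond what `required` asks for.

    Useful in the other direction: after pasting a vendor policy, see which
    grants are broader than the one you replaced.
    """
    req_set = allowed_actions(required)
    return sorted(
        h for h in allowed_actions(have)
        if not any(covers(r, h) for r in req_set)
    )


if __name__ == "__main__":
    for name, result in (
        ("missing from HAVE", missing_actions(HAVE_POLICY, REQUIRED_POLICY)),
        ("HAVE grants beyond REQUIRED", extra_grants(HAVE_POLICY, REQUIRED_POLICY)),
        ("REQUIRED grants beyond HAVE", extra_grants(REQUIRED_POLICY, HAVE_POLICY)),
    ):
        print(f"{name}: {result}")
```

Run against the two trimmed policies, `missing_actions` reports `iam:*` and the two `organizations:` actions, which is the gap the support reply closed. `extra_grants(REQUIRED_POLICY, HAVE_POLICY)` shows the same entries from the other side: the replacement policy widens the seven `iam:` actions to all of `iam`, which is worth knowing before attaching it to an account.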

After modifying the IAM permissions, the deployment was successfully created. Thank you!