Fix Terraform Error - Error Creating EKS Cluster - AccessDeniedException

Name: Ansible Automation Platform By Example
Author: Luca Berton

How to fix AccessDeniedException when creating EKS clusters in Terraform. Configure IAM roles, service-linked roles, and VPC permissions.

Fix Terraform Error - Error Creating EKS Cluster - AccessDeniedException

August 31, 2025
2 min read
Posted by Luca Berton
Terraform, Troubleshooting, DevOps, Error Fix, Infrastructure as Code

The Error

Error creating EKS Cluster: AccessDeniedException: User is not authorized to perform eks:CreateCluster

What Causes This

The IAM user or role running Terraform doesn’t have sufficient permissions to create EKS clusters. EKS requires specific IAM permissions for the cluster, node groups, networking, and service-linked roles.

How to Fix It

Solution 1: Add Required IAM Permissions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:*",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeSecurityGroups",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:CreateTags",
        "iam:PassRole",
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "*"
    }
  ]
}

Solution 2: Create EKS Cluster Role

resource "aws_iam_role" "eks_cluster" {
  name = "eks-cluster-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action    = "sts:AssumeRole"
      Effect    = "Allow"
      Principal = { Service = "eks.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "eks_cluster" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
  role       = aws_iam_role.eks_cluster.name
}

resource "aws_eks_cluster" "main" {
  name     = "production"
  role_arn = aws_iam_role.eks_cluster.arn
  vpc_config {
    subnet_ids = aws_subnet.private[*].id
  }
}

Solution 3: Service-Linked Role

# EKS needs a service-linked role — create if missing
aws iam create-service-linked-role --aws-service-name eks.amazonaws.com

Prevention Tips

Pin provider versions — avoid surprise breaking changes
Use CI/CD — catch errors before they hit production
Test with terraform plan — always review before applying
Keep Terraform updated — newer versions have better error messages
Use terraform validate — catches syntax errors early

Hands-On Courses

Learn to avoid these errors with interactive, project-based courses:

Terraform for Beginners on CopyPasteLearn
Terraform By Example — practical code examples
Terraform Cheat Sheet — quick reference for all commands

Conclusion

This error is common and fixable. Follow the solutions above, and check our Terraform course for hands-on training that covers real-world troubleshooting scenarios.