Serviceaccount is forbidden

[ahaduyeheyis-govini]

Hello,

I'm using the terraform-aws-modules/eks/aws(version: 20.2.1) module to provision an EKS cluster and then using this module to bootstrap the cluster with some needed services. I wanted to install the metrics server to test out the processes but I keep getting an error. Here is my addon modue setup:

module "eks_blueprints_addons" {
  source = "aws-ia/eks-blueprints-addons/aws"
  version = "~> 1.0"

  cluster_name      = module.eks.cluster_name
  cluster_endpoint  = module.eks.cluster_endpoint
  cluster_version   = module.eks.cluster_version
  oidc_provider_arn = module.eks.oidc_provider_arn

  enable_metrics_server                  = true
  metrics_server = {
    chart_version = "3.12.0"
    values        = [templatefile("${path.module}/environments/common/metrics-server/values.yaml", {})]
  }

  tags = var.tags
}

This the error I get:

│ Error: Unable to continue with install: could not get information about the resource ServiceAccount "metrics-server" in namespace "kube-system": serviceaccounts "metrics-server" is forbidden: User "system:serviceaccount:*:default" cannot get resource "serviceaccounts" in API group "" in the namespace "kube-system"
│ 
│   with module.eks_blueprints_addons.module.metrics_server.helm_release.this[0],
│   on .terraform/modules/eks_blueprints_addons.metrics_server/main.tf line 9, in resource "helm_release" "this":
│    9: resource "helm_release" "this" {

I'm using the same user to run eks creation and addon and I made sure enable_cluster_creator_admin_permissions is set to true so the creator should have full access to the cluster. My cluster version is 1.29. I have also tried creating a new namespace or using the default namespace and it's the same issue.

Any help would be greatly appreciated.
Thank You

[ahaduyeheyis-govini]

I figured out the issue. I had to define the provider helm and ensure it was pointing to the correct cluster.

provider "helm" {
  kubernetes {
    host                   = module.eks.cluster_endpoint
    cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)

    exec {
      api_version = "client.authentication.k8s.io/v1beta1"
      command     = "aws"
      # This requires the awscli to be installed locally where Terraform is executed
      args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name, "--region", var.region]
    }
  }
}