How Do You Troubleshoot the kubectl Message “Connection error: Unable to connect to the server:” with AWS?

Problem scenario
You are using Kubernetes in AWS.  When using a kubectl command you get this error: "Connection error: Unable to connect to the server:  getting credentials: exec: exit status 1  ... Could not get token: AccessDenied: Access denied"

What should you do?

Possible Solution #1
Was the user who created the Kubernetes cluster a different user from the user that is configured with your AWS CLI? Configure your AWS CLI to be the same user as the user that created the cluster.  Then try the command again.

Possible Solution #2
Check your Security Groups.  Is there an AWS firewall rule blocking connectivity?

Possible Solution #3
Has an Amazon Role been created? If not and you need assistance with this, see this posting.

Possible Solution #4
To ensure you have the correct AWS access key and secret key ID, create a new cluster with your AWS CLI credentials.

The command will look something like this (replace "contint" with the name you want to give your cluster):

aws eks create-cluster --name contint --role-arn arn:aws:iam::123456789:role/foobar --resources-vpc-config subnetIds=subnet-87cb36dd,subnet-2e1ba163,subnet-d355a3c1,securityGroupIds=sg-33e3abbe

The hyperlink in prerequisite ii can help you determine the "arn.../foobar" value.  If you do no know what subnet IDs or security group IDs to use, try these commands if you already have an EKS cluster running:

aws eks list-clusters

aws eks describe-cluster --name contint   # where "contint" is the name of the cluster that the above command produces

If you want more thorough directions for starting over, see one of these postings:
How Do You Use Amazon Elastic Kubernetes Service with the Web UI?
How Do You Use Amazon Elastic Kubernetes Service with the CLI?

You may also want to see these postings:
How Do You Find the Subnet ID values in AWS?
How Do You Find the Security Group ID Values in AWS?

Leave a comment

Your email address will not be published. Required fields are marked *