问AWS EKS:用户无权在资源上执行: iam:CreateRole

EN

eksctl create cluster \
            --name claireudacitycapstoneproject \
            --version 1.17 \
            --region us-east-1 \
            --nodegroup-name standard-workers \
            --node-type t2.micro \
            --nodes 2 \
            --nodes-min 1 \
            --nodes-max 3 \
            --managed

2021-10-22 21:25:46 [ℹ]  eksctl version 0.70.0
2021-10-22 21:25:46 [ℹ]  using region us-east-1
2021-10-22 21:25:48 [ℹ]  setting availability zones to [us-east-1a us-east-1b]
2021-10-22 21:25:48 [ℹ]  subnets for us-east-1a - public:192.168.0.0/19 private:192.168.64.0/19
2021-10-22 21:25:48 [ℹ]  subnets for us-east-1b - public:192.168.32.0/19 private:192.168.96.0/19
2021-10-22 21:25:48 [ℹ]  nodegroup "standard-workers" will use "" [AmazonLinux2/1.17]
2021-10-22 21:25:48 [ℹ]  using Kubernetes version 1.17
2021-10-22 21:25:48 [ℹ]  creating EKS cluster "claireudacitycapstoneproject" in "us-east-1" region with managed nodes
2021-10-22 21:25:48 [ℹ]  will create 2 separate CloudFormation stacks for cluster itself and the initial managed nodegroup
2021-10-22 21:25:48 [ℹ]  if you encounter any issues, check CloudFormation console or try 'eksctl utils describe-stacks --region=us-east-1 --cluster=claireudacitycapstoneproject'
2021-10-22 21:25:48 [ℹ]  CloudWatch logging will not be enabled for cluster "claireudacitycapstoneproject" in "us-east-1"
2021-10-22 21:25:48 [ℹ]  you can enable it with 'eksctl utils update-cluster-logging --enable-types={SPECIFY-YOUR-LOG-TYPES-HERE (e.g. all)} --region=us-east-1 --cluster=claireudacitycapstoneproject'
2021-10-22 21:25:48 [ℹ]  Kubernetes API endpoint access will use default of {publicAccess=true, privateAccess=false} for cluster "claireudacitycapstoneproject" in "us-east-1"
2021-10-22 21:25:48 [ℹ]  
2 sequential tasks: { create cluster control plane "claireudacitycapstoneproject", 
    2 sequential sub-tasks: { 
        wait for control plane to become ready,
        create managed nodegroup "standard-workers",
    } 
}
2021-10-22 21:25:48 [ℹ]  building cluster stack "eksctl-claireudacitycapstoneproject-cluster"
2021-10-22 21:25:51 [ℹ]  deploying stack "eksctl-claireudacitycapstoneproject-cluster"
2021-10-22 21:26:21 [ℹ]  waiting for CloudFormation stack "eksctl-claireudacitycapstoneproject-cluster"
2021-10-22 21:26:52 [ℹ]  waiting for CloudFormation stack "eksctl-claireudacitycapstoneproject-cluster"
2021-10-22 21:26:54 [✖]  unexpected status "ROLLBACK_IN_PROGRESS" while waiting for CloudFormation stack "eksctl-claireudacitycapstoneproject-cluster"
2021-10-22 21:26:54 [ℹ]  fetching stack events in attempt to troubleshoot the root cause of the failure
2021-10-22 21:26:54 [!]  AWS::EC2::EIP/NATIP: DELETE_IN_PROGRESS
2021-10-22 21:26:54 [!]  AWS::EC2::VPC/VPC: DELETE_IN_PROGRESS
2021-10-22 21:26:54 [!]  AWS::EC2::InternetGateway/InternetGateway: DELETE_IN_PROGRESS
2021-10-22 21:26:54 [✖]  AWS::EC2::VPC/VPC: CREATE_FAILED – "Resource creation cancelled"
2021-10-22 21:26:54 [✖]  AWS::EC2::InternetGateway/InternetGateway: CREATE_FAILED – "Resource creation cancelled"
2021-10-22 21:26:54 [✖]  AWS::EC2::EIP/NATIP: CREATE_FAILED – "Resource creation cancelled"
2021-10-22 21:26:54 [✖]  AWS::IAM::Role/ServiceRole: CREATE_FAILED – "API: iam:CreateRole User: arn:aws:iam::602502938985:user/CLI is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::602502938985:role/eksctl-claireudacitycapstoneproject-cl-ServiceRole-4CR9Z6NRNU49 with an explicit deny"
2021-10-22 21:26:54 [!]  1 error(s) occurred and cluster hasn't been created properly, you may wish to check CloudFormation console
2021-10-22 21:26:54 [ℹ]  to cleanup resources, run 'eksctl delete cluster --region=us-east-1 --name=claireudacitycapstoneproject'
2021-10-22 21:26:54 [✖]  ResourceNotReady: failed waiting for successful resource state
Error: failed to create cluster "claireudacitycapstoneproject"

Error: checking AWS STS access – cannot get role ARN for current session: RequestError: send request failed