No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

so if you look at the kubeconfig, it actually uses `aws eks get-token`
<https://github.com/pulumi/pulumi-eks/blob/c5fcceb8746b0ae2c1ef859fe1a7e4f70ec12398/nodejs/eks/cluster.ts#L187>

So it may be your AWS IAM role might not have permission to do that

I bound it to the administrator policy for testing

makes sense, ultimately that message is coming from kubectl not having access

<https://github.com/pulumi/pulumi-eks/issues/405#issuecomment-652163657>

i want to use the links in these comments but they seem dead

<https://github.com/pulumi/pulumi-eks/issues/405#issuecomment-651210871>

<https://github.com/pulumi/docs/issues/2637>

<https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/eks/#CreationRoleProvider>

yes i think that's what's missing, you'd need to add it to the `aws-auth` configmap

i did that already with the `rolemappings` in the cluster

ah interesting. in your ci pipeline, can you maybe try a kubectl command with the generated kubeconfig?

Turns out pulumi needs to also know what the role is via <@UCWG26BH7>
```providerCredentialOpts```

the pulumi code also has to be aware of the role