Understanding AWS IAM Role Permissions for EKS in Spacelift Stacks

Last updated: September 8, 2025

When using Kubernetes providers with EKS clusters in Spacelift, it's important to understand how different AWS IAM roles are used during plan and apply phases, especially when you have separate read and write AWS integrations configured.

How Spacelift Uses AWS Integrations

When a stack has both read and write AWS integrations:

  • During the plan phase, Spacelift uses the read-only integration

  • During apply or task operations, Spacelift uses the write integration

Troubleshooting "Unauthorized" Errors with EKS

If you encounter "Unauthorized" errors when using the Kubernetes provider with EKS clusters, particularly during the plan phase, the cause is most likely IAM role permissions. Even though the error is returned by the Kubernetes API server (401 Unauthorized), it's usually an AWS IAM authentication problem, since EKS authenticates API clients with AWS IAM. With separate integrations, the plan phase runs as the read-only role, so a read role that is not authorized in the cluster's aws-auth ConfigMap is rejected during plan even though applies succeed with the write role.

Resolution

To resolve this issue, you have two options:

  1. Configure a single AWS integration with both read and write permissions for the stack instead of separate read/write integrations

  2. Ensure both the read and write IAM roles are properly authorized in your EKS cluster's aws-auth ConfigMap

Recommendation: Using a single AWS integration with combined read/write permissions is generally simpler to manage and less prone to authentication issues.
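To check option 2 before re-running a plan, the following added script (not part of this article or of Spacelift's tooling) reads the JSON form of the aws-auth ConfigMap and reports which of the two integration roles is not mapped. The embedded ConfigMap and the two role ARNs are constructed sample values; it assumes the cluster authorizes IAM roles through aws-auth, as described above, and it normalizes ARNs because aws-auth entries must omit the role's IAM path.

```python
import json
import re

# Constructed sample of `kubectl get configmap aws-auth -n kube-system -o json`
# for a cluster where only the write integration's role has been mapped.
SAMPLE_AWS_AUTH_JSON = r"""
{
  "apiVersion": "v1",
  "kind": "ConfigMap",
  "metadata": {"name": "aws-auth", "namespace": "kube-system"},
  "data": {
    "mapRoles": "- rolearn: arn:aws:iam::111122223333:role/spacelift-write\n  username: spacelift-write\n  groups:\n    - system:masters\n- rolearn: arn:aws:iam::111122223333:role/eks-node-role\n  username: system:node:{{EC2PrivateDNSName}}\n  groups:\n    - system:bootstrappers\n    - system:nodes\n"
  }
}
"""

# Hypothetical role ARNs of the read and write Spacelift integrations (sample values).
PLAN_ROLE_ARN = "arn:aws:iam::111122223333:role/spacelift-read"
APPLY_ROLE_ARN = "arn:aws:iam::111122223333:role/spacelift-write"


def strip_role_path(arn):
    """aws-auth entries must use the role ARN without its IAM path,
    e.g. .../role/ci/spacelift-read has to be mapped as .../role/spacelift-read."""
    prefix, sep, rest = arn.partition(":role/")
    if not sep:
        return arn
    return prefix + sep + rest.rsplit("/", 1)[-1]


def mapped_role_arns(aws_auth_json):
    """Return the set of role ARNs listed under data.mapRoles.
    mapRoles is a YAML string inside the ConfigMap, so only the rolearn keys are read."""
    config_map = json.loads(aws_auth_json)
    map_roles = config_map.get("data", {}).get("mapRoles", "")
    return {arn.strip("\"'") for arn in re.findall(r"rolearn:\s*(\S+)", map_roles)}


def missing_spacelift_roles(aws_auth_json, plan_role_arn, apply_role_arn):
    """Map each Spacelift phase to its role ARN when that role is absent from aws-auth."""
    mapped = mapped_role_arns(aws_auth_json)
    missing = {}
    for phase, arn in (("plan", plan_role_arn), ("apply", apply_role_arn)):
        if strip_role_path(arn) not in mapped:
            missing[phase] = arn
    return missing


if __name__ == "__main__":
    for phase, arn in missing_spacelift_roles(SAMPLE_AWS_AUTH_JSON, PLAN_ROLE_ARN, APPLY_ROLE_ARN).items():
        print(f"{phase}: {arn} is not mapped in aws-auth; expect 401 Unauthorized in this phase")
```

Replace the sample with the real ConfigMap output and the ARNs of your integrations' roles; an entry reported for "plan" is exactly the situation that produces the plan-phase 401 described above.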

For more information about AWS integrations in Spacelift, see our documentation on AWS read vs write permissions.