Introduction

eksctl uses EKS managed addons (vpc-cni, coredns, aws-ebs-csi-driver) to simplify cluster management. When addon creation fails, the addon remains in a degraded state, and pods that rely on that addon's functionality encounter errors.

Symptoms

Addon creation failed:

```bash
$ eksctl create addon --cluster my-cluster --name vpc-cni --force

Error: failed to create addon "vpc-cni" for cluster "my-cluster": addon "vpc-cni" is in degraded state
```

IAM role issues:

```bash
$ eksctl create addon --cluster my-cluster --name aws-ebs-csi-driver

Error: IRSA not configured: cluster does not have an IAM OIDC provider
```

Version mismatch:

```bash
$ eksctl create addon --cluster my-cluster --name coredns --version v1.8.0

Error: addon version "v1.8.0" is not compatible with Kubernetes version "1.27"
```

Common Causes

  1. IAM OIDC provider missing - Cluster created without OIDC for IRSA
  2. Service account not annotated - Addon needs IRSA but SA lacks role ARN
  3. Addon version incompatible - Version doesn't match cluster K8s version
  4. Existing conflict - Self-managed addon already installed
  5. Permission denied - eksctl lacks IAM permissions
  6. Network issues - VPC CNI addon can't configure networking
  7. Resource quotas - Insufficient resources for addon pods

Step-by-Step Fix

  1. Check logs for specific error messages
  2. Verify configuration settings
  3. Test network connectivity
  4. Review recent changes
  5. Apply corrective action
  6. Verify the fix

Step 1: Check IAM OIDC Provider

```bash
# Check if cluster has OIDC provider
eksctl utils describe-stacks --cluster my-cluster --region us-west-2

# Look for OIDC provider in output
# If missing, create it:
eksctl utils associate-iam-oidc-provider --cluster my-cluster --approve

# Verify OIDC provider exists
aws iam list-open-id-connect-providers \
  --query 'OpenIDConnectProviderList[*].Arn'
```

Step 2: List Available Addon Versions

```bash
# Get compatible addon versions for your cluster
eksctl utils describe-addon-versions --cluster my-cluster

# Or via AWS CLI (EKS output keys are camelCase, so the query must be too)
aws eks describe-addon-versions \
  --addon-name vpc-cni \
  --kubernetes-version 1.27 \
  --query 'addons[*].addonVersions[*].[addonVersion,compatibilities]'
```

Step 3: Create Addon with Correct Version

```bash
# Create addon with compatible version
eksctl create addon \
  --cluster my-cluster \
  --name vpc-cni \
  --version v1.12.0-eksbuild.1 \
  --force

# Create with service account role
# (123456789012 is a placeholder; use your own 12-digit account ID)
eksctl create addon \
  --cluster my-cluster \
  --name aws-ebs-csi-driver \
  --service-account-role-arn arn:aws:iam::123456789012:role/EbsCsiDriverRole \
  --force
```

Step 4: Check Existing Addons

```bash
# List existing addons (managed and self-managed)
eksctl get addons --cluster my-cluster

# Check addon status (EKS output keys are camelCase)
aws eks describe-addon \
  --cluster-name my-cluster \
  --addon-name vpc-cni \
  --query 'addon.{Status:status,Health:health.issues}'

# Common statuses:
# - ACTIVE: Working correctly
# - DEGRADED: Has health issues
# - CREATING: Being created
# - CREATE_FAILED: Creation failed
```

Step 5: Handle Existing Self-Managed Addon Conflict

```bash
# If self-managed addon exists, you need to remove it first
# Check for existing DaemonSet/Deployment
kubectl get daemonset -n kube-system
kubectl get deployment -n kube-system

# Remove self-managed CNI before installing managed addon
# (new pods cannot get IP addresses until the managed addon is running)
kubectl delete daemonset aws-node -n kube-system

# Then create managed addon
eksctl create addon --cluster my-cluster --name vpc-cni --force
```

Step 6: Create IAM Role for Addon

```bash
# Create IAM role for addon with IRSA
eksctl create iamserviceaccount \
  --cluster my-cluster \
  --name ebs-csi-controller-sa \
  --namespace kube-system \
  --role-name EbsCsiDriverRole \
  --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
  --approve

# For VPC CNI, attach policy:
eksctl create iamserviceaccount \
  --cluster my-cluster \
  --name aws-node \
  --namespace kube-system \
  --role-name VpcCniRole \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonEKSVPCCNIPolicy \
  --approve
```
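An IRSA role only works for the addon, and only stays least-privilege, if its trust policy names this cluster's OIDC provider and pins the `sub` claim to the addon's service account. The check below is an added example, not eksctl's or AWS's own code; the issuer ID, account ID and sample policy are constructed placeholders, and `check_irsa_trust` is a hypothetical helper name.

```python
import json

# Constructed sample: account ID and OIDC ID below are placeholders.
ISSUER = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{ISSUER}:aud": "sts.amazonaws.com",
            f"{ISSUER}:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa",
        }},
    }],
})


def check_irsa_trust(policy_json, issuer, namespace, service_account):
    """Return a list of problems; empty means only this service account is trusted."""
    want_sub = f"system:serviceaccount:{namespace}:{service_account}"
    sub_key, aud_key = f"{issuer}:sub", f"{issuer}:aud"
    problems, matched = [], False
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in actions
                or not str(federated).endswith(f"oidc-provider/{issuer}")):
            continue  # not a web-identity grant for this cluster's provider
        cond = stmt.get("Condition", {})
        exact = cond.get("StringEquals", {})
        if sub_key in cond.get("StringLike", {}):
            problems.append("sub uses StringLike: a wildcard may admit other service accounts")
        elif sub_key not in exact:
            problems.append("no sub condition: any service account in the cluster can assume the role")
        elif exact[sub_key] == want_sub:
            matched = True
            if exact.get(aud_key) != "sts.amazonaws.com":
                problems.append("aud condition missing or not sts.amazonaws.com")
    if not matched:
        problems.append(f"no statement pins the role to {want_sub}")
    return problems


if __name__ == "__main__":
    print(check_irsa_trust(SAMPLE_TRUST_POLICY, ISSUER, "kube-system", "ebs-csi-controller-sa"))
```

For a real role, feed it the output of `aws iam get-role --role-name EbsCsiDriverRole --query 'Role.AssumeRolePolicyDocument'`, and take the issuer from `aws eks describe-cluster --name my-cluster --query 'cluster.identity.oidc.issuer'` with the leading `https://` removed.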

Step 7: Verify Addon Health

```bash
# Check addon health issues (EKS output keys are camelCase)
aws eks describe-addon \
  --cluster-name my-cluster \
  --addon-name vpc-cni \
  --query 'addon.health.issues'

# Check addon pods
kubectl get pods -n kube-system -l k8s-app=aws-node

# Check pod logs
kubectl logs -n kube-system -l k8s-app=aws-node
```

Step 8: Fix Degraded Addon

```bash
# Force update addon
eksctl update addon \
  --cluster my-cluster \
  --name vpc-cni \
  --force

# Or delete and recreate
eksctl delete addon --cluster my-cluster --name vpc-cni
eksctl create addon --cluster my-cluster --name vpc-cni --version latest
```

Step 9: Check Addon Configuration

```bash
# Get addon configuration
aws eks describe-addon-configuration \
  --addon-name vpc-cni \
  --addon-version v1.12.0-eksbuild.1

# Apply custom configuration
eksctl create addon \
  --cluster my-cluster \
  --name vpc-cni \
  --configuration-values '{"env":{"ENABLE_PREFIX_DELEGATION":"true"}}'
```

Step 10: Verify Permissions

```bash
# Check eksctl user has required permissions
# Required IAM actions:
# - eks:CreateAddon
# - eks:DescribeAddon
# - eks:DescribeAddonVersions
# - iam:PassRole (if using service account role)

# If permission denied, check your IAM user/role
aws sts get-caller-identity

# Verify eks:CreateAddon permission
# (this call creates the addon if the permission is present)
aws eks create-addon \
  --cluster-name my-cluster \
  --addon-name vpc-cni \
  --addon-version v1.12.0-eksbuild.1
```

EKS Managed Addons Reference

| Addon | Purpose | Required IAM |
| --- | --- | --- |
| vpc-cni | Pod networking | AmazonEKSVPCCNIPolicy |
| coredns | DNS resolution | None |
| aws-ebs-csi-driver | EBS volumes | AmazonEBSCSIDriverPolicy |
| kube-proxy | Network proxy | None |

Verification

```bash
# Check addon status after fix
eksctl get addons --cluster my-cluster

# Should show ACTIVE status (EKS output keys are camelCase)
aws eks describe-addon \
  --cluster-name my-cluster \
  --addon-name vpc-cni \
  --query 'addon.status'

# Verify addon pods running
kubectl get pods -n kube-system -l k8s-app=aws-node
```

