[Bug] Lack of some necessary IAM policies when enabling Karpenter from an eksctl YAML file #8672

@justin007755

Description

What were you trying to accomplish?

Enable karpenter in the eks cluster using eksctl

What happened?

I tried to follow the link below to set up Karpenter using eksctl, but I always get the error below, which shows that some necessary IAM policies for the Karpenter controller pod are missing.

https://docs.aws.amazon.com/eks/latest/eksctl/eksctl-karpenter.html

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: Bigdata-Task-karpenter
  region: cn-northwest-1
  version: "1.34"
  tags:
    karpenter.sh/discovery: Bigdata-Task-karpenter

iam:
  withOIDC: true

karpenter:
  version: '1.9.0'

vpc:
  id: "vpc-0faa6ca8b72cc1111"
  cidr: "172.31.0.0/16"
  subnets:
    private:
      awscli-subnet-pri03:
        id: "subnet-0e6baaf4bf7e5a108"
        cidr: "172.31.32.0/20"
      awscli-subnet-pri04:
        id: "subnet-0b9a147db425c2c69"
        cidr: "172.31.64.0/24"

managedNodeGroups:
  - name: base-control-node
    instanceType: t3.large
    desiredCapacity: 1
    minSize: 1
    maxSize: 2
    ...

How to reproduce it?

You only need to apply the eksctl YAML above to reproduce this issue.

Logs
Below are the error logs from the Karpenter controller pod:

{"level":"ERROR","time":"2026-02-08T12:48:10.216Z","logger":"controller","message":"Reconciler error","commit":"e7e1327","controller":"instanceprofile.garbagecollection","namespace":"","name":"","reconcileID":"701f2d5d-2fd7-4ae5-be21-e9b3cd2abd2f","aws-error-code":"AccessDenied","aws-operation-name":"ListInstanceProfiles","aws-request-id":"ab26ba07-5302-41c6-ba09-6b31408462a8","aws-service-name":"IAM","aws-status-code":403,"error":"listing instance profiles, listing instance profiles, operation error IAM: ListInstanceProfiles, https response error StatusCode: 403, RequestID: ab26ba07-5302-41c6-ba09-6b31408462a8, api error AccessDenied: User: arn:aws-cn:sts::xxxxxxxxxxxx:assumed-role/eksctl-Bigdata-Task-karpenter-iamservice-role/1770554722369905944 is not authorized to perform: iam:ListInstanceProfiles on resource: arn:aws-cn:iam::xxxxxxxxxxxx:instance-profile/karpenter/cn-northwest-1/Bigdata-Task-karpenter/ because no identity-based policy allows the iam:ListInstanceProfiles action (aws-error-code=AccessDenied, aws-operation-name=ListInstanceProfiles, aws-request-id=ab26ba07-5302-41c6-ba09-6b31408462a8, aws-service-name=IAM, aws-status-code=403)"}

Anything else we need to know?
I tested multiple times with different versions of Karpenter, such as 1.2.1, 1.8.2 and 1.9.0.

Versions
eksctl info
eksctl version: 0.221.0
kubectl version: v1.28.1-eks-43840fb
OS: linux

How to workaround?

I tried to follow the link below to add all the necessary IAM policies manually to work around this issue:
https://karpenter.sh/docs/reference/cloudformation/#karpentercontrollerpolicy
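The error line above is structured JSON, and the `error` field carries everything needed to diagnose a missing permission: the principal (the eksctl-created IRSA role), the denied action, the resource ARN and the reason. The following script is an added example, not code from this issue, from eksctl or from Karpenter: it parses controller log lines, keeps only AccessDenied entries, and aggregates the denied actions per resource into a least-privilege policy document that can be compared against the KarpenterControllerPolicy linked above. The sample lines, account IDs, request IDs and the `wildcard_actions` parameter are constructed for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines: the ERROR line is modelled on the AccessDenied entry in
# the report (account and request IDs are placeholders); the INFO line and the
# non-JSON line are constructed to exercise filtering.
SAMPLE_LOG_LINES = [
    '{"level":"INFO","time":"2026-02-08T12:48:09.000Z","logger":"controller",'
    '"message":"starting"}',
    '{"level":"ERROR","time":"2026-02-08T12:48:10.216Z","logger":"controller",'
    '"message":"Reconciler error","controller":"instanceprofile.garbagecollection",'
    '"aws-error-code":"AccessDenied","aws-operation-name":"ListInstanceProfiles",'
    '"aws-service-name":"IAM","aws-status-code":403,'
    '"error":"listing instance profiles, operation error IAM: ListInstanceProfiles, '
    'https response error StatusCode: 403, '
    'RequestID: 00000000-0000-0000-0000-000000000000, api error AccessDenied: User: '
    'arn:aws-cn:sts::111111111111:assumed-role/eksctl-Bigdata-Task-karpenter-iamservice-role/1770554722369905944 '
    'is not authorized to perform: iam:ListInstanceProfiles on resource: '
    'arn:aws-cn:iam::111111111111:instance-profile/karpenter/cn-northwest-1/Bigdata-Task-karpenter/ '
    'because no identity-based policy allows the iam:ListInstanceProfiles action"}',
    "not json at all",
]

# Shape of the AWS AccessDenied message; the reason stops at the parenthesised
# key=value dump that some Karpenter versions append, or at end of string.
DENIAL_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+) because (?P<reason>.+?)(?: \(|$)"
)


def parse_denials(lines):
    """Return one record per AccessDenied log line; non-JSON and non-denial lines are skipped."""
    denials = []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a structured controller log line
        if entry.get("aws-error-code") != "AccessDenied":
            continue
        match = DENIAL_RE.search(entry.get("error", ""))
        if not match:
            continue
        denials.append({
            "time": entry.get("time"),
            "controller": entry.get("controller"),
            "service": entry.get("aws-service-name"),
            "operation": entry.get("aws-operation-name"),
            "principal": match.group("principal"),
            "action": match.group("action"),
            "resource": match.group("resource"),
            "reason": match.group("reason"),
        })
    return denials


def build_policy(denials, wildcard_actions=frozenset()):
    """Aggregate denied actions per resource into a minimal Allow policy.

    Actions listed in wildcard_actions (an assumption of this example: the caller
    supplies actions whose service authorization reference defines no resource
    type) are granted on Resource "*" because they cannot be scoped by ARN.
    """
    by_resource = defaultdict(set)
    for d in denials:
        resource = "*" if d["action"] in wildcard_actions else d["resource"]
        by_resource[resource].add(d["action"])
    statements = [
        {
            "Sid": f"KarpenterDenied{i}",
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": resource,
        }
        for i, (resource, actions) in enumerate(sorted(by_resource.items()))
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG_LINES)
    for d in found:
        print(f"{d['time']} {d['controller']}: {d['principal']} denied {d['action']} on {d['resource']}")
    print(json.dumps(build_policy(found), indent=2))
```

Run it against `kubectl logs -n <karpenter-namespace> deploy/karpenter` piped to a file to get the full set of denied actions in one pass rather than fixing them one reconcile loop at a time. Before attaching the generated document, check each action in the IAM service authorization reference: list-type operations such as the one in this report often define no resource type, in which case pass them via `wildcard_actions` so the statement uses `Resource: "*"` instead of the ARN the denial message reports.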
