[EKS] [request]: auto mode: Allow access to managed-control-plane component logs

[aslatter]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Successfully debugging auto-mode issues like #2486 is challenging without access to logs related to components AWS is managing for us in the managed control-plane. Taking operational overhead off my plate is great, but I am responsible for IAM and SG related build which can have subtle errors when using advanced features like IAM paths and permission boundaries. Having customer access to logs can reduce the cycle-time for issue resolution (even in the cases where support needs to be pulled in).

Are you currently working around this issue?
N/A

Additional context
N/A

Attachments
If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)

[aslatter]

To add a more concrete use-case: I'm debugging an issue where my IAM policies are causing ec2:RunInstances to fail with a not-authorized error. The CloudTrail log includes the encoded authorization failure message, but it is truncated due to length-limits in CloudTrail which makes the decode-operation fail. Presumably the Karpenter logs would not be truncated and I would be able to get additional information to help in my debugging.