I am new to AWS and somewhat stuck on a particular error. I have looked around but have not found a good answer yet.
I have a Kubernetes EKS cluster and am trying to read from an S3 bucket from inside a Pod. After running `aws s3 ls`, I get the following error:

```
An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity
```

When I run `sudo aws s3 ls`, I do see all the files in the S3 bucket.
The Pod I am running this in looks like this:

```yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubernetes.io/psp: eks.privileged
  creationTimestamp: "2022-03-08T02:22:14Z"
  generateName: k8sray-cloud-head-
  labels:
    cluster.ray.io/component: k8sray-cloud-ray-head
    ray-cluster-name: k8sray-cloud
    ray-file-mounts-contents: da39a3ee5e6b4b0d3255bfef95601890afd80709
    ray-launch-config: 9c53947fee819b4275ae8211895b80d2566b60f4
    ray-node-name: k8sray-cloud-head
    ray-node-status: up-to-date
    ray-node-type: head
    ray-node-uuid: 9a6be68f-d342-4be0-b430-4a4897a4b102
    ray-runtime-config: 4221eb98d4ff536b31e5e087d599091ccbbb488d
    ray-user-node-type: head-node
  name: k8sray-cloud-head-c58v8
  namespace: example
  ownerReferences:
  - apiVersion: cluster.ray.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: RayCluster
    name: k8sray-cloud
    uid: a63d636c-fe59-4119-b86b-33dbd490e77e
  resourceVersion: "149506313"
  selfLink: /api/v1/namespaces/ds7/pods/k8sray-cloud-head-c58v8
  uid: 8520596a-0919-4533-84aa-f179c4274314
spec:
  containers:
  - args:
    - 'trap : TERM INT; touch /tmp/raylogs; tail -f /tmp/raylogs; sleep infinity &
      wait;'
    command:
    - /bin/bash
    - -c
    - --
    env:
    - name: AWS_DEFAULT_REGION
      value: <region>
    - name: AWS_REGION
      value: <region>
    - name: AWS_ROLE_ARN
      value: arn:aws:iam::<appropriate id>:role/<role>
    - name: AWS_WEB_IDENTITY_TOKEN_FILE
      value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    image: <image>
    imagePullPolicy: IfNotPresent
    name: ray-node
    ports:
    - containerPort: 6379
      protocol: TCP
    - containerPort: 10001
      protocol: TCP
    - containerPort: 8265
      protocol: TCP
    - containerPort: 8000
      protocol: TCP
    resources:
      limits:
        cpu: "2"
        memory: 4Gi
        nvidia.com/gpu: "0"
      requests:
        cpu: "2"
        ephemeral-storage: 1Gi
        memory: 4Gi
        nvidia.com/gpu: "0"
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /dev/shm
      name: dshm
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: k8sva-01-token-w55qf
      readOnly: true
    - mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
      name: aws-iam-token
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: <left-blank>
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 65534
  serviceAccount: k8sva-01
  serviceAccountName: k8sva-01
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: aws-iam-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: sts.amazonaws.com
          expirationSeconds: 86400
          path: token
  - emptyDir:
      medium: Memory
    name: dshm
  - name: k8sva-01-token-w55qf
    secret:
      defaultMode: 420
      secretName: k8sva-01-token-random
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2022-03-08T02:22:14Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2022-03-08T02:22:16Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2022-03-08T02:22:16Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2022-03-08T02:22:14Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://0c10ab356dbc042aaf88b45c357d9f0882a03eff062c3da9fa2db65f7fcaae84
    image: <some-image>
    imageID: <some-image-id>
    lastState: {}
    name: ray-node
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2022-03-08T02:22:15Z"
```

The linked service account looks like this:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<appropriate-name>:role/<role>
  creationTimestamp: "2022-03-08T01:11:56Z"
  name: k8sva-01
  namespace: example
  resourceVersion: "149488496"
  selfLink: /api/v1/namespaces/ds7/serviceaccounts/k8sva-01
  uid: 019fe48c-cfec-4961-824c-31bc867b59f8
secrets:
- name: k8sva-01-token-random
```

The associated IAM role has the following trust policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

I have tried the following:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<appropriate-name>:oidc-provider/<oidc-provider>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "<oidc-provider>:sub": "system:serviceaccount:*",
          "<oidc-provider>:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```

How do I resolve this error?
Posted on 2022-05-23 14:47:50
You should try a trust policy that contains only the `:sub` condition, without `:aud`. For example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<appropriate-name>:oidc-provider/<oidc-provider>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "<oidc-provider>:sub": "system:serviceaccount:<namespace>:<sa>"
        }
      }
    }
  ]
}
```

Note that if you use a wildcard, you should use the "StringLike" operator rather than "StringEquals".
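As an added diagnostic (not code from the question or the answer), the script below decodes the claims of a projected service-account token and evaluates them against trust-policy conditions the way IAM treats StringEquals (exact match, no wildcards) and StringLike (`*`/`?` wildcards), so the effect of the `*` under StringEquals in the asker's attempt can be seen offline. It assumes the placeholder `<oidc-provider>` condition-key prefix from the policies above and a constructed unsigned token; a real token would be read from the path in AWS_WEB_IDENTITY_TOKEN_FILE.

```python
import base64
import json
import re

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt_claims(token: str) -> dict:
    """Decode (without verifying; STS does that) the payload of a JWT."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))

def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

MATCHERS = {"StringEquals": lambda exp, act: exp == act,  # exact: '*' is literal
            "StringLike": string_like}                     # other operators never match here

def trust_policy_allows(policy: dict, claims: dict) -> bool:
    """True if an Allow statement for sts:AssumeRoleWithWebIdentity matches."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue  # e.g. the ec2.amazonaws.com / sts:AssumeRole statement
        ok = True
        for operator, keys in stmt.get("Condition", {}).items():
            match = MATCHERS.get(operator, lambda exp, act: False)
            for key, expected in keys.items():
                actual = claims.get(key.rsplit(":", 1)[-1], "")  # '<oidc-provider>:sub' -> 'sub'
                ok = ok and match(expected, actual)
        if ok:
            return True
    return False

# Constructed for this added example (not a real token): an unsigned JWT with the
# claims the Pod's projected token carries: namespace 'example', SA 'k8sva-01'.
FAKE_TOKEN = ".".join([b64url(b'{"alg":"none"}'), b64url(json.dumps(
    {"sub": "system:serviceaccount:example:k8sva-01", "aud": "sts.amazonaws.com"}).encode()), ""])
CLAIMS = decode_jwt_claims(FAKE_TOKEN)

def policy_with(operator: str, sub: str) -> dict:  # trust policy shaped like the answer's
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {
        "Federated": "arn:aws:iam::<appropriate-name>:oidc-provider/<oidc-provider>"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {operator: {"<oidc-provider>:sub": sub}}}]}

ASKED = policy_with("StringEquals", "system:serviceaccount:*")  # denied: '*' is literal
ANSWER = policy_with("StringEquals", "system:serviceaccount:example:k8sva-01")
LIKE = policy_with("StringLike", "system:serviceaccount:example:*")
```

Run against a real token, `decode_jwt_claims(open(path).read())` shows the exact `sub` and `aud` values STS will see, which is the first thing to compare with the role's conditions.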
https://stackoverflow.com/questions/71389468