属于IAM组的AWS IAM用户不能承担IAM组允许承担的IAM角色?
属于IAM组的AWS IAM用户不能承担IAM组允许承担的IAM角色?
提问于 2021-02-28 04:31:40
我希望这个话题有意义。
我正在尝试在我的EKS集群上设置RBAC,并使用这个出色的演练作为指南,Kubernetes认证。
因此,我创建了一个名为EKSClusterAdminRole的IAM角色,它具有AmazonEKSClusterPolicy管理策略,允许该角色管理EKS集群。角色具有这种信任关系。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}然后,我创建了一个具有内联策略的EKSAdminGroup,该策略可以承担该角色,如下所示
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeOrganizationAccountRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::0123456789:role/EKSClusterAdminRole"
}
]
}我将现有的jenkins用户添加到该组中,如下所示
$ aws iam get-group --group-name EKSAdminGroup
{
"Group": {
"Path": "/",
"CreateDate": "2021-02-27T18:31:34Z",
"GroupId": "QRSTUVWXYZ",
"Arn": "arn:aws:iam::0123456789:group/EKSAdminGroup",
"GroupName": "EKSAdminGroup"
},
"Users": [
{
"UserName": "jenkins",
"Path": "/",
"CreateDate": "2014-11-04T14:03:17Z",
"UserId": "ABCEDFGHIJKLMNOP",
"Arn": "arn:aws:iam::0123456789:user/jenkins"
}
]
}这是我的ClusterRole和ClusterRoleBinding清单
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-admin-role
rules:
- apiGroups:
- ""
- "apps"
- "batch"
- "extensions"
resources:
- "configmaps"
- "cronjobs"
- "deployments"
- "events"
- "ingresses"
- "jobs"
- "pods"
- "pods/attach"
- "pods/exec"
- "pods/log"
- "pods/portforward"
- "secrets"
- "services"
verbs:
- "create"
- "delete"
- "describe"
- "get"
- "list"
- "patch"
- "update"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-admin-rolebinding
subjects:
- kind: Group
name: cluster-admins
roleRef:
kind: ClusterRole
name: cluster-admin-role
apiGroup: rbac.authorization.k8s.io现在,我在一台在~/.aws/credentials中具有上述~/.aws/credentials用户凭据的机器上。我想在那里执行kubectl命令。所以我知道
$ cat ~/.aws/credentials
[default]
aws_access_key_id = ABCEDFGHIJKLMNOP
aws_secret_access_key = *****
$ aws eks update-kubeconfig --name sandbox --region us-east-1 --role-arn arn:aws:iam::0123456789:role/EKSClusterAdminRole
Updated context arn:aws:eks:us-east-1:0123456789:cluster/sandbox in /home/ubuntu/.kube/config
$ kubectl config view
apiVersion: v1
kind: Config
...
users:
- name: arn:aws:eks:us-east-1:0123456789:cluster/sandbox
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- --region
- us-east-1
- eks
- get-token
- --cluster-name
- sandbox
- --role
- arn:aws:iam::0123456789:role/EKSClusterAdminRole
command: aws
env: null
provideClusterInfo: false这里是我的EKS集群的auth的一部分
apiVersion: v1
kind: ConfigMap
data:
mapRoles: |
- rolearn: arn:aws:iam::0123456789:role/EKSClusterAdminRole
username: cluster-admins但我得到了,例如
$ kubectl get ns
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::0123456789:user/jenkins is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::0123456789:role/EKSClusterAdminRole
Unable to connect to the server: getting credentials: exec: executable aws failed with exit code 255怎么回事?似乎我在疑难我的角色中做了所有与我的问题相关的事情。
回答 1
Stack Overflow用户
回答已采纳
发布于 2021-03-11 05:38:22
为了使这一工作,至少在我的用户可以承担的角色,我不得不添加到我的IAM EKSClusterAdminRole的信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com",
"AWS": "arn:aws:iam::0123456789:root" <-- add this line
},
"Action": "sts:AssumeRole"
}
]
}页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/66405842
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号