EKS 无法使用 Kubectl 向 Kubernetes 进行身份验证 - "User: is not authorized to perform: sts:AssumeRole"

Question

我最初运行 aws --region eu-west-1 eks update-kubeconfig --name prod-1234 --role-arn arn:aws:iam::1234:user/chris-devops 访问 EKS 集群。

在执行类似以下操作时：kubectl get ... 我收到以下错误：

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::1234:user/chris-devops is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::1234:user/chris-devops

为什么会出现此错误？我如何获得访问权限？

我已将以下内容添加到用户：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::1234:user/chris-devops"
        }
    ]
}

此外，我还有完全管理员权限：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

我已通读：https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_cant-assume-role

我的理解是我符合所有标准。

Answer 1

aws eks --region eu-west-1 update-kubeconfig --name prod-eks-3flXvI2r --role-arn http://arn:aws:iam::1234:role/prod-eks-1234-admins

我必须指定正确的角色...Woohooo

Answer 2

你的政策是错误的。用户不能承担另一个 IAM 用户。它应该是这样的：

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "sts:AssumeRole"
        ],
        "Resource": "arn:aws:iam::1234:role/prod-Eks-1234-admins"
    }
]
}

EKS 无法使用 Kubectl 向 Kubernetes 进行身份验证 - "User: is not authorized to perform: sts:AssumeRole"

EKS not able to authenticate to Kubernetes with Kubectl - "User: is not authorized to perform: sts:AssumeRole"

amazon-web-services

kubernetes

amazon-eks