如何将相同的 RBAC 角色分配给两个不同的 IAM 角色以访问 EKS 中的集群?
How can I assign the same RBAC role to two different IAM roles to access a cluster in EKS?
我想授予某个团队访问 RBAC 中 system:masters 组的权限。我的团队(下面示例中的 AWSReservedSSO_Admin_xxxxxxxxxx)已经拥有它,并且当我只添加那个 rolearn 时它可以工作,但是当我将下面的配置映射与额外的 rolearn 一起应用时,AWSReservedSSO_Dev_xxxxxxxxxx角色在尝试访问集群时仍然出现此错误:error: You must be logged in to the server (Unauthorized)
(注意:我们使用的是 AWS SSO,因此假定了 IAM 角色):
---
apiVersion: v1
kind: ConfigMap
data:
mapRoles: |
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
groups:
- system:bootstrappers
- system:nodes
username: system:node:{{EC2PrivateDNSName}}
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_xxxxxxxxxx
groups:
- system:masters
username: admin
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
groups:
- system:masters
username: admin
metadata:
name: aws-auth
namespace: kube-system
我不确定您是如何担任这些角色的 ❓ 并且您的配置看起来不错,但原因可能是您将同一用户映射到两个不同的角色。 AWS IAM 只允许用户一次只承担一个角色,basically, as an AWS IAM user, you can't assume multiple IAM roles at the same time.
您可以尝试不同的用户,看看它是否适合您。
---
apiVersion: v1
kind: ConfigMap
data:
mapRoles: |
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
groups:
- system:bootstrappers
- system:nodes
username: system:node:{{EC2PrivateDNSName}}
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_xxxxxxxxxx
groups:
- system:masters
username: admin
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
groups:
- system:masters
username: admin2
metadata:
name: aws-auth
namespace: kube-system
您可能缺少的另一个方面是 arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx 角色中的 'Trust Relationship' 允许 admin 担任该角色。
✌️☮️
谢谢里科。当您使用 SSO 登录时,您将承担 STS 中的角色。您可以通过 运行ning aws sts get-caller-identity.
来验证这一点
你是对的,用户名错误,但这并没有解决整个问题。
花了很长时间,但我的队友终于找到了这个问题的解决方案in this guide
问题是 IAM 角色的 ARN:
rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
这部分 aws-reserved/sso.amazonaws.com/ 需要从名称中删除。所以最后结合 Rico 建议的用户名修复:
---
apiVersion: v1
kind: ConfigMap
data:
mapRoles: |
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
groups:
- system:bootstrappers
- system:nodes
username: system:node:{{EC2PrivateDNSName}}
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/AWSReservedSSO_Admin_xxxxxxxxxx
groups:
- system:masters
username: admin
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/AWSReservedSSO_Dev_xxxxxxxxxx
groups:
- system:masters
username: admin2
metadata:
name: aws-auth
namespace: kube-system
问题终于得到解决,担任该角色的 SSO 用户可以 运行 kubectl 命令!
我想授予某个团队访问 RBAC 中 system:masters 组的权限。我的团队(下面示例中的 AWSReservedSSO_Admin_xxxxxxxxxx)已经拥有它,并且当我只添加那个 rolearn 时它可以工作,但是当我将下面的配置映射与额外的 rolearn 一起应用时,AWSReservedSSO_Dev_xxxxxxxxxx角色在尝试访问集群时仍然出现此错误:error: You must be logged in to the server (Unauthorized)
(注意:我们使用的是 AWS SSO,因此假定了 IAM 角色):
---
apiVersion: v1
kind: ConfigMap
data:
mapRoles: |
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
groups:
- system:bootstrappers
- system:nodes
username: system:node:{{EC2PrivateDNSName}}
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_xxxxxxxxxx
groups:
- system:masters
username: admin
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
groups:
- system:masters
username: admin
metadata:
name: aws-auth
namespace: kube-system
我不确定您是如何担任这些角色的 ❓ 并且您的配置看起来不错,但原因可能是您将同一用户映射到两个不同的角色。 AWS IAM 只允许用户一次只承担一个角色,basically, as an AWS IAM user, you can't assume multiple IAM roles at the same time.
您可以尝试不同的用户,看看它是否适合您。
---
apiVersion: v1
kind: ConfigMap
data:
mapRoles: |
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
groups:
- system:bootstrappers
- system:nodes
username: system:node:{{EC2PrivateDNSName}}
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_xxxxxxxxxx
groups:
- system:masters
username: admin
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
groups:
- system:masters
username: admin2
metadata:
name: aws-auth
namespace: kube-system
您可能缺少的另一个方面是 arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx 角色中的 'Trust Relationship' 允许 admin 担任该角色。
✌️☮️
谢谢里科。当您使用 SSO 登录时,您将承担 STS 中的角色。您可以通过 运行ning aws sts get-caller-identity.
你是对的,用户名错误,但这并没有解决整个问题。
花了很长时间,但我的队友终于找到了这个问题的解决方案in this guide
问题是 IAM 角色的 ARN:
rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
这部分 aws-reserved/sso.amazonaws.com/ 需要从名称中删除。所以最后结合 Rico 建议的用户名修复:
---
apiVersion: v1
kind: ConfigMap
data:
mapRoles: |
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
groups:
- system:bootstrappers
- system:nodes
username: system:node:{{EC2PrivateDNSName}}
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/AWSReservedSSO_Admin_xxxxxxxxxx
groups:
- system:masters
username: admin
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/AWSReservedSSO_Dev_xxxxxxxxxx
groups:
- system:masters
username: admin2
metadata:
name: aws-auth
namespace: kube-system
问题终于得到解决,担任该角色的 SSO 用户可以 运行 kubectl 命令!