EKS not able to authenticate to Kubernetes with Kubectl - "User: is not authorized to perform: sts:AssumeRole"

I've initially run aws --region eu-west-1 eks update-kubeconfig --name prod-1234 --role-arn arn:aws:iam::1234:user/chris-devops to get access to the EKS cluster.

When doing anything like: kubectl get ... I get an error of:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::1234:user/chris-devops is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::1234:user/chris-devops

Why do I get this error? How do I gain access?

I've added the following to the user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::1234:user/chris-devops"
        }
    ]
}

In addition I also have full Administrator access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

I've read through: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_cant-assume-role

And my understanding is I'm meeting all the criteria.

Chris Stryczynski Avatar asked Oct 17 '19 14:10



2 Answers

Your policy is wrong. A user can't assume another IAM user. It should be something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::1234:role/prod-Eks-1234-admins"
        }
    ]
}
marcincuber Avatar answered Sep 17 '22 12:09

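The mistake in the question is easy to make and easy to catch mechanically: sts:AssumeRole can only target a role ARN, never a user or group ARN. The following lint is an added example written for this page (not code from either poster or from AWS); it parses an IAM identity policy, finds every Allow statement that grants sts:AssumeRole, and flags any resource that is not a role ARN. The two sample policies are constructed to mirror the ones in the question and the accepted answer, with the placeholder account id 1234 kept as-is.

```python
import json
import re

# IAM ARN: arn:<partition>:iam::<account>:<type>/<name>. The thread uses "1234"
# as a placeholder account id, so any digit run (or "*") is accepted here.
IAM_ARN_RE = re.compile(r"^arn:[^:]+:iam::(\d+|\*):(role|user|group|\*)(/.*)?$")

def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def assume_role_targets(policy):
    """Yield (statement_index, resource) for each Allow statement granting sts:AssumeRole."""
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action"))]  # action names are case-insensitive
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        for r in _as_list(st.get("Resource")):
            yield i, r

def lint_assume_role_policy(policy):
    """Return a list of findings: sts:AssumeRole resources that cannot be assumed.
    STS only assumes roles, so a user or group ARN here is always a misconfiguration."""
    findings = []
    for i, r in assume_role_targets(policy):
        if r == "*":
            continue  # wildcard: overly broad, but not the error discussed in this thread
        m = IAM_ARN_RE.match(r)
        if not m:
            findings.append(f"statement {i}: {r!r} is not an IAM ARN")
        elif m.group(2) not in ("role", "*"):
            findings.append(f"statement {i}: {r!r} is a {m.group(2)} ARN; "
                            "sts:AssumeRole only works on role ARNs")
    return findings

# Constructed sample policies, shaped like the two in the question and the answer above.
WRONG_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["sts:AssumeRole"], "Resource": "arn:aws:iam::1234:user/chris-devops"}]}""")
RIGHT_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["sts:AssumeRole"], "Resource": "arn:aws:iam::1234:role/prod-eks-1234-admins"}]}""")

if __name__ == "__main__":
    for name, pol in (("wrong", WRONG_POLICY), ("right", RIGHT_POLICY)):
        print(name, lint_assume_role_policy(pol) or "OK")
```

Passing the lint is necessary but not sufficient: the role named in the policy must also trust the calling user in its own trust policy, which is the other half of the AWS troubleshooting page linked in the question.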

aws eks --region eu-west-1 update-kubeconfig --name prod-eks-3flXvI2r --role-arn arn:aws:iam::1234:role/prod-eks-1234-admins

I had to specify the correct role... Woohooo

Chris Stryczynski Avatar answered Sep 16 '22 12:09