无法在 Spinnaker 上设置 AWS 账户

Question

I followed following steps to add and configure AWS account in Spinnaker:

1. hal config provider aws account add my-aws-acc --account-id xxxxxxxxxxxx --assume-role SpinnakerManaged

2. hal config provider aws enable

AWS Account Setup

SpinnakerManaged Role is having following policies attached:

pass_role_policy

{

"Version": "2012-10-17",

"Statement": [

    {


        "Effect": "Allow",

        "Action": [

            "ec2:*"

        ],

        "Resource": "*"

    },

    {

        "Effect": "Allow",

        "Action": "iam:PassRole",

        "Resource": "*"

    }

]

}

Power User Access

Server on which spinnaker is hosted is attached SpinnakerAuth Role which has following policies:

1. PowerUser Access

2. Pass_role_policy

3. assume_role_policy

   {

   "Version": "2012-10-17",

   "Statement": [

    { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*" }

   ] }

command: hal deploy apply

Spinnaker gets successfully deployed while clouddriver service with port 7002 doesn't come up

Error in /var/log/spinnaker/cloudriver/clouddriver.log file: Caused by: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Not authorized to perform sts:AssumeRole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied;

Answer 1

This is related to the trust relationship in the AWS IAM configuration. The deployment of AWS IAM permissions for the cases described below has been improved in the spinnaker.io documentation .

1. Use a Managing AWS User with AWS Key and Secret with the policy that allows to assume the ManagedTargetRole
2. Use a Managing Role with the policy that allows to assume the ManagedTargetRole

Please refer to this option and deploy again.

In my case the local debian installation in Spinnaker never worked for me. I was successfully able to deploy Spinnaker by using the project Minnaker for PoC.