堆栈内存溢出
  简体   繁体   English

EKS 无法使用 Kubectl 向 Kubernetes 进行身份验证 - “用户:无权执行:sts:AssumeRole”

[英]EKS not able to authenticate to Kubernetes with Kubectl - “User: is not authorized to perform: sts:AssumeRole”

 原文  2019-10-17 14:58:09       amazon-web-services/ kubernetes/ amazon-eks

问题描述

I've initially run aws --region eu-west-1 eks update-kubeconfig --name prod-1234 --role-arn arn:aws:iam::1234:user/chris-devops to get access to the EKS cluster.我最初运行aws --region eu-west-1 eks update-kubeconfig --name prod-1234 --role-arn arn:aws:iam::1234:user/chris-devops以访问 EKS 集群.

When doing anything like: kubectl get... I get an error of:执行以下操作时: kubectl get...我收到以下错误:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::1234:user/chris-devops is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::1234:user/chris-devops调用 AssumeRole 操作时发生错误 (AccessDenied):用户:arn:aws:iam::1234:user/chris-devops 无权执行:sts:AssumeRole on resource:arn:aws:iam::1234:user /克里斯-德沃普斯

Why do I get this error?为什么我会收到此错误? How do I gain access?我如何获得访问权限?

I've added the following to the user:我已向用户添加以下内容:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::1234:user/chris-devops"
        }
    ]
}

In addition I also have full Administrator access:此外,我还拥有完整的管理员访问权限:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

I've read through: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_cant-assume-role我已通读: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_cant-assume-role

And my understanding is I'm meeting all the criteria.我的理解是我符合所有标准。

2 个解决方案

解决方案1
 0  2019-10-17 18:10:21

aws eks --region eu-west-1 update-kubeconfig --name prod-eks-3flXvI2r --role-arn http://arn:aws:iam::1234:role/prod-eks-1234-admins

I had to specify the correct role... Woohooo我必须指定正确的角色......哇哦

解决方案2
 0  2019-10-18 08:57:48

Your policy is wrong.你的政策是错误的。 User can't assume another IAM user.用户不能假设另一个 IAM 用户。 It should be something like this:它应该是这样的:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "sts:AssumeRole"
        ],
        "Resource": "arn:aws:iam::1234:role/prod-Eks-1234-admins"
    }
]
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 AWS AssumeRole - 用户无权对资源执行:sts:AssumeRole - AWS AssumeRole - User is not authorized to perform: sts:AssumeRole on resource 无权执行:资源上的 sts:AssumeRole - Not authorized to perform: sts:AssumeRole on resource AWS Boto3-用户无权在资源上执行sts :: AssumeRole吗? - AWS Boto3 - User is not authorized to perform sts::AssumeRole on resource? AWSSecurityTokenServiceException:加入被拒绝。 用户无权执行 sts:AssumeRole - AWSSecurityTokenServiceException: Acced denied. User is not authorized to perform sts:AssumeRole AWS,GitHub 操作:用户无权执行:sts:AssumeRole on resource (CodePipeline) - AWS, GitHub Action: User is not authorized to perform: sts:AssumeRole on resource(CodePipeline) Lambda function 无权执行 sts:AssumeRole - Lambda function is not authorized to perform sts:AssumeRole AWS cli:无权执行:sts:AssumeRole 对资源 - AWS cli: not authorized to perform: sts:AssumeRole on resource AWS Amplify - CognitoIdentityCredentials 无权执行:sts:AssumeRole on resource - AWS Amplify - CognitoIdentityCredentials is not authorized to perform: sts:AssumeRole on resource CodeBuild 无权执行: sts:AssumeRole on arn:aws:iam/ … InvalidInputException; 为什么? - CodeBuild is not authorized to perform: sts:AssumeRole on arn:aws:iam/ … InvalidInputException; why? 用户:arn:aws:sts::{account_id}:assumed-role/* 无权执行:sts:AssumeRole on resource:arn:aws:iam::{account_id}:role/* - User: arn:aws:sts::{account_id}:assumed-role/* is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{account_id}:role/*
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM