无权执行:资源上的 sts:AssumeRole
[英]Not authorized to perform: sts:AssumeRole on resource
问题描述
I'm trying to use kubectl to work on a EKS Cluster created from an other user.
我正在尝试使用 kubectl 处理从其他用户创建的 EKS 集群。 I followed the different instructions from the documentation to create the kube config file with the command: aws eks --region eu-central-1 update-kubeconfig --name internal --role-arn arn:aws:iam::xxxxxxxxxx:role/eks_role_internal .我按照文档中的不同说明使用以下命令创建 kube 配置文件: aws eks --region eu-central-1 update-kubeconfig --name internal --role-arn arn:aws:iam::xxxxxxxxxx:role/eks_role_internal 。
Then when i try to test the configuration ( kubectl get svc ), i'm getting the error:然后,当我尝试测试配置( kubectl get svc )时,出现错误:
could not get token: AccessDenied: User: arn:aws:iam::xxxxxxxxxxxx:user/me is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxxx:role/eks_role_internal
Here is the config for the Policy:这是策略的配置:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::xxxxxxxxxxx:role/eks_role_internal"
}
]
}
And the trust relationship of the role:以及角色的信任关系:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"eks.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
1 个解决方案
解决方案1
0 2020-07-30 04:02:45
The first reason getting this error message is misconfigured Trusted relationship on a role that is going to be assumed.收到此错误消息的第一个原因是在将要承担的角色上配置错误的Trusted relationship 。
I also was seeing this error when the attached condition in the trusted relationship of having MFA wasn't met:当未满足具有 MFA 的受信任关系中的附加条件时,我也看到了此错误:
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
AWS cli isn't smart enough to see this case and ask for the MFA code, it just throws that error message. AWS cli不够聪明,无法查看此案例并要求提供 MFA 代码,它只会抛出该错误消息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.