[英]How can I assign the same RBAC role to two different IAM roles to access a cluster in EKS?
I would like to give a certain team access to the system:masters
group in RBAC.我想授予某个团队访问
system:masters
组。 My team ( AWSReservedSSO_Admin_xxxxxxxxxx
in example below) already has it and it works when I only add that one rolearn
, but when I apply the configmap below with the additional rolearn
, users under the AWSReservedSSO_Dev_xxxxxxxxxx
role still get this error when trying to access the cluster: error: You must be logged in to the server (Unauthorized)
我的团队(下面示例中的
AWSReservedSSO_Admin_xxxxxxxxxx
)已经拥有它,并且当我只添加一个rolearn
时它可以工作,但是当我将下面的配置映射与额外的rolearn
一起应用时, AWSReservedSSO_Dev_xxxxxxxxxx
角色下的用户在尝试访问集群时仍然会收到此错误: error: You must be logged in to the server (Unauthorized)
(note: we are using AWS SSO, so the IAM roles are assumed): (注意:我们使用的是 AWS SSO,因此假定了 IAM 角色):
---
apiVersion: v1
kind: ConfigMap
data:
mapRoles: |
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
groups:
- system:bootstrappers
- system:nodes
username: system:node:{{EC2PrivateDNSName}}
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_xxxxxxxxxx
groups:
- system:masters
username: admin
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
groups:
- system:masters
username: admin
metadata:
name: aws-auth
namespace: kube-system
I'm not sure how you are assuming the roles ❓ and your configuration looks fine, but the reason could be that you are mapping the same user to two different roles.我不确定您是如何承担角色 ❓ 并且您的配置看起来不错,但原因可能是您将同一个用户映射到两个不同的角色。 AWS IAM only allows a user to assume only one role at a time, basically, as an AWS IAM user, you can't assume multiple IAM roles at the same time .
AWS IAM 只允许用户一次只承担一个角色, 基本上,作为 AWS IAM 用户,您不能同时承担多个 IAM 角色。
You can try with different users and see it works for you.您可以尝试使用不同的用户,看看它是否适合您。
---
apiVersion: v1
kind: ConfigMap
data:
mapRoles: |
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
groups:
- system:bootstrappers
- system:nodes
username: system:node:{{EC2PrivateDNSName}}
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_xxxxxxxxxx
groups:
- system:masters
username: admin
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
groups:
- system:masters
username: admin2
metadata:
name: aws-auth
namespace: kube-system
The other aspect that you may be missing is the 'Trust Relationship' in your arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
role that allows admin
to assume the role.您可能缺少的另一个方面是您的
arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
角色中的“信任关系”,该角色允许admin
担任该角色。
✌️☮️ ✌️☮️
Thanks Rico.谢谢里科。 When you sign in with SSO, you are assuming a role in STS.
当您使用 SSO 登录时,您将承担 STS 中的角色。 You can verify this by running
aws sts get-caller-identity
.您可以通过运行
aws sts get-caller-identity
来验证这一点。
You werew right that that the username wrong but it didn't solve the whole issue.您认为用户名错误是对的,但它并没有解决整个问题。
Took a long time but my teammate finally found the solution for this in this guide花了很长时间,但我的队友终于在本指南中找到了解决方案
The problem was the ARN for the IAM Role:问题是 IAM 角色的 ARN:
rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
This part aws-reserved/sso.amazonaws.com/
needs to be removed from the name.这部分
aws-reserved/sso.amazonaws.com/
需要从名称中删除。 So in the end combined with Rico's suggested username fix:所以最后结合 Rico 建议的用户名修复:
---
apiVersion: v1
kind: ConfigMap
data:
mapRoles: |
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
groups:
- system:bootstrappers
- system:nodes
username: system:node:{{EC2PrivateDNSName}}
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/AWSReservedSSO_Admin_xxxxxxxxxx
groups:
- system:masters
username: admin
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/AWSReservedSSO_Dev_xxxxxxxxxx
groups:
- system:masters
username: admin2
metadata:
name: aws-auth
namespace: kube-system
The issue is finally fixed, and SSO users assuming the role can run kubectl
commands!问题终于解决了,承担该角色的 SSO 用户可以运行
kubectl
命令!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.