stackoom
  简体   繁体   中英

AWS Boto3 No Credential Error IAM role K8S

 原文  2020-12-21 14:07:39       python/ amazon-web-services/ kubernetes/ boto3/ amazon-iam

Question

I have a python script in our K8s cluster that is run as a k8s Cronjob every few minutes. The script checks the nodes in the cluster and if a node is unhealthy for more than 5 minutes, it terminates the node. To connect to AWS I use Boto3. requirement.txt

boto3==1.16.11
botocore==1.19.11

and the permissions are passed as pod annotations.

Annotations:  iam.amazonaws.com/role: arn:aws:iam::123456789:role/k8s-nodes-monitoring-role

The IAM role has arn:aws:iam::aws:policy/AmazonEC2FullAccess policy and a valid trust policy. 

{
   "Version": "2012-10-17",
   "Statement": [
{
  "Effect": "Allow",
  "Principal": {
    "Service": "ec2.amazonaws.com"
  },
  "Action": "sts:AssumeRole"
},
{
  "Sid": "",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::123456789:role/nodes.my-domain.com"
  },
  "Action": "sts:AssumeRole"
}
]
}

The problem that I facing is that on some occasions the script throws NoCredentialsError('Unable to locate credentials') error. This behaviour is not consistent as on most occasions the script has successfully terminates the unhealthy node and I can cross-check it against AWS CloudTrail events. I can see in kub2iam logs that the Get request receives 200 but the Put request receives 403.

ime="2020-12-21T12:50:16Z" level=info msg="GET /latest/meta-data/iam/security- 
credentials/k8s-nodes-monitoring-role (200) took 47918.000000 ns" req.method=GET 
req.path=/latest/meta-data/iam/security-credentials/k8s-nodes-monitoring-role 
req.remote=100.116.203.13 res.duration=47918 res.status=200
time="2020-12-21T12:52:16Z" level=info msg="PUT /latest/api/token (403) took 19352999.000000 
ns" req.method=PUT req.path=/latest/api/token req.remote=100.116.203.14 
res.duration=1.9352999e+07 res.status=40

Any help or idea about how to debug this will be highly appreciated.

1 answers

solution1
 1  2021-01-24 18:16:29

I dont know kube2iam in detail, but maybe you should switch to a AWS native way called IRSA (IAM Roles for Service Accounts). You can find all necessary information in this blog post: https://aws.amazon.com/de/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question boto3 s3 file upload using IAM role for authentication How to attach new role permissions to iam_role in aws using python boto3? AWS ECS - How to pass task's execution role to Boto3? Unauthorized operation error occurs when using Boto3 to launch an EC2 instance with an IAM role AWS assume role not working as expected with boto3 Access denied when assuming role as IAM user via boto3 Using boto3 to query AWS CloudTrail to determine which IAM user uploaded a file to S3? python boto3 attach/replace IAM role to ec2 RDS connectivity in Python using Boto3 and IAM Role Boto3 S3 list object throwing error in AWS lambda
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM