未担任 AWS IAM 角色 - EKS

Question

我的设置如下：

iam user --> iam user group --> assume role group policy --> eks cluster role --> eks role bindings

所以，我有一个承担角色的政策：

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          AWS = "arn:aws:iam::xxxxxxxxxxxxx:root"
        }
      },
    ]

然后我有一个用户组，具有以下组策略：

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "sts:AssumeRole",
        ]
        Sid = "AllowAssumeOrganizationAccountRole"
        Effect   = "Allow"
        Resource = "arn:aws:iam::xxxxxxxxxxxx:role/ro-k8s-role"
      },
    ]

然后，我对 EKS 具有以下集群角色：

  rule {
    api_groups     = ["apps", "batch", "extensions"]
    resources      = ["pods", "deployments", "statefulsets", "events", "services", "pods/log", "pods/portforward"]
    verbs          = ["get", "list", "watch", "describe"]
  }

然后是一组用于命名空间列表的角色绑定：

  metadata {
    name      = "k8s-ro-${each.value}"
    namespace = each.value
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = "k8s-ro"
  }
  subject {
    kind      = "User"
    name      = "k8s-user"
    api_group = "rbac.authorization.k8s.io"
  }

如果我然后使用组中用户的个人资料，并检查呼叫者身份......

{
    "UserId": "XXXXXXXXXXXXXXXXXX",
    "Account": "xxxxxxxxxxxxxxx",
    "Arn": "arn:aws:iam::xxxxxxxxxxxxx:user/test-user"
}

我希望在这里看到承担角色，对吗？ 这就解释了为什么我看不到集群上运行的任何东西。

Answer 1

当最初的问题得到解决时，我将关闭它。 我没有正确配置 AWS 配置文件来自动处理代入角色。 哪个已经解决了这个问题。

~/.aws/config

[profile test]
cli_pager =
role_arn = arn:aws:iam::xxxxxxxxxxxx:role/k8s-role
source_profile = test
region = eu-west-1

~/.aws/凭证

[test]
aws_access_key_id = XXXXXXXXXXXXXXXXXX
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx