[英]Accessing EKS using kubectl from an EC2 instance using a IAM role
我正在尝试在附加了 IAM 角色但没有凭证附加到 AWS cli 的 EC2 实例中配置 kubectl。 我已经编辑了 kubectl 的配置映射并添加了以下规则以包含假定的角色。
- rolearn: arn:aws:sts::<account-id>:assumed-role/EC2WorkstationRole/<ec2-instanceid>
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:masters
I get the below error on running kubectl get pods:
An error occurred (AccessDenied) when calling the AssumeRole operation: User:
arn:aws:sts::<account-id>:assumed-role/EC2WorkstationRole/<ec2-instanceid> is not
authorized to perform: sts:AssumeRole on resource:
arn:aws:sts::<account-id>:assumed-role/EC2WorkstationRole/<ec2-instanceid>
我相信您只需要修复 aws-auth configmap,以便它允许 IAM 角色本质上是管理员,它应该如下所示:
- rolearn: arn:aws:iam::${accountid}:role/EC2WorkstationRole
username: EC2WorkstationRole
groups:
- system:masters
此外,请确保附加到您的 IAM 角色的信任策略具有 sts:AssumeRole 权限。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "ec2.amazonaws.com"},
"Action": "sts:AssumeRole"
}
]
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.