[英]AWS IAM Role not being assumed - EKS
我的設置如下:
iam user --> iam user group --> assume role group policy --> eks cluster role --> eks role bindings
所以,我有一個承擔角色的政策:
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
AWS = "arn:aws:iam::xxxxxxxxxxxxx:root"
}
},
]
然后我有一個用戶組,具有以下組策略:
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"sts:AssumeRole",
]
Sid = "AllowAssumeOrganizationAccountRole"
Effect = "Allow"
Resource = "arn:aws:iam::xxxxxxxxxxxx:role/ro-k8s-role"
},
]
然后,我對 EKS 具有以下集群角色:
rule {
api_groups = ["apps", "batch", "extensions"]
resources = ["pods", "deployments", "statefulsets", "events", "services", "pods/log", "pods/portforward"]
verbs = ["get", "list", "watch", "describe"]
}
然后是一組用於命名空間列表的角色綁定:
metadata {
name = "k8s-ro-${each.value}"
namespace = each.value
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "Role"
name = "k8s-ro"
}
subject {
kind = "User"
name = "k8s-user"
api_group = "rbac.authorization.k8s.io"
}
如果我然后使用組中用戶的個人資料,並檢查呼叫者身份......
{
"UserId": "XXXXXXXXXXXXXXXXXX",
"Account": "xxxxxxxxxxxxxxx",
"Arn": "arn:aws:iam::xxxxxxxxxxxxx:user/test-user"
}
我希望在這里看到承擔角色,對嗎? 這就解釋了為什么我看不到集群上運行的任何東西。
當最初的問題得到解決時,我將關閉它。 我沒有正確配置 AWS 配置文件來自動處理代入角色。 哪個已經解決了這個問題。
~/.aws/config
[profile test]
cli_pager =
role_arn = arn:aws:iam::xxxxxxxxxxxx:role/k8s-role
source_profile = test
region = eu-west-1
~/.aws/憑證
[test]
aws_access_key_id = XXXXXXXXXXXXXXXXXX
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.