AWS IAM Authenticator无法获得令牌访问被拒绝

时间:2018-12-13 23:33:45

标签: amazon-web-services kubernetes amazon-iam

我正在尝试为我的k8s集群设置AWS IAM Authenticator。我有两个AWS帐户:A和B。

k8s帐户在B帐户中运行。

我已经在A帐户中创建了以下资源:

政策

Description: Grants permissions to assume the kubernetes-admin role
Policy:
  Statement:
    - Action: sts:*
      Effect: Allow
      Resource: arn:aws:iam::<AccountID-B>:role/kubernetes-admin
      Sid: KubernetesAdmin
  Version: 2012-10-17

该策略与组相关联,我将IAM用户添加到该组中。

在B帐户中,我创建了以下角色:

AssumeRolePolicyDocument:
  Statement:
    - Action: sts:AssumeRole
      Effect: Allow
      Principal:
        AWS: arn:aws:iam::<AccountID-A>:root
  Version: 2012-10-17

这是ConfigMap,用于配置aws-iam-authenticator:

apiVersion: v1
data:
  config.yaml: |
    # a unique-per-cluster identifier to prevent replay attacks
    # (good choices are a random token or a domain name that will be unique to your cluster)
    clusterID: k8s.mycluster.net
    server:
      # each mapRoles entry maps an IAM role to a username and set of groups
      # Each username and group can optionally contain template parameters:
      # "{{AccountID}}" is the 12 digit AWS ID.
      # "{{SessionName}}" is the role session name.
      mapRoles:
      - roleARN: arn:aws:iam::<AccountID-B>:role/kubernetes-admin
        username: kubernetes-admin:{{AccountID}}:{{SessionName}}
        groups:
        - system:masters
kind: ConfigMap
metadata:
  creationTimestamp: 2018-12-13T19:41:39Z
  labels:
    k8s-app: aws-iam-authenticator
  name: aws-iam-authenticator
  namespace: kube-system
  resourceVersion: "87401"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-iam-authenticator
  uid: 1bc39653-ff0f-11e8-a580-02b4590539ba

kubeconfig是:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <certificate>
    server: https://api.k8s.mycluster.net
  name: k8s.mycluster.net
contexts:
- context:
    cluster: k8s.mycluster.net
    namespace: kube-system
    user: k8s.mycluster.net
  name: k8s.mycluster.net
current-context: k8s.mycluster.net
kind: Config
preferences: {}
users:
- name: k8s.mycluster.net
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws-iam-authenticator
      env:
      - name: "AWS_PROFILE"
        value: "myaccount"
      args:
        - "token"
        - "-i"
        - "k8s.mycluster.net"
        - "-r"
        - "arn:aws:iam::<AccountID-B>:role/kubernetes-admin"

结果是:

could not get token: AccessDenied: Access denied
    status code: 403, request id: 6ceac161-ff2f-11e8-b263-2b0e32831969
Unable to connect to the server: getting token: exec: exit status 1

有什么主意吗?我不明白我所缺少的。

2 个答案:

答案 0 :(得分:2)

为此添加-我的解决方案是执行以下操作:

在〜/ .kube目录中:

aws eks update-kubeconfig --name eks-dev-cluster --role-arn=XXXXXXXXXXXX

这将创建一个文件config-my-eks-cluster

vi config-my-eks-cluster

注释上述两行:

  apiVersion: client.authentication.k8s.io/v1alpha1
  args:
  - token
  - -i
  - eks-dev-cluster
  #- -r
  #- arn:aws:iam::XXXXXXXXX:role/eks-dev-role (the role you made for eks)
  command: aws-iam-authenticator

然后确保您使用以下方式导出用户个人资料:

export AWS_PROFILE = XXXXXXXXX(您用于在控制台或cli中创建集群的用户)

运行:

kubectl get svc --v=10

这将使输出进入详细模式,并为您提供有关爬升的任何错误的详细信息。

答案 1 :(得分:1)

使其正常工作的方法是删除

- "-r"
- "arn:aws:iam::<AccountID-B>:role/kubernetes-admin" 

并将要承担的角色传递给AWS_PROFILE env var