我们运行的EKS集群是通过以编程方式构造的Cloudformation模板构建的。当前,工作程序模板接近https://github.com/awslabs/amazon-eks-ami/blob/master/amazon-eks-nodegroup.yaml,但是我们的Resources.NodeInstanceRole.ManagedPolicyArns还有一些其他用户制定的策略。
我们不想将托管策略添加到此列表中,而是要创建一个带有附加策略的IAM角色,然后让EKS工人担任此角色。问题在于,我们无法在Cloudformation模板中找到实现此目的的方法。
我认为模板的相关部分如下:
NodeInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- !Ref NodeInstanceRole
NodeInstanceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: ec2.amazonaws.com
Action: sts:AssumeRole
Path: "/"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
- arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
- arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
我想不用构造一个新的IAM :: Role(NodeInstanceRole),而是想象应该有一种方法可以在NodeInstanceProfile中引用现有角色的ARN。尝试以以下方式更改NodeInstanceProfile会导致以下错误:
NodeInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- "arn:aws:iam::xxx:role/yyy"
The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_- (Service: AmazonIdentityManagement; Status Code: 400; Error Code: ValidationError; Request ID: xxx)
答案 0 :(得分:1)
事实证明,解决方案非常简单:NodeInstanceProfile需要角色名称而不是ARN。因此,在Cloudformation模板的最终版本中,我所引用的代码块减少为:
NodeInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- yyy