EKS AssumeRole operation: not authorized to perform sts:AssumeRole on resource role/eksClusterRole

Time: 2020-06-07 15:44:06

Tags: amazon-web-services eks

I tried to create an EKS cluster following the AWS documentation. I created the VPC and the cluster as described in
https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html and created a user named joni with all permissions.
I created a role named eksClusterRole that contains all the policies related to this issue.
In step 2 of the "Test your configuration" section, when I run:

kubectl get svc

I get:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::444:user/joni is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::444:role/eksClusterRole

When I run the following to make sure I am using the joni user:

aws sts get-caller-identity

the result is:

{
    "UserId": "AIDA2J4I66QDJGWIZIMXC",
    "Account": "708419974150",
    "Arn": "arn:aws:iam::444:user/joni"
}

OK, I read the documentation and the links I found on Google,
https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/ and here:
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#best-practice-managed-vs-inline and I added an inline policy to the joni user (allowing all sts).

It looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "sts:*",
                "iam:ListRoles"
            ],
            "Resource": "*"
        }
    ]
}

And the .kube/config YAML file:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0txxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMdEE2amRzU1BLTStnK005NW81dm1mV0pNNkJZaStGMDhOTHBrUQp5ZHd4MVpUVE9jaDIyaGNRMytCb0Fwb2VFTlNZazRkSGtpT2dCNlg3VUEzSlJpUWFUbElBbE1aRXdwZz0KLSxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
    server: https://xxxxxx.gr7.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:xxxxxx:cluster/eks-master
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:444:cluster/eks-master
    user: arn:aws:eks:us-east-1:444:cluster/eks-master
  name: arn:aws:eks:us-east-1:444:cluster/eks-master
current-context: arn:aws:eks:us-east-1:444:cluster/eks-master
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:444:cluster/eks-master
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - eks-master
      - --role
      - arn:aws:iam::444:role/eksClusterRole
      command: aws

What am I missing?

0 Answers:

No answers
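As an added illustration (not from the post, nor AWS code), here is a small Python evaluator of the two conditions STS checks before it issues credentials for a role: the caller's identity policy must allow sts:AssumeRole on the role, and the role's trust policy must name the caller (or its account root) as a principal. The identity policy is the one from the post; the trust policies are constructed assumptions (a service-only one of the shape a cluster service role commonly has, and a hypothetical variant that also trusts the user).

```python
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]
def _matches(patterns, value):
    # IAM-style wildcard matching for Action / Resource values
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def identity_allows(identity_policy, role_arn):
    """True if some Allow statement grants sts:AssumeRole on role_arn."""
    return any(s.get("Effect") == "Allow"
               and _matches(s.get("Action", []), "sts:AssumeRole")
               and _matches(s.get("Resource", []), role_arn)
               for s in identity_policy["Statement"])

def trust_allows(trust_policy, caller_arn):
    """True if the role's trust policy names the caller, or its account root
    (which delegates the decision to the account's own IAM policies)."""
    root = f"arn:aws:iam::{caller_arn.split(':')[4]}:root"
    for s in trust_policy["Statement"]:
        if s.get("Effect") != "Allow" or not _matches(s.get("Action", []), "sts:AssumeRole"):
            continue
        principal = s.get("Principal", {})
        if principal == "*":
            return True
        if any(p in ("*", root, caller_arn) for p in _as_list(principal.get("AWS", []))):
            return True
    return False

def check_assume_role(identity_policy, trust_policy, caller_arn, role_arn):
    # Both sides must be True for STS to issue credentials (simplified model:
    # no Conditions, no explicit Deny, no SCPs or permission boundaries).
    return {"identity": identity_allows(identity_policy, role_arn),
            "trust": trust_allows(trust_policy, caller_arn)}

# Constructed inputs mirroring the post: the user's inline policy ...
CALLER = "arn:aws:iam::444:user/joni"
ROLE = "arn:aws:iam::444:role/eksClusterRole"
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["ec2:Describe*", "sts:*", "iam:ListRoles"], "Resource": "*"}]}
# ... and an assumed trust policy of the shape a cluster service role usually
# has: it trusts the EKS service only, so no IAM user can assume it.
SERVICE_ONLY_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "eks.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
# Hypothetical variant that also trusts the user, to show the trust side flipping.
USER_TRUST = {"Version": "2012-10-17", "Statement": SERVICE_ONLY_TRUST["Statement"] + [
    {"Effect": "Allow", "Principal": {"AWS": CALLER}, "Action": "sts:AssumeRole"}]}
if __name__ == "__main__":
    print(check_assume_role(IDENTITY_POLICY, SERVICE_ONLY_TRUST, CALLER, ROLE))
    print(check_assume_role(IDENTITY_POLICY, USER_TRUST, CALLER, ROLE))
```

The first call reports the identity side allowed but the trust side denied, which is the AccessDenied pattern in the post when only the user's policy has been widened; the real trust policy of the role can be inspected with `aws iam get-role --role-name eksClusterRole`.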