如何为两个不同的IAM角色分配相同的RBAC角色,以访问EKS中的群集?

时间:2020-07-23 20:06:27

标签: kubernetes yaml amazon-iam rbac amazon-eks

我想授予某个团队访问RBAC中的system:masters组的权限。我的团队(下面的示例中的AWSReservedSSO_Admin_xxxxxxxxxx)已经有了它,并且当我仅添加一个rolearn时它可以工作,但是当我将下面的configmap与其他rolearn一起应用时,{尝试访问群集时,{1}}角色仍然收到此错误:AWSReservedSSO_Dev_xxxxxxxxxx

(注意:我们使用的是AWS SSO,因此假定使用IAM角色):

error: You must be logged in to the server (Unauthorized)

2 个答案:

答案 0 :(得分:2)

我不确定您如何假设角色❓,并且您的配置看起来还不错,但是原因可能是您将同一用户映射到两个不同的角色。 AWS IAM仅允许用户一次basically, as an AWS IAM user, you can't assume multiple IAM roles at the same time仅承担一个角色。

您可以尝试其他用户,然后查看它是否适合您。

---
apiVersion: v1
kind: ConfigMap
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
      groups:
      - system:bootstrappers
      - system:nodes
      username: system:node:{{EC2PrivateDNSName}}
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_xxxxxxxxxx
      groups:
      - system:masters
      username: admin
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
      groups:
        - system:masters
      username: admin2
metadata:
  name: aws-auth
  namespace: kube-system

您可能缺少的另一个方面是您的arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx角色中的“信任关系” {,该角色允许admin担任该角色。

image1

✌️☮️

答案 1 :(得分:1)

感谢Rico。使用SSO登录时,您将扮演STS角色。您可以通过运行aws sts get-caller-identity进行验证。

您肯定用户名错误,但这并不能解决整个问题。

花了很长时间,但我的队友终于找到了解决方法in this guide

问题是IAM角色的ARN:

rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx

这部分aws-reserved/sso.amazonaws.com/需要从名称中删除。因此,最后结合了Rico建议的用户名修复:

---
apiVersion: v1
kind: ConfigMap
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
      groups:
      - system:bootstrappers
      - system:nodes
      username: system:node:{{EC2PrivateDNSName}}
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/AWSReservedSSO_Admin_xxxxxxxxxx
      groups:
      - system:masters
      username: admin
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/AWSReservedSSO_Dev_xxxxxxxxxx
      groups:
        - system:masters
      username: admin2
metadata:
  name: aws-auth
  namespace: kube-system

问题最终得到解决,承担该角色的SSO用户可以运行kubectl命令!

相关问题
最新问题