属于 IAM 组的 AWS IAM 用户不能担任 IAM 组被允许担任的 IAM 角色?
AWS IAM user that belongs to an IAM group cannot assume IAM role that the IAM group was allowed to assume?
我希望这个主题有意义。
我正在尝试在我的 EKS 集群上设置 RBAC,并使用这个出色的演练作为指南,Kubernetes Authentication。
因此我创建了一个名为 EKSClusterAdminRole 的 IAM 角色,它具有 AmazonEKSClusterPolicy 托管策略,以允许该角色管理 EKS 集群。该角色具有这种信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
然后我创建了一个 EKSAdminGroup,它有一个可以承担该角色的内联策略,就像这样
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeOrganizationAccountRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::0123456789:role/EKSClusterAdminRole"
}
]
}
并且我将我现有的 jenkins 用户添加到该组,如下所示
$ aws iam get-group --group-name EKSAdminGroup
{
"Group": {
"Path": "/",
"CreateDate": "2021-02-27T18:31:34Z",
"GroupId": "QRSTUVWXYZ",
"Arn": "arn:aws:iam::0123456789:group/EKSAdminGroup",
"GroupName": "EKSAdminGroup"
},
"Users": [
{
"UserName": "jenkins",
"Path": "/",
"CreateDate": "2014-11-04T14:03:17Z",
"UserId": "ABCEDFGHIJKLMNOP",
"Arn": "arn:aws:iam::0123456789:user/jenkins"
}
]
}
这是我的 ClusterRole 和 ClusterRoleBinding 清单
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-admin-role
rules:
- apiGroups:
- ""
- "apps"
- "batch"
- "extensions"
resources:
- "configmaps"
- "cronjobs"
- "deployments"
- "events"
- "ingresses"
- "jobs"
- "pods"
- "pods/attach"
- "pods/exec"
- "pods/log"
- "pods/portforward"
- "secrets"
- "services"
verbs:
- "create"
- "delete"
- "describe"
- "get"
- "list"
- "patch"
- "update"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-admin-rolebinding
subjects:
- kind: Group
name: cluster-admins
roleRef:
kind: ClusterRole
name: cluster-admin-role
apiGroup: rbac.authorization.k8s.io
现在我在 ~/.aws/credentials 中具有上述 jenkins 用户凭据的计算机上。我想在那里执行 kubectl 命令。所以我
$ cat ~/.aws/credentials
[default]
aws_access_key_id = ABCEDFGHIJKLMNOP
aws_secret_access_key = *****
$ aws eks update-kubeconfig --name sandbox --region us-east-1 --role-arn arn:aws:iam::0123456789:role/EKSClusterAdminRole
Updated context arn:aws:eks:us-east-1:0123456789:cluster/sandbox in /home/ubuntu/.kube/config
$ kubectl config view
apiVersion: v1
kind: Config
...
users:
- name: arn:aws:eks:us-east-1:0123456789:cluster/sandbox
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- --region
- us-east-1
- eks
- get-token
- --cluster-name
- sandbox
- --role
- arn:aws:iam::0123456789:role/EKSClusterAdminRole
command: aws
env: null
provideClusterInfo: false
这是(部分)我的 EKS 集群的 aws-auth ConfigMap
apiVersion: v1
kind: ConfigMap
data:
mapRoles: |
- rolearn: arn:aws:iam::0123456789:role/EKSClusterAdminRole
username: cluster-admins
但我明白了,例如
$ kubectl get ns
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::0123456789:user/jenkins is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::0123456789:role/EKSClusterAdminRole
Unable to connect to the server: getting credentials: exec: executable aws failed with exit code 255
有什么优惠?似乎我在 Trouubleshooting IAM roles 中做了与我的问题相关的所有事情。
为了使这项工作至少在我的用户可以担任角色的地方进行,我必须将其添加到我的 IAM EKSClusterAdminRole 的信任关系中
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com",
"AWS": "arn:aws:iam::0123456789:root" <-- add this line
},
"Action": "sts:AssumeRole"
}
]
}
我希望这个主题有意义。
我正在尝试在我的 EKS 集群上设置 RBAC,并使用这个出色的演练作为指南,Kubernetes Authentication。
因此我创建了一个名为 EKSClusterAdminRole 的 IAM 角色,它具有 AmazonEKSClusterPolicy 托管策略,以允许该角色管理 EKS 集群。该角色具有这种信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
然后我创建了一个 EKSAdminGroup,它有一个可以承担该角色的内联策略,就像这样
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeOrganizationAccountRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::0123456789:role/EKSClusterAdminRole"
}
]
}
并且我将我现有的 jenkins 用户添加到该组,如下所示
$ aws iam get-group --group-name EKSAdminGroup
{
"Group": {
"Path": "/",
"CreateDate": "2021-02-27T18:31:34Z",
"GroupId": "QRSTUVWXYZ",
"Arn": "arn:aws:iam::0123456789:group/EKSAdminGroup",
"GroupName": "EKSAdminGroup"
},
"Users": [
{
"UserName": "jenkins",
"Path": "/",
"CreateDate": "2014-11-04T14:03:17Z",
"UserId": "ABCEDFGHIJKLMNOP",
"Arn": "arn:aws:iam::0123456789:user/jenkins"
}
]
}
这是我的 ClusterRole 和 ClusterRoleBinding 清单
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-admin-role
rules:
- apiGroups:
- ""
- "apps"
- "batch"
- "extensions"
resources:
- "configmaps"
- "cronjobs"
- "deployments"
- "events"
- "ingresses"
- "jobs"
- "pods"
- "pods/attach"
- "pods/exec"
- "pods/log"
- "pods/portforward"
- "secrets"
- "services"
verbs:
- "create"
- "delete"
- "describe"
- "get"
- "list"
- "patch"
- "update"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-admin-rolebinding
subjects:
- kind: Group
name: cluster-admins
roleRef:
kind: ClusterRole
name: cluster-admin-role
apiGroup: rbac.authorization.k8s.io
现在我在 ~/.aws/credentials 中具有上述 jenkins 用户凭据的计算机上。我想在那里执行 kubectl 命令。所以我
$ cat ~/.aws/credentials
[default]
aws_access_key_id = ABCEDFGHIJKLMNOP
aws_secret_access_key = *****
$ aws eks update-kubeconfig --name sandbox --region us-east-1 --role-arn arn:aws:iam::0123456789:role/EKSClusterAdminRole
Updated context arn:aws:eks:us-east-1:0123456789:cluster/sandbox in /home/ubuntu/.kube/config
$ kubectl config view
apiVersion: v1
kind: Config
...
users:
- name: arn:aws:eks:us-east-1:0123456789:cluster/sandbox
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- --region
- us-east-1
- eks
- get-token
- --cluster-name
- sandbox
- --role
- arn:aws:iam::0123456789:role/EKSClusterAdminRole
command: aws
env: null
provideClusterInfo: false
这是(部分)我的 EKS 集群的 aws-auth ConfigMap
apiVersion: v1
kind: ConfigMap
data:
mapRoles: |
- rolearn: arn:aws:iam::0123456789:role/EKSClusterAdminRole
username: cluster-admins
但我明白了,例如
$ kubectl get ns
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::0123456789:user/jenkins is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::0123456789:role/EKSClusterAdminRole
Unable to connect to the server: getting credentials: exec: executable aws failed with exit code 255
有什么优惠?似乎我在 Trouubleshooting IAM roles 中做了与我的问题相关的所有事情。
为了使这项工作至少在我的用户可以担任角色的地方进行,我必须将其添加到我的 IAM EKSClusterAdminRole 的信任关系中
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com",
"AWS": "arn:aws:iam::0123456789:root" <-- add this line
},
"Action": "sts:AssumeRole"
}
]
}