Can't use assume role to access AWS EKS which is created by assume role API

Question


I created an AWS EKS cluster using the assume role API. Role A assumes role B to perform the create EKS API. I created the EKS and specified that the EKS's cluster role is role C. As I know, role C's ARN will be stored in the EKS aws-auth ConfigMap.

When A assumes role C to access the created EKS, "Failed to get namespaces: Unauthorized" is returned.

I always use assume role to invoke APIs. Does anyone know whether aws-auth stores role C's ARN like 'arn:aws:iam::C:role/k8s-cluster-role', or whether EKS stores the role ARN in aws-auth in another way?

Answer 1

Score: 2

You have some misconception; the role that is stored in the aws-auth ConfigMap for the system:masters group in your cluster is not the cluster role, but the IAM principal that creates the cluster itself, as per the official docs.

> When you create an Amazon EKS cluster, the IAM principal that creates the cluster is automatically granted system:masters permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane.

From what you have written, if the sequence is right, and the assume-role approach you are following works properly, you should be able to query your cluster API resources with role B, not role C, since B is the one you used to create the cluster. In your current setup, you are expecting role C to be able to access cluster resources, though you created the cluster with role B.

huangapple
  • This post was published on June 1, 2023 at 19:25:37
  • Please keep this link when reposting: https://go.coder-hub.com/76381366.html
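The answer's point, that EKS looks up the caller's IAM principal rather than the cluster's service role, can be made concrete by modelling that lookup. The following is an added example written for this page; it is not code from the question, the answer or any AWS component. It reduces the ARN that `aws sts get-caller-identity` reports after an assume-role call to the path-free IAM role ARN that aws-auth mapRoles entries use (the form the EKS documentation requires), parses a constructed mapRoles document, and reports the Kubernetes username and groups the caller would receive, or None, which is the case the API server surfaces as "Unauthorized". The account id 111122223333, the role names eks-node-role, eks-admins and k8s-cluster-role, the group eks-viewers, the session names and all function names are assumptions.

```python
"""Model of how the EKS authenticator matches a caller against aws-auth.

Added example, not code from the question or the answer. It reproduces the
lookup that aws-iam-authenticator performs in the EKS control plane: the
caller's STS identity is reduced to a bare IAM role ARN and that ARN is
looked up in the mapRoles section of the aws-auth ConfigMap. The creating
principal's system:masters grant is applied by the control plane itself and
is not part of this ConfigMap path. All account ids, role names and session
names below are constructed.
"""
import re

# Constructed mapRoles content, as shown by
#   kubectl -n kube-system get configmap aws-auth -o yaml
# (the value of data.mapRoles is itself a YAML document stored as a string).
AWS_AUTH_MAPROLES = """\
- rolearn: arn:aws:iam::111122223333:role/eks-node-role
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
- rolearn: arn:aws:iam::111122223333:role/eks-admins
  username: eks-admins
  groups:
    - system:masters
"""

_STS_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")
_IAM_ROLE = re.compile(r"^arn:aws:iam::(\d{12}):role/(?:[^/]+/)*([^/]+)$")


def canonical_role_arn(caller_arn):
    """Reduce an STS or IAM role ARN to the form aws-auth entries use.

    arn:aws:sts::ACCT:assumed-role/NAME/SESSION -> arn:aws:iam::ACCT:role/NAME
    arn:aws:iam::ACCT:role/some/path/NAME       -> arn:aws:iam::ACCT:role/NAME
    Anything else (for example an IAM user ARN) yields None.
    """
    match = _STS_ASSUMED_ROLE.match(caller_arn) or _IAM_ROLE.match(caller_arn)
    if not match:
        return None
    account, name = match.groups()
    return f"arn:aws:iam::{account}:role/{name}"


def parse_map_roles(text):
    """Parse the simple list-of-mappings YAML that mapRoles uses (no PyYAML needed)."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- rolearn:"):
            current = {"rolearn": line.split(":", 1)[1].strip(), "username": "", "groups": []}
            entries.append(current)
        elif line.startswith("username:"):
            current["username"] = line.split(":", 1)[1].strip()
        elif line.startswith("- "):  # a list item under "groups:"
            current["groups"].append(line[2:].strip())
    return entries


def resolve_identity(caller_arn, map_roles_text):
    """Return (username, groups) for the caller, or None when no entry matches.

    None is the case the API server reports as "Unauthorized": the token was
    valid, but the role behind it is not mapped to any Kubernetes identity.
    """
    role_arn = canonical_role_arn(caller_arn)
    if role_arn is None:
        return None
    for entry in parse_map_roles(map_roles_text):
        if entry["rolearn"] == role_arn:
            return entry["username"], list(entry["groups"])
    return None


def grant_role(map_roles_text, role_arn, username, groups):
    """Return mapRoles text with one more entry for role_arn.

    The ARN must already be canonical (no path); an entry written with a path
    is never matched, which is a common cause of a silent Unauthorized.
    """
    if canonical_role_arn(role_arn) != role_arn:
        raise ValueError("rolearn must be arn:aws:iam::ACCOUNT:role/NAME without a path")
    block = [f"- rolearn: {role_arn}", f"  username: {username}", "  groups:"]
    block += [f"    - {group}" for group in groups]
    return map_roles_text.rstrip("\n") + "\n" + "\n".join(block) + "\n"


if __name__ == "__main__":
    # The identity `aws sts get-caller-identity` shows after assuming role C.
    caller = "arn:aws:sts::111122223333:assumed-role/k8s-cluster-role/cli-session"
    print("role C before mapping:", resolve_identity(caller, AWS_AUTH_MAPROLES))
    # Map role C to a group bound by RBAC to a scoped ClusterRole, not system:masters.
    updated = grant_role(AWS_AUTH_MAPROLES,
                         "arn:aws:iam::111122223333:role/k8s-cluster-role",
                         "k8s-cluster-role", ["eks-viewers"])
    print("role C after mapping:", resolve_identity(caller, updated))
```

Two checks reproduce what the model does against a real cluster: `aws sts get-caller-identity` shows the assumed-role ARN the authenticator will see for the credentials in use, and `kubectl -n kube-system get configmap aws-auth -o yaml` (run with the creating principal) shows the mapRoles entries it is compared against. If an extra role does need cluster access, the least-privilege form is an entry whose group is bound to a scoped ClusterRole via a ClusterRoleBinding, rather than adding the role to system:masters.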