我正在尝试使用以下命令通过 aws cli 创建 eks 集群:
aws eks create-cluster --name ekCsluster --role-arn arn:aws:iam::111111111111:role/eksServiceRole --resources-vpc-config subnetIds=subnet-1,subnet-2,subnet-3,subnet-4,subnet-5,subnet-6,securityGroupIds=sg-1
并出现以下错误:
An error occurred (AccessDeniedException) when calling the CreateCluster operation: User: arn:aws:iam::111111111111:user/userName is not authorized to perform: iam:PassRole on resource: arn:aws:iam::111111111111:role/eksServiceRole
但是,我已经创建了一个权限策略,AssumeEksServiceRole并将其直接附加到用户arn:aws:iam::111111111111:user/userName:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole"
],
"Resource": "arn:aws:iam::111111111111:role/eksServiceRole"
}
]
}
在eksServiceRole角色中,我定义了信任关系如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:user/userName"
},
"Action": "sts:AssumeRole"
}
]
}
我遗漏了什么?我该如何调试此错误消息?感谢您提供的所有帮助。
答案1
我会尝试将用户从信任关系中删除(反正这也没必要)。当信任关系中混合使用账户和服务作为主体时,AWS 服务无法很好地发挥作用,例如,如果您尝试使用 CodeBuild 执行此操作,它会抱怨说它不拥有主体。
答案2
对于您来说,您只需使用:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole"
],
"Resource": "arn:aws:iam::111111111111:role/eksServiceRole"
}
]
}
我用的是这个:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CustomEditor",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole"
],
"Resource": "*"
}
]
}
eksServiceRole您无需输入该角色。