I am trying to do:
[ec2-user@xxxxxxxxx x]$ aws eks update-kubeconfig --name prod-eks-v2 --role-arn arn:aws:iam::9xxxxxxxxxxeks-v2-cluster-ServiceRole-xxxxxxxxxx
An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::xxxxxxxxxxx:user/ecr is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:eu-west-1:xxxxxxxxxxxxxxx:cluster/prod-eks-v2
This is for an additional user I have added. I have added them to the aws-auth configmap by adding the following:
mapUsers: |
  - userarn: arn:aws:iam::xxxxxxxxxxxx:user/xxxxxxxxx
    username: admin
    groups:
      - system:masters
Trying to assume the role manually:
aws sts assume-role --role-arn arn:aws:iam::xxxxxxxx:role/eksctl-prod-eks-v2-cluster-ServiceRole-xxxx --role-session-name test-eks-role
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::xxxxxxxxxx:user/ecr is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxx:role/eksctl-prod-eks-v2-cluster-ServiceRole-xxxxxxxxxxxxxx
This is the trust relationship JSON of the cluster-ServiceRole:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
How can I fix this? I followed this document: https://aws.amazon.com/premiumsupport/knowledge-center/amazon-eks-cluster-access/
UPDATE:
I modified the trust relationship, which now looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com",
        "AWS": "arn:aws:iam::xxxxxxx:user/xxxxxx"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
and I can now successfully do:
aws sts assume-role --role-arn arn:aws:iam::xxxxxxxxxx:role/eksctl-prod-eks-v2-cluster-ServiceRole-OCH0HY9R9WGS --role-session-name test-eks-role
But when doing aws eks update-kubeconfig --name prod-eks-v2 I still get "...is not authorized to perform: eks:DescribeCluster on resourc...".
UPDATE 2:
I added the user to the AmazonEKSWorkerNodePolicy role, and now I can successfully generate the config with aws eks update-kubeconfig, but when I try anything through kubectl I get the error "error: You must be logged in to the server (Unauthorized)".
The bottom of the kubeconfig file looks like this:
users:
- name: arn:aws:eks:eu-west-1:xxxxxxxxxxxx:cluster/prod-eks-v2
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - token
      - -i
      - prod-eks-v2
      - -r
      - arn:aws:iam::xxxxxx:role/eksctl-prod-eks-v2-cluster-ServiceRole-xxxxxxxxxx
      command: aws-iam-authenticator
UPDATE 3:
Very confused... I can manually generate a token and verify it with:
aws-iam-authenticator token -i prod-eks-v2 -r...
aws-iam-authenticator verify -t ...
But as mentioned, doing anything with kubectl gives "error: You must be logged in to the server (Unauthorized)"...
Running kubectl get pods -v=10 shows:
...
I1115 12:36:42.163298 10509 request.go:942] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
...
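The following is an added example, not code from the question or from AWS. It models the check that decides whether a kubeconfig identity gets past the EKS API server's 401: aws-iam-authenticator presents the role named by the exec block's -r argument (after assuming it), or the caller's own IAM user when -r is absent, and that presented principal must appear in the aws-auth ConfigMap's mapRoles or mapUsers. Adding the user to mapUsers does not help while the kubeconfig still carries -r with a role that is not in mapRoles, which is the shape of Update 2 and 3 above. The ConfigMap contents, ARNs and exec arguments are constructed sample values; the YAML parser only handles the flat list shape aws-auth uses (a real tool would use PyYAML), and the role-path stripping reflects the documented EKS behaviour that mapRoles entries must not carry an IAM path.

```python
"""Diagnose why an EKS kubeconfig identity is rejected by aws-auth (added example)."""
import re
from typing import Dict, List, Optional

# --- constructed sample data (not from the question) ------------------------
AWS_AUTH_MAP_USERS = """\
- userarn: arn:aws:iam::111122223333:user/ecr
  username: admin
  groups:
    - system:masters
"""
AWS_AUTH_MAP_ROLES = """\
- rolearn: arn:aws:iam::111122223333:role/eks-node-instance-role
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
"""
# exec args in the shape of the question's kubeconfig, with constructed ARNs
KUBECONFIG_EXEC_ARGS_WITH_ROLE = [
    "token", "-i", "prod-eks-v2",
    "-r", "arn:aws:iam::111122223333:role/eksctl-prod-eks-v2-cluster-ServiceRole-ABCDEF",
]
KUBECONFIG_EXEC_ARGS_NO_ROLE = ["token", "-i", "prod-eks-v2"]
CALLER_USER_ARN = "arn:aws:iam::111122223333:user/ecr"  # hypothetical caller


def parse_aws_auth_entries(block: str, arn_key: str) -> List[Dict]:
    """Minimal parser for the flat list-of-mappings YAML that aws-auth uses."""
    entries: List[Dict] = []
    for raw in block.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if indent == 0 and line.startswith("- "):      # new mapping entry
            key, _, value = line[2:].partition(":")
            entries.append({key.strip(): value.strip(), "groups": []})
        elif line.startswith("- "):                     # item under groups:
            entries[-1]["groups"].append(line[2:].strip())
        elif line.endswith(":"):                        # the "groups:" header
            continue
        else:                                           # username: ...
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return [e for e in entries if arn_key in e]


def presented_identity(exec_args: List[str], caller_arn: str) -> str:
    """IAM principal the token carries: the -r role if given, else the caller."""
    if "-r" in exec_args:
        return exec_args[exec_args.index("-r") + 1]
    return caller_arn


def canonical_role_arn(arn: str) -> str:
    """Normalise role ARNs to the form aws-auth mapRoles matches against:
    an STS assumed-role ARN becomes the IAM role ARN, and any path is dropped."""
    m = re.match(r"arn:aws:sts::(\d+):assumed-role/([^/]+)/.*", arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    m = re.match(r"arn:aws:iam::(\d+):role/(?:.*/)?([^/]+)$", arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return arn


def lookup_mapping(identity: str, map_users: str, map_roles: str) -> Optional[Dict]:
    """Return the aws-auth entry that would match the presented identity, if any."""
    ident = canonical_role_arn(identity)
    if ":role/" in ident:
        for e in parse_aws_auth_entries(map_roles, "rolearn"):
            if canonical_role_arn(e["rolearn"]) == ident:
                return e
    elif ":user/" in ident:
        for e in parse_aws_auth_entries(map_users, "userarn"):
            if e["userarn"] == ident:
                return e
    return None


def diagnose(exec_args: List[str], caller_arn: str,
             map_users: str = AWS_AUTH_MAP_USERS,
             map_roles: str = AWS_AUTH_MAP_ROLES) -> str:
    """Explain whether the API server will accept the token this kubeconfig produces."""
    identity = presented_identity(exec_args, caller_arn)
    entry = lookup_mapping(identity, map_users, map_roles)
    if entry is None:
        return f"UNAUTHORIZED: {identity} is not in aws-auth (expect a 401 from the API server)"
    return f"OK: {identity} -> username={entry['username']} groups={entry['groups']}"


if __name__ == "__main__":
    print(diagnose(KUBECONFIG_EXEC_ARGS_WITH_ROLE, CALLER_USER_ARN))
    print(diagnose(KUBECONFIG_EXEC_ARGS_NO_ROLE, CALLER_USER_ARN))
```

With the -r role present the script reports UNAUTHORIZED because that role is in neither map; with -r removed the caller's user matches the mapUsers entry and lands in system:masters. The same logic is what you would check first when kubectl returns a bare 401 after update-kubeconfig succeeded: compare the principal the exec block actually produces against the ConfigMap, rather than the IAM permissions of the user running the CLI.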