Getting error "An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied" after setting up EKS cluster


Question

I have created the EKS cluster using the AWS console. While creating the cluster I used my pre-created VPCs and subnets, and I created one role, eks-role, which has AmazonEKSClusterPolicy and AmazonEKSServicePolicy attached to it.

I have added the kubeconfig file using:

aws eks update-kubeconfig --name eks-cluster --role-arn "arn:aws:iam::############:role/eks-role"

When I use the kubectl get svc command I get the error:

An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

I don't know what might be wrong with this.

In my user, I have added a policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::############:role/eks-role"
        }
    ]
}

And in the role I have added the trust relationship:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::############:user/test"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}


My ~/.aws/credentials file looks like this:

[default]
aws_access_key_id = ##############
aws_secret_access_key = #############################
region=us-west-1

[test]
aws_access_key_id = ###########
aws_secret_access_key = #############################
region=ap-southeast-1

[eks]
role_arn = arn:aws:iam::##########:role/eks-role
source_profile = test
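The AssumeRole call that fails here is checked from two sides: the role's trust policy must name the principal that is calling, and that principal must itself be allowed sts:AssumeRole on the role. The following is an added example, not code from the question or the answer, that approximates both checks offline for the two policies posted above. The account id is replaced by the placeholder 123456789012, the second user `default-admin` is constructed to stand in for whatever identity the [default] profile holds, and Condition elements, permission boundaries and SCPs are not modelled.

```python
"""Offline approximation of the two IAM checks behind sts:AssumeRole.

Added example, not code from the question or the answer. It models the
question's setup (IAM user `test`, role `eks-role`) and shows why AssumeRole
is denied when the credentials the CLI actually uses (e.g. the [default]
profile) belong to a principal the role's trust policy does not name.
Simplifications: placeholder account id; only Effect, Action, Resource and
Principal.AWS are evaluated (no Condition, boundaries, SCPs or session
policies); trust policy and identity policy must both allow the call.
"""
import fnmatch

ACCOUNT = "123456789012"  # placeholder account id
ROLE_ARN = "arn:aws:iam::%s:role/eks-role" % ACCOUNT

# Trust relationship on eks-role, as posted in the question.
TRUST_POLICY = {"Version": "2008-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::%s:user/test" % ACCOUNT},
    "Action": "sts:AssumeRole"}]}

# Identity policy attached to user `test`, as posted in the question.
TEST_USER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

# Constructed full-admin policy: still useless if the trust policy omits you.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(actions, wanted="sts:AssumeRole"):
    """IAM Action strings allow '*' wildcards and compare case-insensitively."""
    return any(fnmatch.fnmatchcase(wanted.lower(), a.lower()) for a in actions)


def trust_policy_allows(trust_policy, caller_arn):
    """True if an Allow statement in the role's trust policy covers caller_arn.

    Principal ARNs are matched exactly (IAM does not wildcard them); the
    account root, bare account id and "*" also pass here and leave the
    decision to the caller's identity policy, as IAM does.
    """
    root = "arn:aws:iam::%s:root" % ACCOUNT
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not _action_matches(_as_list(stmt.get("Action"))):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS"))
        if any(p in ("*", root, ACCOUNT, caller_arn) for p in principals):
            return True
    return False


def identity_policy_allows(identity_policy, role_arn):
    """True if the identity policy grants sts:AssumeRole on role_arn.

    Resource ARNs may use '*' and '?' wildcards; an explicit Deny wins.
    """
    allowed = False
    for stmt in _as_list(identity_policy["Statement"]):
        if not _action_matches(_as_list(stmt.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(role_arn, r)
                   for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def assume_role_decision(caller_arn, identity_policy,
                         role_arn=ROLE_ARN, trust_policy=TRUST_POLICY):
    """Return (allowed, reason); caller_arn is what get-caller-identity shows."""
    if not trust_policy_allows(trust_policy, caller_arn):
        return False, "trust policy on %s does not list %s" % (role_arn, caller_arn)
    if not identity_policy_allows(identity_policy, role_arn):
        return False, "%s lacks sts:AssumeRole on %s" % (caller_arn, role_arn)
    return True, "allowed"


if __name__ == "__main__":
    # Constructed callers: the `test` user named in the trust policy, an
    # admin user behind [default], and a session that has already assumed
    # eks-role. Only the first one is allowed to assume the role.
    for arn, policy in [
        ("arn:aws:iam::%s:user/test" % ACCOUNT, TEST_USER_POLICY),
        ("arn:aws:iam::%s:user/default-admin" % ACCOUNT, ADMIN_POLICY),
        ("arn:aws:sts::%s:assumed-role/eks-role/test" % ACCOUNT, ADMIN_POLICY),
    ]:
        ok, why = assume_role_decision(arn, policy)
        print("%-5s %s: %s" % ("ALLOW" if ok else "DENY", arn, why))
```

The third constructed caller is the case the answer below warns about: once the CLI already holds an assumed-role session, `aws sts get-caller-identity` reports an `arn:aws:sts::...:assumed-role/...` ARN, which is not the user ARN the trust policy names, so a second AssumeRole from that session is denied.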

Answer

I am sure the issue is resolved, but I will put more information here so that if other people are still facing the issue they do not waste time like I did, and can use these steps.

When we create the EKS cluster by any method (CloudFormation/CLI/eksctl), the IAM role/user who created the cluster is automatically bound to the default Kubernetes RBAC group system:masters (https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles), and in this way the creator of the cluster gets admin access to the cluster. Although we can always give access to other IAM users/roles using the aws-auth file, for that we have to use the IAM user/role who created the cluster.

To verify the role/user for the EKS cluster we can search for the "CreateCluster" API call in CloudTrail; it will tell us the creator of the cluster in the sessionIssuer section, field arn (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).

Setting up access to the EKS cluster becomes a little tricky when the cluster was created using an IAM role compared to an IAM user.

I will put the steps we can follow for each method while setting up access to the EKS cluster.

Scenario-1: Cluster was created using an IAM user

Confirm that the IAM user credentials are set properly on the AWS CLI by running the command aws sts get-caller-identity.

$ aws sts get-caller-identity
{
"Account": "xxxxxxxxxxxx",
"UserId": "xxxxxxxxxxxxxxxxxxxxx",
"Arn": "arn:aws:iam::xxxxxxxxxxx:user/eks-user"
}

After that, update the kubeconfig file using the command below:

aws eks --region region-code update-kubeconfig --name cluster_name

This is how the config file looks once updated via the above command. Please do not edit this file directly unless necessary.

 $ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: CERT
    server: https://xxxxxxx.sk1.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
    user: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
current-context: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - eks-cluster
      command: aws

Once the above setup is done you should be able to run the kubectl command.

 $ kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   xxx.xx.x.x   <none>        443/TCP   12d

Scenario-2: Cluster was created using an IAM role (for example "eks-role")

Mainly there are four different ways to set up access via the CLI when the cluster was created via an IAM role.

1. Setting the role directly in the kubeconfig file.

In this case we do not have to make any assume-role API call via the CLI manually before running the kubectl command, because that will be done automatically by aws/aws-iam-authenticator as set in the kubeconfig file.

Let's say now we are trying to set up access for the user eks-user. First make sure that the user does have permission to assume the role eks-role.

Policy attached to eks-user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::xxxxxxxxxxx:role/eks-role"
        }
    ]
}

Edit the trust relationship on the role so that it allows eks-user to assume the role.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxx:user/eks-user"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Confirm that the IAM user credentials are set properly on the AWS CLI by running the command aws sts get-caller-identity. The important thing to remember is that it should show us the IAM user ARN, not an assumed-role ARN.

$ aws sts get-caller-identity
{
"Account": "xxxxxxxxxxxx",
"UserId": "xxxxxxxxxxxxxxxxxxxxx",
"Arn": "arn:aws:iam::xxxxxxxxxxx:user/eks-user"
}

After that, update the kubeconfig file using the command below:

aws eks --region region-code update-kubeconfig --name cluster_name --role-arn arn:aws:iam::xxxxxxxxxxx:role/eks-role

This is how the config file looks once updated via the above command. Please do not edit this file directly unless necessary.

 $ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: CERT
    server: https://xxxxxxx.sk1.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
    user: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
current-context: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - eks-cluster
      - --role
      - arn:aws:iam::xxxxxxx:role/eks-role
      command: aws

Once the above setup is done you should be able to run the kubectl command.

 $ kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   xxx.xx.x.x   <none>        443/TCP   12d

2. If you have set up an AWS profile (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) on the CLI and want to use that with the kubeconfig.

Confirm that the profile is set properly so that it uses the credentials of eks-user.

 $ cat ~/.aws/config
[default]
output = json
region = us-east-1
[profile eks]
output = json
region = us-east-1
[profile adminrole]
role_arn = arn:aws:iam::############:role/eks-role
source_profile = eks

 $ cat ~/.aws/credentials
[default]
aws_access_key_id = xxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[eks]
aws_access_key_id =  xxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Once this profile configuration is done, confirm that it is fine by running the command aws sts get-caller-identity --profile eks

$ aws sts get-caller-identity --profile eks
{
"Account": "xxxxxxxxxxxx",
"UserId": "xxxxxxxxxxxxxxxxxxxxx",
"Arn": "arn:aws:iam::xxxxxxxxxxx:user/eks-user"
}

After that, update the kubeconfig file using the command below with the profile, and make sure we are not using the role here.

aws eks update-kubeconfig --name eks-cluster --profile eks

This is how the config file looks once updated via the above command. Please do not edit this file directly unless necessary.

$ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: CERT
    server: https://xxxxx.sk1.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
    user: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
current-context: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - eks-cluster
      command: aws
      env:
      - name: AWS_PROFILE
        value: eks

Once the above setup is done you should be able to run the kubectl command.

 $ kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   xxx.xx.x.x   <none>        443/TCP   12d

3. Assuming the role in any other way, for example by attaching the IAM role directly to the instance.

If the role is directly attached to the instance profile then we can follow steps similar to those we followed while setting up access for the IAM user in Scenario-1.

Verify that we have attached the correct role to the EC2 instance. As the instance profile comes last in credential precedence, this step also verifies that there are no other credentials set up on the instance.

[ec2-user@ip-xx-xxx-xx-252 ~]$ aws sts get-caller-identity
{
    "Account": "xxxxxxxxxxxx",
    "UserId": "xxxxxxxxxxxxxxxxxxxxx:i-xxxxxxxxxxx",
    "Arn": "arn:aws:sts::xxxxxxxxxxxx:assumed-role/eks-role/i-xxxxxxxxxxx"
}

After that, update the kubeconfig file using the command below:

aws eks --region region-code update-kubeconfig --name cluster_name

This is how the config file looks once updated via the above command. Please do not edit this file directly unless necessary.

 $ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: CERT
    server: https://xxxxxxx.sk1.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
    user: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
current-context: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - eks-cluster
      command: aws

Once the above setup is done you should be able to run the kubectl command.

 $ kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   xxx.xx.x.x   <none>        443/TCP   12d

4. Manually assuming the IAM role via the aws sts assume-role command.

Assume the role eks-role manually by running the CLI command:

aws sts assume-role --role-arn arn:aws:iam::xxxxxxxxxxx:role/eks-role --role-session-name test

{
    "AssumedRoleUser": {
        "AssumedRoleId": "xxxxxxxxxxxxxxxxxxxx:test",
        "Arn": "arn:aws:sts::xxxxxxxxxxx:assumed-role/eks-role/test"
    },
    "Credentials": {
        "SecretAccessKey": "xxxxxxxxxx",
        "SessionToken": "xxxxxxxxxxx",
        "Expiration": "xxxxxxxxx",
        "AccessKeyId": "xxxxxxxxxx"
    }
}

After that, set the required environment variables using the values from the above output so that we use the credentials generated for the session.

export AWS_ACCESS_KEY_ID=xxxxxxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxx
export AWS_SESSION_TOKEN=xxxxxxxxxx

After that, verify that we assumed the IAM role by running the command aws sts get-caller-identity.

$ aws sts get-caller-identity
{
    "Account": "xxxxxxxxxx",
    "UserId": "xxxxxxxxxx:test",
    "Arn": "arn:aws:sts::xxxxxxxxxx:assumed-role/eks-role/test"
}

After that, update the kubeconfig file using the command below:

aws eks --region region-code update-kubeconfig --name cluster_name

This is how the config file looks once updated via the above command. Please do not edit this file directly unless necessary.

 $ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: CERT
    server: https://xxxxxxx.sk1.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
    user: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
current-context: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - eks-cluster
      command: aws

Once the above setup is done you should be able to run the kubectl command.

 $ kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   xxx.xx.x.x   <none>        443/TCP   12d


Note:

I have tried to cover the major use cases here, but there might be other use cases too where we need to set up access to the cluster.

Also, the above tests are mainly aimed at the first-time setup of the EKS cluster, and none of the above methods touches the aws-auth ConfigMap yet. But once you have given access to other IAM users/roles to the EKS cluster via the aws-auth (https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html) file, you can use the same set of commands for those users too.
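Both the question's `[eks]` profile (role_arn plus source_profile in the credentials file) and method 2 above rely on the AWS CLI resolving a profile chain before `aws eks get-token` ever runs, so when kubectl is denied it pays to know exactly which access key and which role that chain ends in. The following added example, not code from the answer or from AWS, resolves such a chain offline from constructed copies of ~/.aws/config and ~/.aws/credentials modelled on method 2 (placeholder key ids, nothing read from disk), and warns when a config-file section is written `[name]` instead of `[profile name]`, which the CLI does not treat as a profile.

```python
"""Resolve which AWS identity a CLI profile really ends up using.

Added example, not code from the original answer. kubectl runs
`aws eks get-token` through the exec block in kubeconfig, and that command
takes its credentials from the profile in AWS_PROFILE (method 2) or the
default chain. This walks the source_profile/role_arn chain in
~/.aws/config and ~/.aws/credentials the way the CLI does and flags the
common mistake of writing `[name]` instead of `[profile name]` in the
config file (only the credentials file uses bare `[name]`). The two file
contents are constructed samples modelled on the answer's method 2.
"""
import configparser

SAMPLE_CONFIG = """
[default]
region = us-east-1
output = json

[eks]
region = us-east-1

[profile adminrole]
role_arn = arn:aws:iam::123456789012:role/eks-role
source_profile = eks
"""

SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIADEFAULTPLACEHOLDER
aws_secret_access_key = placeholder-secret-default

[eks]
aws_access_key_id = AKIAEKSUSERPLACEHOLDER
aws_secret_access_key = placeholder-secret-eks-user
"""


def _parse(text):
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return parser


def profile_settings(profile, config_text, credentials_text):
    """Return (settings, warnings) for `profile` as the CLI would see them.

    Config-file sections are `[profile X]` (only `[default]` is bare);
    credentials-file sections are `[X]`, and their values override the
    config file for the same key.
    """
    config, creds = _parse(config_text), _parse(credentials_text)
    settings, warnings = {}, []
    section = "default" if profile == "default" else "profile " + profile
    if config.has_section(section):
        settings.update(config.items(section))
    elif profile != "default" and config.has_section(profile):
        warnings.append("config file has [%s] but the CLI expects "
                        "[profile %s]; that section is ignored" % (profile, profile))
    if creds.has_section(profile):
        settings.update(creds.items(profile))
    return settings, warnings


def resolve_identity(profile, config_text, credentials_text):
    """Follow source_profile links from `profile` until static keys are found.

    Returns the profile that supplies the access key, the role ARNs met on
    the way (the CLI assumes them innermost first) and any warnings.
    Raises on unknown profiles, dead ends and source_profile cycles.
    """
    roles, warnings, seen = [], [], set()
    current = profile
    while current not in seen:
        seen.add(current)
        settings, found = profile_settings(current, config_text, credentials_text)
        warnings.extend(found)
        if not settings:
            raise KeyError("profile %r not found in either file" % current)
        if "aws_access_key_id" in settings:
            return {"profile": profile, "credential_profile": current,
                    "access_key_id": settings["aws_access_key_id"],
                    "roles": roles, "warnings": warnings}
        if "role_arn" not in settings or "source_profile" not in settings:
            raise KeyError("profile %r has neither static keys nor "
                           "role_arn + source_profile" % current)
        roles.append(settings["role_arn"])
        current = settings["source_profile"]
    raise ValueError("source_profile cycle at profile %r" % current)


if __name__ == "__main__":
    for name in ("default", "eks", "adminrole"):
        info = resolve_identity(name, SAMPLE_CONFIG, SAMPLE_CREDENTIALS)
        print("%-10s keys from [%s], assumes %s"
              % (name, info["credential_profile"], info["roles"] or "nothing"))
        for warning in info["warnings"]:
            print("           warning: " + warning)
```

Run against the sample files, `adminrole` resolves to the keys of `[eks]` in the credentials file and one role to assume, which is what `aws sts get-caller-identity --profile adminrole` would then report as an assumed-role ARN; `eks` resolves to the same keys with no role, and carries the warning that the `[eks]` section of the config file is not a profile the CLI reads.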
