属于IAM组的AWS IAM用户不能承担允许IAM组承担的IAM角色? [英] AWS IAM user that belongs to an IAM group cannot assume IAM role that the IAM group was allowed to assume?

问题描述

我希望这个主题有意义.

I hope that subject makes sense.

我正在尝试在我的EKS集群上设置RBAC，并使用此出色的演练作为指南， Kubernetes身份验证.

I'm trying to setup RBAC on my EKS cluster, and am using this excellent walkthrough as a guide, Kubernetes Authentication.

因此，我创建了一个名为 EKSClusterAdminRole 的IAM角色，该角色具有 AmazonEKSClusterPolicy 托管策略，以允许该角色管理EKS集群.该角色具有这种信任关系

So I created an IAM role, called EKSClusterAdminRole that has the AmazonEKSClusterPolicy managed policy, to allow the role to manage an EKS cluster. The role has this trust relationship

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

然后，我创建了一个 EKSAdminGroup ，它具有一个可以担当该角色的内联策略，就像这样

Then I created an EKSAdminGroup that has an inline policy that can assume that role, like this

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeOrganizationAccountRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::0123456789:role/EKSClusterAdminRole"
    }
  ]
}

，然后将现有的 jenkins 用户添加到该组中，如下所示

and I added my existing jenkins user to that group, as shown here

$ aws iam get-group --group-name EKSAdminGroup
{
    "Group": {
        "Path": "/", 
        "CreateDate": "2021-02-27T18:31:34Z", 
        "GroupId": "QRSTUVWXYZ", 
        "Arn": "arn:aws:iam::0123456789:group/EKSAdminGroup", 
        "GroupName": "EKSAdminGroup"
    }, 
    "Users": [
        {
            "UserName": "jenkins", 
            "Path": "/", 
            "CreateDate": "2014-11-04T14:03:17Z", 
            "UserId": "ABCEDFGHIJKLMNOP", 
            "Arn": "arn:aws:iam::0123456789:user/jenkins"
        }
    ]
}

这是我的ClusterRole和ClusterRoleBinding清单

Here's my ClusterRole and ClusterRoleBinding manifest

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin-role
rules:
  - apiGroups:
      - ""
      - "apps"
      - "batch"
      - "extensions"
    resources:
      - "configmaps"
      - "cronjobs"
      - "deployments"
      - "events"
      - "ingresses"
      - "jobs"
      - "pods"
      - "pods/attach"
      - "pods/exec"
      - "pods/log"
      - "pods/portforward"
      - "secrets"
      - "services"
    verbs:
      - "create"
      - "delete"
      - "describe"
      - "get"
      - "list"
      - "patch"
      - "update"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-rolebinding
subjects:
- kind: Group
  name: cluster-admins
roleRef:
  kind: ClusterRole
  name: cluster-admin-role
  apiGroup: rbac.authorization.k8s.io

现在，我正在使用在〜/.aws/credentials 中具有上述 jenkins 用户凭据的计算机上.我想在那里执行 kubectl 命令.所以我

Now I'm on a machine that has the above jenkins user credentials in ~/.aws/credentials. I want to execute kubectl commands there. So I do

$ cat ~/.aws/credentials 
[default]
aws_access_key_id = ABCEDFGHIJKLMNOP
aws_secret_access_key = *****

$ aws eks update-kubeconfig --name sandbox --region us-east-1 --role-arn arn:aws:iam::0123456789:role/EKSClusterAdminRole
Updated context arn:aws:eks:us-east-1:0123456789:cluster/sandbox in /home/ubuntu/.kube/config

$ kubectl config view
apiVersion: v1
kind: Config
...
users:
- name: arn:aws:eks:us-east-1:0123456789:cluster/sandbox
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - sandbox
      - --role
      - arn:aws:iam::0123456789:role/EKSClusterAdminRole
      command: aws
      env: null
      provideClusterInfo: false

这是我的EKS群集的aws-auth ConfigMap(的一部分)

Here's (part of) my EKS cluster's aws-auth ConfigMap

apiVersion: v1
kind: ConfigMap
data:
  mapRoles: |
  - rolearn: arn:aws:iam::0123456789:role/EKSClusterAdminRole
    username: cluster-admins

例如，我明白了

$ kubectl get ns
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::0123456789:user/jenkins is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::0123456789:role/EKSClusterAdminRole
Unable to connect to the server: getting credentials: exec: executable aws failed with exit code 255

什么是腌菜?好像我在对IAM角色进行故障排除一样与我的问题有关.

What's the deal pickle? It seems like I did everything in Trouubleshooting IAM roles that's pertinent to my issue.

推荐答案

要使其正常工作，至少在我的用户可以担任该角色的位置，我必须将其添加到IAM EKSClusterAdminRole的信任关系中

To make this work, at least where my user can assume the role, I had to add this to my IAM EKSClusterAdminRole's trust relationship

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com",
        "AWS": "arn:aws:iam::0123456789:root"   <-- add this line
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

这篇关于属于IAM组的AWS IAM用户不能承担允许IAM组承担的IAM角色?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！