Getting error "An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied" after setting up EKS cluster


Question

I have created the EKS cluster using the AWS console. While creating the cluster I used my pre-created VPCs and subnets, and I created one role, eks-role, which has AmazonEKSClusterPolicy and AmazonEKSServicePolicy attached to it.

I have added the kubeconfig file using:

aws eks update-kubeconfig --name eks-cluster --role-arn "arn:aws:iam::############:role/eks-role"

When I use the kubectl get svc command I get the error:

An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

I don't know what might be wrong with this.

On my user, I have added a policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::############:role/eks-role"
        }
    ]
}

And in the role I have added the trust relationship:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::############:user/test"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}


My ~/.aws/credentials file looks like this:

[default]
aws_access_key_id = ##############
aws_secret_access_key = #############################
region=us-west-1

[test]
aws_access_key_id = ###########
aws_secret_access_key = #############################
region=ap-southeast-1

[eks]
role_arn = arn:aws:iam::##########:role/eks-role
source_profile = test
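An AssumeRole call is authorised by two documents at once: the caller's identity policy must allow sts:AssumeRole on the role, and the role's trust policy must list the caller as a principal. The script below, an added example and not code from the question, evaluates both documents offline for a given caller ARN, which is what aws sts get-caller-identity prints for the profile the update-kubeconfig command runs under. The account id 111122223333 and the second caller user/default-user are constructed; the trust policy above names only user/test, so any other identity fails on the trust side and STS reports that as AccessDenied on AssumeRole. The evaluator models Allow/Deny, wildcards, account-root principals and assumed-role session ARNs only; Condition blocks, NotAction/NotPrincipal, permission boundaries, SCPs, session policies and the same-account trust-policy shortcut are not modelled, so an "allowed" verdict is a necessary check, not a guarantee.

```python
"""Offline pre-flight check for one sts:AssumeRole hop (added example).

Requires an Allow from both the caller's identity policy and the role's
trust policy. Account id 111122223333 and user default-user are constructed.
"""
import fnmatch
import json
import re

ROLE_ARN = "arn:aws:iam::111122223333:role/eks-role"

# Identity policy attached to the IAM user, as in the question.
USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Resource": "arn:aws:iam::111122223333:role/eks-role"}]
}""")

# Trust policy on eks-role, as in the question: only user/test is trusted.
TRUST_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [{"Sid": "", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::111122223333:user/test"},
                 "Action": "sts:AssumeRole"}]
}""")

_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/")


def _as_list(value):
    """IAM accepts a bare string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(patterns, value):
    """IAM-style wildcard match: only '*' and '?', case-sensitive."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def principal_forms(caller_arn):
    """Every ARN a trust policy may list to mean this caller.

    An STS session arn:aws:sts::ACCT:assumed-role/NAME/SESSION is matched by
    the role ARN arn:aws:iam::ACCT:role/NAME; any principal in an account is
    matched by that account's root ARN (the identity policy then decides).
    """
    forms = {caller_arn}
    m = _ASSUMED_ROLE.match(caller_arn)
    if m:
        forms.add(f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}")
    forms.add(f"arn:aws:iam::{caller_arn.split(':')[4]}:root")
    return forms


def _principal_listed(statement, caller_arn):
    principal = statement.get("Principal")
    if principal == "*":
        return True
    listed = set(_as_list((principal or {}).get("AWS")))
    return "*" in listed or bool(principal_forms(caller_arn) & listed)


def decide(policy, action, resource, caller_arn=None):
    """Explicit Deny beats Allow; no matching statement is an implicit deny.

    caller_arn is passed only for trust (resource-based) policies, whose
    statements carry a Principal instead of a Resource.
    """
    verdict = "implicit-deny"
    for st in policy.get("Statement", []):
        if not _glob(st.get("Action"), action):
            continue
        if "Resource" in st and not _glob(st["Resource"], resource):
            continue
        if caller_arn is not None and not _principal_listed(st, caller_arn):
            continue
        if st.get("Effect") == "Deny":
            return "deny"
        verdict = "allow"
    return verdict


def check_assume_role(caller_arn, identity_policy, trust_policy, role_arn):
    """Return (ok, reason): the hop needs an Allow from both documents."""
    identity = decide(identity_policy, "sts:AssumeRole", role_arn)
    if identity != "allow":
        return False, f"identity policy: {identity} for sts:AssumeRole on {role_arn}"
    trust = decide(trust_policy, "sts:AssumeRole", role_arn, caller_arn)
    if trust != "allow":
        return False, f"trust policy on {role_arn}: {trust} for principal {caller_arn}"
    return True, "identity policy and trust policy both allow the hop"


if __name__ == "__main__":
    # Feed in the Arn that `aws sts get-caller-identity` printed for the
    # profile you run `aws eks update-kubeconfig --role-arn ...` under.
    for caller in ("arn:aws:iam::111122223333:user/test",
                   "arn:aws:iam::111122223333:user/default-user"):
        print(caller, "->", check_assume_role(caller, USER_POLICY, TRUST_POLICY, ROLE_ARN))
```

The two callers in the main block stand for the [test] profile and for whatever identity the [default] profile resolves to, which the question does not show; only the first passes the trust policy above. Paste your own get-caller-identity output into the caller ARN and your own policy JSON into the two constants to reproduce a real pair.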

Answer

I am sure the issue is resolved, but I will put more information here so that other people who are still facing the issue do not waste time like I did and can use these steps.

When we create the EKS cluster by any method (CloudFormation/CLI/eksctl), the IAM role/user who created the cluster is automatically bound to the default Kubernetes RBAC group system:masters (https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles), and in this way the creator of the cluster gets admin access to the cluster. Although we can always give access to other IAM users/roles using the aws-auth file, for that we must use the IAM user/role that created the cluster.

To verify the role/user that created the EKS cluster we can search for the "CreateCluster" API call in CloudTrail; it tells us the creator of the cluster in the sessionIssuer section, field arn (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).

Setting up access to the EKS cluster is a little trickier when the cluster was created using an IAM role compared to an IAM user.

I will put the steps we can follow for each method while setting up access to the EKS cluster.

Scenario-1: Cluster was created using the IAM user (for example "eks-user")

Confirm that the IAM user credentials of the user who created the cluster are set properly on the AWS CLI by running the command aws sts get-caller-identity:

$ aws sts get-caller-identity
{
"Account": "xxxxxxxxxxxx",
"UserId": "xxxxxxxxxxxxxxxxxxxxx",
"Arn": "arn:aws:iam::xxxxxxxxxxx:user/eks-user"
}

After that, update the kubeconfig file using the command below:

aws eks --region region-code update-kubeconfig --name cluster_name

Attaching the config file as it looks once updated via the above command. Please do not edit this file directly unless necessary.

 $ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: CERT
    server: https://xxxxxxx.sk1.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
    user: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
current-context: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - eks-cluster
      command: aws

Once the above setup is done you should be able to run kubectl commands.

 $ kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   xxx.xx.x.x   <none>        443/TCP   12d

Scenario-2: Cluster was created using the IAM role (for example "eks-role")

Mainly there are four different ways to set up access via the CLI when the cluster was created via an IAM role.

1. Setting the role directly in the kubeconfig file.

In this case we do not have to make any assume-role API call via the CLI manually before running kubectl, because that is done automatically by aws/aws-iam-authenticator as set in the kubeconfig file.

Let's say we are now trying to set up access for the user eks-user. First make sure that the user does have permission to assume the role eks-role.

Policy attached to eks-user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::xxxxxxxxxxx:role/eks-role"
        }
    ]
}

Edit the trust relationship on the role so that it allows eks-user to assume the role.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxx:user/eks-user"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Confirm that the IAM user credentials are set properly on the AWS CLI by running the command aws sts get-caller-identity. The important thing to remember is that it should show us the IAM user ARN, not an assumed-role ARN.

$ aws sts get-caller-identity
{
"Account": "xxxxxxxxxxxx",
"UserId": "xxxxxxxxxxxxxxxxxxxxx",
"Arn": "arn:aws:iam::xxxxxxxxxxx:user/eks-user"
}

After that, update the kubeconfig file using the command below:

aws eks --region region-code update-kubeconfig --name cluster_name --role-arn arn:aws:iam::xxxxxxxxxxx:role/eks-role

Attaching the config file as it looks once updated via the above command. Please do not edit this file directly unless necessary.

 $ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: CERT
    server: https://xxxxxxx.sk1.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
    user: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
current-context: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - eks-cluster
      - --role
      - arn:aws:iam::xxxxxxx:role/eks-role
      command: aws

Once the above setup is done you should be able to run kubectl commands.

 $ kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   xxx.xx.x.x   <none>        443/TCP   12d

2. If you have set up an AWS profile (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) on the CLI and want to use that with the kubeconfig.

Confirm that the profile is set properly so that it uses the credentials for eks-user:

 $ cat ~/.aws/config
[default]
output = json
region = us-east-1
[profile eks]
output = json
region = us-east-1
[profile adminrole]
role_arn = arn:aws:iam::############:role/eks-role
source_profile = eks

 $ cat ~/.aws/credentials
[default]
aws_access_key_id = xxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[eks]
aws_access_key_id = xxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Once this profile configuration is done, confirm that the profile configuration is fine by running the command aws sts get-caller-identity --profile eks:

$ aws sts get-caller-identity --profile eks
{
"Account": "xxxxxxxxxxxx",
"UserId": "xxxxxxxxxxxxxxxxxxxxx",
"Arn": "arn:aws:iam::xxxxxxxxxxx:user/eks-user"
}

After that, update the kubeconfig file using the command below with the profile, and make sure we are not using the role here.

aws eks update-kubeconfig --name eks-cluster --profile eks

Attaching the config file as it looks once updated via the above command. Please do not edit this file directly unless necessary.

$ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: CERT
    server: https://xxxxx.sk1.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
    user: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
current-context: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - eks-cluster
      command: aws
      env:
      - name: AWS_PROFILE
        value: eks

Once the above setup is done you should be able to run kubectl commands.

 $ kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   xxx.xx.x.x   <none>        443/TCP   12d

3. Assuming the role in any other way, for example attaching the IAM role directly to the instance.

If the role is directly attached to the instance profile then we can follow steps similar to those we followed while setting up access for the IAM user in Scenario-1.

Verify that we have attached the correct role to the EC2 instance. As the instance profile has the lowest precedence in the credential chain, this step also verifies that there are no other credentials set up on the instance.

[ec2-user@ip-xx-xxx-xx-252 ~]$ aws sts get-caller-identity
{
    "Account": "xxxxxxxxxxxx",
    "UserId": "xxxxxxxxxxxxxxxxxxxxx:i-xxxxxxxxxxx",
    "Arn": "arn:aws:sts::xxxxxxxxxxxx:assumed-role/eks-role/i-xxxxxxxxxxx"
}

After that, update the kubeconfig file using the command below:

aws eks --region region-code update-kubeconfig --name cluster_name

Attaching the config file as it looks once updated via the above command. Please do not edit this file directly unless necessary.

 $ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: CERT
    server: https://xxxxxxx.sk1.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
    user: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
current-context: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - eks-cluster
      command: aws

Once the above setup is done you should be able to run kubectl commands.

 $ kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   xxx.xx.x.x   <none>        443/TCP   12d

4. Manually assuming the IAM role via the aws sts assume-role command.

Assume the role eks-role manually by running the CLI command:

aws sts assume-role --role-arn arn:aws:iam::xxxxxxxxxxx:role/eks-role --role-session-name test

{
    "AssumedRoleUser": {
        "AssumedRoleId": "xxxxxxxxxxxxxxxxxxxx:test",
        "Arn": "arn:aws:sts::xxxxxxxxxxx:assumed-role/eks-role/test"
    },
    "Credentials": {
        "SecretAccessKey": "xxxxxxxxxx",
        "SessionToken": "xxxxxxxxxxx",
        "Expiration": "xxxxxxxxx",
        "AccessKeyId": "xxxxxxxxxx"
    }
}

After that, set the required environment variables using the values from the above output so that we use the credentials generated for the session.

export AWS_ACCESS_KEY_ID=xxxxxxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxx
export AWS_SESSION_TOKEN=xxxxxxxxxx

After that, verify that we have assumed the IAM role by running the command aws sts get-caller-identity.

$ aws sts get-caller-identity
{
    "Account": "xxxxxxxxxx",
    "UserId": "xxxxxxxxxx:test",
    "Arn": "arn:aws:sts::xxxxxxxxxx:assumed-role/eks-role/test"
}

After that, update the kubeconfig file using the command below:

aws eks --region region-code update-kubeconfig --name cluster_name

Attaching the config file as it looks once updated via the above command. Please do not edit this file directly unless necessary.

 $ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: CERT
    server: https://xxxxxxx.sk1.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
    user: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
current-context: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:xxxxxxx:cluster/eks-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - eks-cluster
      command: aws

Once the above setup is done you should be able to run kubectl commands.

 $ kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   xxx.xx.x.x   <none>        443/TCP   12d


Note:

I have tried to cover the major use cases here, but there might be other use cases too where we need to set up access to the cluster.

Also, the above tests mainly aim at the first-time setup of the EKS cluster, and none of the above methods touches the aws-auth configmap yet. But once you have given other IAM users/roles access to the EKS cluster via the aws-auth (https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html) file, you can use the same set of commands for those users too.
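Every one of the four methods above ends in the same place: a users[].user.exec block that runs aws eks get-token, with the identity coming either from a --role argument, from an AWS_PROFILE env entry, or from whatever credentials the shell already has. The linter below, an added example and not code from the answer, reads a kubeconfig as the dict yaml.safe_load or json.load returns and checks the things that silently break that block: --cluster-name and --region must match the cluster ARN, the API server host must be in that region, a --role must be an IAM role ARN in the cluster's account (the :user/ spelling is exactly the mistake that makes get-token fail), and the exec apiVersion must still be one kubectl accepts (client.authentication.k8s.io/v1alpha1 was removed in kubectl 1.24). It also reports which of the three credential sources the block uses. sample_kubeconfig() builds a constructed file shaped like the ones update-kubeconfig writes; the account id 111122223333 and host abc123.sk1.us-east-1.eks.amazonaws.com are made up. Both the --role spelling update-kubeconfig writes and the full --role-arn option name are accepted.

```python
"""Lint the EKS exec block of a kubeconfig (added example, not from the answer).

Input is the dict yaml.safe_load/json.load gives for a kubeconfig.
Account id 111122223333 and the API server host are constructed.
"""
import re
from urllib.parse import urlparse

CLUSTER_ARN = re.compile(r"^arn:aws:eks:([a-z0-9-]+):(\d{12}):cluster/(.+)$")
IAM_ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/.+$")
# client.authentication.k8s.io/v1alpha1 was removed in kubectl 1.24.
ACCEPTED_EXEC_VERSIONS = {"client.authentication.k8s.io/v1beta1",
                          "client.authentication.k8s.io/v1"}


def sample_kubeconfig(role=None, profile=None,
                      api_version="client.authentication.k8s.io/v1beta1"):
    """Constructed kubeconfig shaped like the ones aws eks update-kubeconfig writes."""
    arn = "arn:aws:eks:us-east-1:111122223333:cluster/eks-cluster"
    args = ["--region", "us-east-1", "eks", "get-token", "--cluster-name", "eks-cluster"]
    if role:
        args += ["--role", role]          # scenario 2, method 1
    exec_block = {"apiVersion": api_version, "command": "aws", "args": args}
    if profile:
        exec_block["env"] = [{"name": "AWS_PROFILE", "value": profile}]  # method 2
    return {
        "apiVersion": "v1", "kind": "Config", "current-context": arn,
        "clusters": [{"name": arn, "cluster": {
            "server": "https://abc123.sk1.us-east-1.eks.amazonaws.com",
            "certificate-authority-data": "CERT"}}],
        "contexts": [{"name": arn, "context": {"cluster": arn, "user": arn}}],
        "users": [{"name": arn, "user": {"exec": exec_block}}],
    }


def _exec_args(args):
    """Fold ['--region', 'us-east-1', 'eks', 'get-token', ...] into options + positionals."""
    opts, positional, i = {}, [], 0
    while i < len(args):
        if args[i].startswith("--"):
            opts[args[i]] = args[i + 1] if i + 1 < len(args) else None
            i += 2
        else:
            positional.append(args[i])
            i += 1
    return opts, positional


def _lookup(entries, name, key):
    return next((e[key] for e in entries if e.get("name") == name), None)


def lint_kubeconfig(cfg):
    """Return (credential_mode, findings); an empty findings list means the block is consistent.

    credential_mode is 'role-in-kubeconfig' (--role present), 'aws-profile'
    (AWS_PROFILE in env) or 'ambient' (instance profile, exported session
    keys or the default profile, i.e. scenario 1 and methods 3 and 4).
    """
    findings = []
    ctx = _lookup(cfg.get("contexts", []), cfg.get("current-context"), "context")
    if ctx is None:
        return "unknown", ["current-context has no matching contexts entry"]
    cluster = _lookup(cfg.get("clusters", []), ctx.get("cluster"), "cluster")
    user = _lookup(cfg.get("users", []), ctx.get("user"), "user")
    if cluster is None or user is None:
        return "unknown", ["context references a missing cluster or user entry"]
    m = CLUSTER_ARN.match(ctx["cluster"])
    if not m:
        return "unknown", [f"cluster name {ctx['cluster']!r} is not an EKS cluster ARN"]
    arn_region, account, cluster_name = m.groups()

    host = urlparse(cluster.get("server", "")).hostname or ""
    if not host.endswith(f".{arn_region}.eks.amazonaws.com"):
        findings.append(f"server host {host!r} is not an EKS endpoint in {arn_region}")

    ex = user.get("exec")
    if not ex or ex.get("command") != "aws":
        return "unknown", findings + ["user entry does not exec `aws eks get-token`"]
    if ex.get("apiVersion") not in ACCEPTED_EXEC_VERSIONS:
        findings.append(f"exec apiVersion {ex.get('apiVersion')!r} is not accepted by current kubectl")
    opts, positional = _exec_args(ex.get("args", []))
    if positional != ["eks", "get-token"]:
        findings.append(f"unexpected aws subcommand {positional}")
    if opts.get("--cluster-name") != cluster_name:
        findings.append(f"--cluster-name {opts.get('--cluster-name')!r} != cluster ARN name {cluster_name!r}")
    if opts.get("--region") not in (None, arn_region):
        findings.append(f"--region {opts['--region']!r} != cluster ARN region {arn_region!r}")

    role = opts.get("--role") or opts.get("--role-arn")
    env = {e.get("name"): e.get("value") for e in ex.get("env") or []}
    if role is not None:
        rm = IAM_ROLE_ARN.match(role)
        if not rm:
            findings.append(f"--role {role!r} is not an IAM role ARN (arn:aws:iam::ACCOUNT:role/NAME)")
        elif rm.group(1) != account:
            findings.append(f"--role account {rm.group(1)} differs from cluster account {account}")
        mode = "role-in-kubeconfig"
    elif "AWS_PROFILE" in env:
        mode = "aws-profile"
    else:
        mode = "ambient"
    return mode, findings
```

To lint a real file, load ~/.kube/config with yaml.safe_load (or json.load, since kubectl also reads JSON kubeconfigs) and pass the result to lint_kubeconfig; an "ambient" result means the identity kubectl uses is whatever aws sts get-caller-identity shows in that shell, which is the check the answer repeats before each update-kubeconfig.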
