0

I want to deploy Kubernetes service/deployment yaml files from CodePipeline which is in account A and the EKS cluster is in account B.

I tried the following approach.

On Account A:

  • Created assume role policy and attached it to the codebuild role which is associated with the codepipeline.
  • Passed the role name from account A in assume role policy which has eks full access.

On Account B:

  • Created a role with access to EKS cluster.
  • Added the above role arn to the Kubernetes config with system:masters permission.

Buildspec file from Account A:

version: 0.2
run-as: root

phases:

  install:
    commands:
      - echo Installing app dependencies...
      - curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.18.9/2020-11-02/bin/darwin/amd64/kubectl
      - chmod +x ./kubectl
      - mkdir -p $HOME/bin && cp ./kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin
      - echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc
      - source ~/.bashrc
      - echo 'Check kubectl version'
      - kubectl version --short --client
      #- chmod +x eks_cicd/prereqs.sh
      #- sh eks_cicd/prereqs.sh

  build:
    commands:
      - echo Logging in to Amazon EKS...
      - aws sts get-caller-identity
      - aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name $AWS_CLUSTER_NAME --role-arn $ASSUMEROLE_ARN
      - echo check config
      - kubectl config view --minify
      - echo check kubectl access
      - kubectl get svc

  post_build:
    commands:
      - kubectl apply -f ingress.yml
      #- kubectl rollout restart -f eks_cicd/deployment.yaml

But I'm getting this error:

An error occurred (ResourceNotFoundException) when calling the DescribeCluster operation: No cluster found for name: DevCluster.
SUBHAS PATIL
  • 176
  • 1
  • 13

1 Answers1

0

As far as I can tell you are still in account A.

The role for codebuild (role 1)

Needs to be in account A.

The role with with access to run ' aws eks ' (role 2)

The role you want to pass to eks via ' --role-arn ' (role 3 )

Both need to be in account B.

Point 1

Role 1 needs to have iam:AssumeRole permission to assume role 2.

You need to actively assume it via a script in your codebuild buildspec and set the following variables in your environment.

  • aws access key
  • secret access key
  • session token

See here for an example of an assume role script:

https://dannys.cloud/create-reusable-assume-role-script-cross-account-aws

Point 2

The AssumeRolePolicyDocument for role 2, needs to permit role 1 to assume it.

      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${DeployMentsAccountId}:role/${CodeBuildRoleName}
            Action:
              - sts:AssumeRole

It then needs the permission to run eks etc.

It also needs iam:PassRole on role 3

Point 3

Your cluster role ( role 3 ) (see https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html)

Ronan Cunningham
  • 344
  • 1
  • 7
  • Thanks for the help. Everything was already in place, I did 2 things 1. Created the script for temp credentials 2. Attached the below policy to the target account IAM role and it started working: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "some-large-id", "Effect": "Allow", "Action": [ "sts:*" ], "Resource": [ "*" ] } ] } ``` – SUBHAS PATIL Aug 09 '21 at 08:46