
I have a role which has full privilege to access EKS, EC2 and IAM, and which is attached to an EC2 instance.

I am trying to access my EKS cluster from this EC2 instance. I did add the EC2 instance ARN like below to the trust relationship of the role which the instance assumes as well. However, I still get the error below when trying to access the cluster using kubectl from the CLI inside the EC2 instance.

I have tried the below to obtain the kubeconfig written to the instance home directory from which I execute these commands.

$ aws sts get-caller-identity

$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region --role-arn arn:aws:iam::XXXXXXXXXXXX:role/testrole

Error I'm getting:

error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::769379794363:assumed-role/dev-server-role/i-016d7738c9cb84b96 is not authorized to perform: sts:AssumeRole on resource xxx
Wytrzymały Wiktor
Vaishnav
  • Don't specify `role-arn` if you want it to use the instance profile. – jordanm Oct 01 '21 at 18:32
  • Thanks @jordanm, that helped. I now have a new issue. I am not able to list any resources. `jenkins@ip-10-0-1-98:~$ kubectl get namespaces` gives: `Error from server (Forbidden): namespaces is forbidden: User "system:node:ip-10-0-1-98.ec2.internal" cannot list resource "namespaces" in API group "" at the cluster scope` – Vaishnav Oct 02 '21 at 08:51
  • That error indicates you are not using the token from `update-kubeconfig`. The ARN of the role also needs to be inside of the `aws-auth` configmap inside of the cluster. – jordanm Oct 02 '21 at 16:53
  • Thank you @jordanm. I will try that and let you know. – Vaishnav Oct 02 '21 at 17:29
  • @Vaishnav, I have posted the community wiki response to make the problem resolution more visible to the community. For future reference, if a new problem arises, create a new question. There is a rule on Stack Overflow: one problem, one question. – Mikołaj Głodziak Oct 04 '21 at 08:38

2 Answers

Community wiki answer for better visibility.

The problem is solved by taking a good tip from the comment:

Don't specify role-arn if you want it to use the instance profile.

OP has confirmed:

thanks @jordanm that helped

Mikołaj Głodziak
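Once the kubeconfig is generated without `--role-arn`, the identity that reaches the EKS API is the EC2 instance role itself (the session shown in the question's error, `arn:aws:sts::769379794363:assumed-role/dev-server-role/<instance-id>`). The following is an added example, not code from the question or either answer: it normalises that session ARN into the plain IAM role ARN that `aws-auth` matches on (no path, not the STS form), emits the `mapRoles` entry to add, and emits least-privilege RBAC for the group. The group name `eks-admins` and the ClusterRole name `namespace-reader` are assumptions; the account id and role name come from the error message in the question.

```shell
#!/bin/sh
# Added example; not code from the original post or its answers.
# Maps the EC2 instance role into aws-auth and grants it the RBAC that
# "kubectl get namespaces" needs. Group/ClusterRole names are assumptions.

# EKS compares the caller against aws-auth "rolearn" values written as
# arn:aws:iam::<account>:role/<name>: the plain IAM role ARN, without any
# path component and not in the STS assumed-role form. Accept either form.
iam_role_arn_for_aws_auth() {
    printf '%s\n' "$1" | sed \
        -e 's#^arn:aws:sts::\([0-9]\{12\}\):assumed-role/\([^/]*\)/.*$#arn:aws:iam::\1:role/\2#' \
        -e 's#^\(arn:aws:iam::[0-9]\{12\}:role/\).*/\([^/]*\)$#\1\2#'
}

# Emit only the mapRoles entry to add. Do NOT apply a fresh aws-auth ConfigMap
# over the existing one: it already carries the node role mapping to
# system:nodes, and replacing it disconnects every worker node.
aws_auth_map_roles_entry() {
    role_arn=$(iam_role_arn_for_aws_auth "$1")
    group=${2:-eks-admins}
    cat <<EOF
    - rolearn: ${role_arn}
      username: ${role_arn##*/}:{{SessionName}}
      groups:
        - ${group}
EOF
}

# Least-privilege RBAC for the group: exactly what the failing request
# ("list namespaces at the cluster scope") needs. Extend the rules on purpose
# rather than binding the group to cluster-admin.
rbac_for_group() {
    group=${1:-eks-admins}
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-reader
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: namespace-reader-${group}
subjects:
  - kind: Group
    name: ${group}
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: namespace-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Demo input: the session ARN from the question's error message (constructed).
CALLER='arn:aws:sts::769379794363:assumed-role/dev-server-role/i-016d7738c9cb84b96'
echo '# add under data.mapRoles via: kubectl -n kube-system edit configmap aws-auth'
aws_auth_map_roles_entry "$CALLER" eks-admins
echo '# then: rbac_for_group eks-admins | kubectl apply -f -'
```

Both steps must be run by an identity that is already authorised in the cluster (the IAM identity that created it is mapped to `system:masters` automatically). If `kubectl` on the instance still reports the caller as `system:node:...` after this, the request is not carrying the token from `update-kubeconfig` at all: check `echo "$KUBECONFIG"` and `kubectl config current-context` for the Jenkins user before changing anything in the cluster.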

You need to establish a trust relationship. Go to the IAM role, click Trust relationships and add the following JSON.

Replace XXXXXXXXXXXX with your account id.

            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "AWS": [
                      "arn:aws:iam::XXXXXXXXXXXX:root"
                    ]
                  },
                  "Action": "sts:AssumeRole"
                }
              ]
            }
vaquar khan
  • Thanks for your response. But it was already defined properly. The above comment fixed the issue, i.e. I had to run without specifying the `--role-arn`. However, I now have a new issue. I am not able to list any resources. `jenkins@ip-10-0-1-98:~$ kubectl get namespaces` gives: `Error from server (Forbidden): namespaces is forbidden: User "system:node:ip-10-0-1-98.ec2.internal" cannot list resource "namespaces" in API group "" at the cluster scope` – Vaishnav Oct 02 '21 at 08:51
  • https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole – vaquar khan Oct 02 '21 at 20:58
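For anyone who does need the `--role-arn` path (for example Jenkins should act as `testrole`, not as the instance role), the trust policy above is only half of it. With `--role-arn`, the kubeconfig's exec plugin runs `aws eks get-token --role-arn ...`, which calls `sts:AssumeRole` from the instance role's session, so the AccessDenied in the question is the instance role being refused permission to assume `testrole`. The following is an added example, not code from the answer or the question: it emits a trust policy for `testrole` that names the instance role instead of the whole account, and the identity policy the instance role needs; the account id and role names are taken from the question, the policy file and policy names are assumptions.

```shell
#!/bin/sh
# Added example; not code from the original post or its answers.
# Two documents must agree before `aws eks update-kubeconfig --role-arn` works
# from the instance: testrole must trust the caller, and the caller must be
# allowed to call sts:AssumeRole on testrole.
ACCOUNT=769379794363             # from the question's error message
INSTANCE_ROLE=dev-server-role    # role in the EC2 instance profile
TARGET_ROLE=testrole             # role named in --role-arn

# Trust policy for TARGET_ROLE. The answer above trusts the entire account
# (":root"), which lets any identity in the account with an AssumeRole
# permission take the role; naming the instance role limits that to one caller.
trust_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::$1:role/$2" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Identity policy for INSTANCE_ROLE. With ":root" as the trusted principal
# this is mandatory, because the trust policy then only delegates the decision
# to the account's IAM policies; "not authorized to perform: sts:AssumeRole"
# is exactly what its absence looks like.
assume_role_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::$1:role/$2"
    }
  ]
}
EOF
}

# Apply from an identity allowed iam:UpdateAssumeRolePolicy and iam:PutRolePolicy
# (file and policy names are assumptions):
#   trust_policy "$ACCOUNT" "$INSTANCE_ROLE" > trust.json
#   aws iam update-assume-role-policy --role-name "$TARGET_ROLE" \
#       --policy-document file://trust.json
#   assume_role_policy "$ACCOUNT" "$TARGET_ROLE" > assume.json
#   aws iam put-role-policy --role-name "$INSTANCE_ROLE" \
#       --policy-name allow-assume-testrole --policy-document file://assume.json
# Verify on the instance before involving kubectl at all:
#   aws sts assume-role --role-arn "arn:aws:iam::$ACCOUNT:role/$TARGET_ROLE" \
#       --role-session-name eks-check
trust_policy "$ACCOUNT" "$INSTANCE_ROLE"
assume_role_policy "$ACCOUNT" "$TARGET_ROLE"
```

Once `aws sts assume-role` succeeds from the instance, remember that it is `testrole`, not the instance role, that has to appear in the cluster's `aws-auth` configmap, since that is the identity the token will now carry.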