SessionName did not contain an instance id
haarchri opened this issue · 0 comments
haarchri commented
We are running a central EKS cluster with Crossplane provider-aws enabled in Account A (with IRSA) and will deploy an EKS cluster in Account B. We are using assumeRoleArn: https://github.com/crossplane/provider-aws/blob/master/pkg/clients/aws.go#L319-L323
Provisioning in Account B is working, but creating a working kubeconfig is not working. Every time, we get Unauthorized.
We can see the following issue in the authenticator CloudWatch log:
time="2022-01-07T18:47:39Z" level=warning msg="access denied" arn="arn:aws:iam::REDACTED:role/crossplane-test" client="127.0.0.1:57752" error="failed mapping username: SessionName did not contain an instance id" method=POST path=/authenticate sts=sts.ap-northeast-1.amazonaws.com
Any idea what the problem is?