
AccessDenied: User: arn:aws:sts::ACCOUNT_NUMBER:assumed-role/<ROLE>/<INSTANCE_ID> is not authorized to perform: ...

rmgpinto opened this issue · 1 comments

I have a k8s cluster with the following config:

# this role is the nodes role of the cluster
# Looked up by name, so it must already exist outside this config. Its ARN is
# the single principal trusted by the kiam-server role's trust policy below.
data "aws_iam_role" "kubernetes_nodes" {
  name = var.server_node_role
}

# Grants the node role permission to assume the kiam-server role, and only
# that role (Resource is the server role's ARN, not "*"). Presumably this is
# what lets the kiam-server pods obtain the role named in server.assumeRoleArn.
resource "aws_iam_policy" "server_node" {
  name = "kiam-server-node"
  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : "sts:AssumeRole",
          "Resource" : "${aws_iam_role.server_role.arn}"
        }
      ]
    }
  )
}

# NOTE: aws_iam_policy_attachment manages ALL attachments of this policy
# exclusively; any attachment made outside Terraform is removed on apply.
# aws_iam_role_policy_attachment scopes the attachment to a single role.
resource "aws_iam_policy_attachment" "node_policy_attach" {
  name       = "kiam-server-node"
  roles      = [data.aws_iam_role.kubernetes_nodes.name]
  policy_arn = aws_iam_policy.server_node.arn
}


# The role kiam-server runs as. Its trust policy allows only the cluster's
# node role to assume it. Anything that can use the node role's credentials
# (e.g. a pod whose metadata requests are not intercepted by the kiam agent)
# can therefore reach this role too, so the agent's metadata interception is
# part of the boundary here.
resource "aws_iam_role" "server_role" {
  name = "kiam-server"
  assume_role_policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Principal" : {
            "AWS" : "${data.aws_iam_role.kubernetes_nodes.arn}"
          },
          "Action" : "sts:AssumeRole"
        }
      ]
    }
  )
}

# Permissions for the kiam-server role. Resource "*" lets it call
# sts:AssumeRole on ANY role (in any account) whose trust policy names it.
# Least privilege: list the ARNs of the roles pods are allowed to request,
# or constrain them to a dedicated path/name prefix, instead of "*".
resource "aws_iam_policy" "server_policy" {
  name = "kiam-server"
  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : "sts:AssumeRole",
          "Resource" : "*"
        }
      ]
    }
  )
}

# Attaches the kiam-server policy to the kiam-server role.
# NOTE: aws_iam_policy_attachment is exclusive — it removes any other
# attachment of this policy on apply; aws_iam_role_policy_attachment does not.
resource "aws_iam_policy_attachment" "server_policy_attach" {
  name       = "kiam-server"
  roles      = ["${aws_iam_role.server_role.name}"]
  policy_arn = aws_iam_policy.server_policy.arn
}

Then, for the pod IAM role, I have:

# Looks up the kiam-server role defined in the cluster config; the name must
# match that resource's `name` exactly or the trust policy below gets no ARN.
data "aws_iam_role" "kiam_server" {
  name = "kiam-server"
}

# The role pods request via kiam. Two trust statements:
#  - ec2.amazonaws.com: only needed if this role is also used as an EC2
#    instance profile; if pods are its only consumer, drop it — it widens
#    who may assume the role beyond kiam-server.
#  - the kiam-server role: the principal kiam actually uses.
resource "aws_iam_role" "role" {
  name = "role"
  assume_role_policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Principal" : {
            "Service" : "ec2.amazonaws.com"
          },
          "Action" : "sts:AssumeRole"
        },
        {
          "Effect" : "Allow",
          "Principal" : {
            "AWS" : "${data.aws_iam_role.kiam_server.arn}"
          },
          "Action" : "sts:AssumeRole"
        }
      ]
    }
  )
}

# Inline, read-only Route53 permissions for the pod role. "*" is required for
# route53:ListHostedZones (no resource-level scoping); ListResourceRecordSets
# could be narrowed to specific hosted-zone ARNs if the pods only need some
# zones — worth confirming against the consuming workload.
resource "aws_iam_role_policy" "role_policy" {
  name = "policy"
  role = aws_iam_role.role.name
  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : [
            "route53:ListHostedZones",
            "route53:ListResourceRecordSets"
          ],
          "Resource" : [
            "*"
          ]
        }
      ]
    }
  )
}

helm chart values.yaml:

agent:
  host:
    # Installs kiam's iptables rule so pod metadata requests are redirected to
    # the agent. Without it pods reach the real instance metadata and receive
    # the NODE role's credentials — consistent with the AccessDenied reported
    # for assumed-role/kubernetes_nodes rather than the pod role.
    iptables: true
    interface: "!eth0"
server:
  # Placeholder: must be the full ARN of the kiam-server role.
  assumeRoleArn: <kiam_server_role_arn>
  deployment:
    enabled: true
    replicas: 3

But I get:
AccessDenied: User: arn:aws:sts::ACCOUNT_NUMBER:assumed-role/kubernetes_nodes/<INSTANCE_ID> is not authorized to perform: route53:ListHostedZones

kiam-server is logging the credentials injection fine.

Can anyone help please?

I had messed up the configs; I needed to specify `iptables: true`.