
I'm having trouble creating a role for kube2iam. Everything seems to work fine: I deploy the stack with the role and the pods spin up, but whenever a pod tries to perform an authorized action (put an item into DynamoDB in this case) I get an error that the assumed role is not authorized. Here's the snippet that creates the role:

ServiceRole:
  Type: "AWS::IAM::Role"
  Properties:
    RoleName:
      Ref: StackName
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Principal:
          Service:
          - "ec2.amazonaws.com"
        Action:
        - "sts:AssumeRole"
    Path: "/"
    Policies:
    - PolicyName:
        Ref: StackName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - dynamodb:PutItem
            Resource:
              Fn::GetAtt: [Table, Arn]

The table is elsewhere in the same stack and deploys just fine. I deployed kube2iam via a Helm chart.

The error I get is:

User: arn:aws:sts::<BLAHBLAH>:assumed-role/nodes.k8s.logint.cimpress.io/<BLAHBLAH> is not authorized to perform: dynamodb:PutItem on resource <BLAHBLAH>

I also tried this for the assume role:

- Effect: "Allow"
  Principal:
    AWS: "arn:aws:iam::<BLAHBLAH>:role/nodes.<BLAHBLAH>"
  Action:
    - "sts:AssumeRole"

I still get the same error.

Lev Kuznetsov
  • Can you add the YAML where you specify your IAM role with the annotation? Also, your AssumeRole policy is incorrect. You need to whitelist the role attached to your worker node. – marcincuber Mar 07 '19 at 18:02
  • Pods are controlled by a deployment; the annotation is under `spec.template.metadata.annotations['iam.amazonaws.com/role']: arn:aws:iam:::role/`. This is a real role I can see from the console. For the second part, is there documentation on that? I don't know what it means. – Lev Kuznetsov Mar 07 '19 at 18:08
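The trust relationship marcincuber refers to has two halves, and the snippet in the question only has one of them pointed at the wrong principal. kube2iam runs on the worker node and calls `sts:AssumeRole` with the node's instance-profile credentials, so the target role must trust the node's IAM role (not the `ec2.amazonaws.com` service principal), and the node role must itself be allowed to assume the target role. The following CloudFormation fragment is an added example, not code from the question or from the kube2iam project; the `NodeRoleName` parameter, the `Table` definition and the `NodeAssumePolicy` resource are assumptions chosen to make it self-contained.

```yaml
# Added example (not from the question): both halves of the kube2iam trust
# relationship in one CloudFormation template. NodeRoleName, Table and
# NodeAssumePolicy are illustrative names assumed for this example.
Parameters:
  StackName:
    Type: String
  NodeRoleName:
    Type: String
    Description: Name of the IAM role attached to the worker-node instances

Resources:
  Table:
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH

  ServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref StackName
      Path: "/"
      # Half one: trust the node instance role, because kube2iam performs the
      # AssumeRole call from the node with the node's own credentials.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:role/${NodeRoleName}"
            Action: sts:AssumeRole
      Policies:
        - PolicyName: !Ref StackName
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: dynamodb:PutItem
                Resource: !GetAtt Table.Arn

  # Half two: the node role must be permitted to assume the target role.
  # Scoping the Resource to this one role (rather than role/*) means a pod
  # that escapes kube2iam cannot pivot to every role in the account.
  NodeAssumePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub "${StackName}-kube2iam-assume"
      Roles:
        - !Ref NodeRoleName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Resource: !GetAtt ServiceRole.Arn
```

The pod template then carries `iam.amazonaws.com/role` with the full ARN of `ServiceRole` (or the bare role name if kube2iam was started with `--base-role-arn`). One detail of the error message is worth checking separately: the denied identity is `assumed-role/nodes.k8s...`, i.e. the node's own role, which means the request went out with node credentials rather than with a role kube2iam assumed. From inside a pod, `curl 169.254.169.254/latest/meta-data/iam/security-credentials/` shows which role name the metadata endpoint is serving; if it returns the node role, the annotation is not being picked up or the chart did not enable interception (`--iptables=true` together with the correct `--host-interface`), and no amount of trust-policy work will change the result.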

0 Answers