
I've initially run aws --region eu-west-1 eks update-kubeconfig --name prod-1234 --role-arn arn:aws:iam::1234:user/chris-devops to get access to the EKS cluster.

When doing anything like: kubectl get ... I get an error of:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::1234:user/chris-devops is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::1234:user/chris-devops

Why do I get this error? How do I gain access?

I've added the following to the user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::1234:user/chris-devops"
        }
    ]
}

In addition I also have full Administrator access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

I've read through: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_cant-assume-role

And my understanding is I'm meeting all the criteria.

Chris Stryczynski

2 Answers


Your policy is wrong. A user can't assume another IAM user. It should be something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::1234:role/prod-Eks-1234-admins"
        }
    ]
}
marcincuber
aws eks --region eu-west-1 update-kubeconfig --name prod-eks-3flXvI2r --role-arn arn:aws:iam::1234:role/prod-eks-1234-admins

I had to specify the correct role... Woohooo

Chris Stryczynski
Yes and to add more details, you need to specify the role that provisioned the EKS cluster. Same in the policy of your user, use the provision role. – PierrickM Dec 09 '20 at 17:08
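As an added illustration of the point both answers make (this is not code from the question, the answers or AWS), the following script checks an IAM identity policy for `sts:AssumeRole` statements whose `Resource` is an IAM user ARN rather than a role ARN, which is exactly what produced the AccessDenied above, and it parses the AssumeRole error message to say why. The policy documents and error text embedded below are copied from this thread; the account id `1234` is the question's own placeholder (real account ids are 12 digits, so the ARN patterns accept any digit run). It only inspects the caller's identity policy: assuming a role additionally requires the role's trust policy to allow that caller, which this script cannot see.

```python
import json
import re

# IAM ARN shapes: arn:<partition>:iam::<account-id>:role/<name> and ...:user/<name>.
# Account ids are normally 12 digits; the question uses the placeholder 1234, so accept any digit run.
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::[0-9]+:role/\S+$")
USER_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::[0-9]+:user/\S+$")

# Shape of the STS AccessDenied message quoted in the question.
ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)"
)

# Constructed inputs, taken from the thread above.
WRONG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                   "Resource": "arn:aws:iam::1234:user/chris-devops"}],
}
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                   "Resource": "arn:aws:iam::1234:role/prod-Eks-1234-admins"}],
}
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ERROR_MESSAGE = ("An error occurred (AccessDenied) when calling the AssumeRole operation: "
                 "User: arn:aws:iam::1234:user/chris-devops is not authorized to perform: "
                 "sts:AssumeRole on resource: arn:aws:iam::1234:user/chris-devops")


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_assume_role_policy(policy):
    """Return (statement_index, resource, reason) for every Allow of sts:AssumeRole
    whose Resource is not a concrete IAM role ARN. An empty list means the policy is clean."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        for res in _as_list(stmt.get("Resource")):
            if "*" in res:
                findings.append((idx, res, "wildcard Resource: principal may assume any matching role"))
            elif ROLE_ARN_RE.match(res):
                continue  # a role ARN is the only valid AssumeRole target
            elif USER_ARN_RE.match(res):
                findings.append((idx, res, "Resource is an IAM user ARN; sts:AssumeRole targets roles, not users"))
            else:
                findings.append((idx, res, "Resource is not an IAM role ARN"))
    return findings


def diagnose_access_denied(message):
    """Parse an STS AccessDenied message and explain the likely cause, or return None if it is not one."""
    m = ACCESS_DENIED_RE.search(message)
    if not m:
        return None
    info = m.groupdict()
    if info["action"].lower() != "sts:assumerole":
        info["diagnosis"] = "not an AssumeRole failure"
    elif USER_ARN_RE.match(info["resource"]):
        info["diagnosis"] = "target is an IAM user, not a role; pass a role ARN to --role-arn"
    else:
        info["diagnosis"] = "check the caller's identity policy and the role's trust policy"
    return info


def assume_role_policy(role_arn):
    """Build the minimal identity policy that lets a principal assume exactly one role."""
    if not ROLE_ARN_RE.match(role_arn) or "*" in role_arn:
        raise ValueError(f"not a concrete IAM role ARN: {role_arn}")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": role_arn}]}


if __name__ == "__main__":
    for name, pol in (("question", WRONG_POLICY), ("answer", FIXED_POLICY), ("admin", ADMIN_POLICY)):
        print(name, check_assume_role_policy(pol))
    print(diagnose_access_denied(ERROR_MESSAGE)["diagnosis"])
    print(json.dumps(assume_role_policy("arn:aws:iam::1234:role/prod-eks-1234-admins"), indent=2))
```

Run against the question's policy it reports the user-ARN resource; against the answer's policy it reports nothing; against the AdministratorAccess-style policy it reports the `*` wildcard, which is why full admin rights did not help here: the caller was asking STS to assume a user, and no identity policy can make that succeed.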