AWS could not get token: AccessDenied: User: ARN is not authorized to perform: sts:AssumeRole on resource: Role:ARN

Tags: amazon-web-services, aws-cli, kubernetes

I am following the step-by-step guide to set up a Kubernetes environment on AWS.

https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html#role-create

It already had some gotchas, and they have been answered partially.

  1. https://stackoverflow.com/questions/51135795/error-the-server-doesnt-have-resource-type-svc
  2. https://stackoverflow.com/questions/50791303/kubectl-error-you-must-be-logged-in-to-the-server-unauthorized-when-accessing

For some reason, people were able to resolve this using the guidelines available in these answers, and I still could not get past it.

could not get token: AccessDenied: User: arn:aws:iam::sssssss:user/testprofileUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::sssssssss:role/eksServiceRole

What I have done:

  1. I created an IAM user with Admin privileges (servicesDev).
  2. Created an IAM Role for the EKS service (amazonEKSServiceRole).

amazonEKSServiceRole has a trust relationship as below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

This is my kubeconfig file:

apiVersion: v1
clusters:
- cluster:
    server: https://7F30ANNSDSDMDCE1.ylq.us-east-1.eks.amazonaws.com
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURB...
  name: clouddev
contexts:
- context:
    cluster: clouddev
    user: aws
  name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws-iam-authenticator
      args:
        - "token"
        - "-i"
        - "clouddev"
        - "-r"
        - "arn:aws:iam::xxxxx:role/amazonEKSServiceRole"
      env:
        - name: AWS_PROFILE
          value: "testprofile"

To be clear, I have testprofile set up correctly in ~/.aws/credentials.

If anybody can shed some light, it would be greatly appreciated.

Best Answer

You also need to set up the "trust relationship" for the AWSServiceRoleForAmazonEKS role which allows EKS to assume it.

Near the bottom of this link will be details on what to do:

Amazon EKS Service IAM Role
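The error in the question is a trust-policy mismatch: the `-r` argument in the kubeconfig makes aws-iam-authenticator call sts:AssumeRole on amazonEKSServiceRole with the testprofile credentials, but the trust policy shown only lists the eks.amazonaws.com service principal, so the IAM user is refused regardless of how much permission the user's own policies grant. The following is an added illustration, not code from the question, the answer, or AWS: it evaluates a role trust policy offline against a caller ARN and reports whether that caller is covered. The account id `111111111111` is a constructed placeholder (the question redacts it), `Condition`, `NotPrincipal` and `NotAction` elements are not evaluated, and `ACCOUNT_TRUST_POLICY` is a constructed contrast case showing the account-root delegation form.

```python
import json
from typing import Iterable

# Trust policy copied from the question (attached to amazonEKSServiceRole).
EKS_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Principal": { "Service": "eks.amazonaws.com" },
      "Action": "sts:AssumeRole" }
  ]
}
""")

# Constructed contrast case: trusting the account root delegates the decision
# to that account's own IAM policies (any principal in 111111111111 may be
# allowed by its identity policy). Not taken from the page.
ACCOUNT_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
      "Action": "sts:AssumeRole" }
  ]
}
""")

# Caller from the error message; the account id is a constructed placeholder.
CALLER_ARN = "arn:aws:iam::111111111111:user/testprofileUser"


def _as_list(value) -> list:
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(actions: Iterable[str], wanted: str) -> bool:
    """Match an Action element ('sts:AssumeRole', 'sts:*', '*') against wanted."""
    for action in actions:
        if action == "*" or action.lower() == wanted.lower():
            return True
        if action.endswith("*") and wanted.lower().startswith(action[:-1].lower()):
            return True
    return False


def _principal_matches(principal, caller_arn: str) -> bool:
    """True if a statement's Principal element covers caller_arn.
    Handles '*', the 'AWS' key (IAM ARNs, account-root ARNs, bare account ids)
    and the 'Service' key (a service name such as eks.amazonaws.com).
    Conditions and NotPrincipal are deliberately not evaluated."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    caller_account = caller_arn.split(":")[4] if caller_arn.startswith("arn:") else ""
    for entry in _as_list(principal.get("AWS")):
        if entry == "*" or entry == caller_arn:
            return True
        if caller_account and entry in (caller_account, f"arn:aws:iam::{caller_account}:root"):
            return True
    return any(svc == caller_arn for svc in _as_list(principal.get("Service")))


def can_assume_role(trust_policy: dict, caller_arn: str, action: str = "sts:AssumeRole") -> bool:
    """Evaluate the trust policy for caller_arn: an explicit Deny wins, then any Allow."""
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        if not _action_matches(_as_list(stmt.get("Action")), action):
            continue
        if not _principal_matches(stmt.get("Principal"), caller_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def trusted_principals(trust_policy: dict) -> list:
    """List every principal an Allow statement names, as 'Key:value' strings."""
    found = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            found.append("*")
        elif isinstance(principal, dict):
            for key in ("AWS", "Service", "Federated"):
                found.extend(f"{key}:{v}" for v in _as_list(principal.get(key)))
    return found


def explain(trust_policy: dict, caller_arn: str) -> str:
    """Human-readable verdict for a 'not authorized to perform sts:AssumeRole' error."""
    trusted = ", ".join(trusted_principals(trust_policy)) or "(none)"
    if can_assume_role(trust_policy, caller_arn):
        return f"{caller_arn} is covered by the trust policy (trusted: {trusted})"
    return (f"{caller_arn} is NOT covered by the trust policy (trusted: {trusted}); "
            "sts:AssumeRole fails with AccessDenied even if the caller's own IAM "
            "policy grants sts:AssumeRole on the role")


if __name__ == "__main__":
    print(explain(EKS_TRUST_POLICY, CALLER_ARN))
    print(explain(EKS_TRUST_POLICY, "eks.amazonaws.com"))
    print(explain(ACCOUNT_TRUST_POLICY, CALLER_ARN))
```

Run against the question's policy, the script reports that only `Service:eks.amazonaws.com` is trusted and that the user ARN is not covered, which is exactly the AccessDenied in the error message. Note that a service role's trust policy is meant to list the service, not human users; the `-r` flag in the kubeconfig is only needed when the profile's credentials are supposed to switch into a separate role that explicitly trusts them.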
