I am trying to use kubectl against an EKS cluster that was created by another user.
Following the instructions in the documentation, I created the kube config file with the command `aws eks --region eu-central-1 update-kubeconfig --name internal --role-arn arn:aws:iam::xxxxxxxxxx:role/eks_role_internal`.
Then, when I try to test the configuration (`kubectl get svc`), I get this error message:
could not get token: accessDenied: User: arn:aws:iam::xxxxxxxxxxxx:user/me is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxxx:role/eks_role_internal
This is the configuration of the policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::xxxxxxxxxxx:role/eks_role_internal"
        }
    ]
}
And the trust relationship of the role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "eks.amazonaws.com",
                    "ec2.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
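An AssumeRole call is only granted when both the caller's identity policy and the role's trust policy allow it; the added example below (not part of the question, written here to check that handshake offline) evaluates the two policy documents from the question against the caller ARN and reports which side is missing. The account id, the `TRUST_FIXED` variant that additionally trusts the account root, and the simplified matching (exact ARNs, no `Deny` or `Condition` handling) are assumptions of the example.

```python
# Constructed to mirror the question; the account id is a placeholder.
ACCOUNT = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/eks_role_internal"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/me"

# Identity policy attached to the user (as in the question).
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

# Trust policy as posted: only service principals may assume the role, no IAM user or account.
TRUST_AS_POSTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": ["eks.amazonaws.com", "ec2.amazonaws.com"]},
     "Action": "sts:AssumeRole"}]}

# Assumed fix: also trust the account root, so principals in the account whose identity policy allows it may assume the role.
TRUST_FIXED = {"Version": "2012-10-17", "Statement": TRUST_AS_POSTED["Statement"] + [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": "sts:AssumeRole"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def identity_allows(policy, action, resource):
    """Simplified check: exact action/resource match on Allow statements (no Deny, no Condition)."""
    return any(st["Effect"] == "Allow"
               and action in _as_list(st.get("Action", []))
               and resource in _as_list(st.get("Resource", []))
               for st in policy["Statement"])


def trust_allows(trust_policy, caller_arn):
    """True if an Allow statement for sts:AssumeRole names the caller, its account root, or '*' as AWS principal."""
    account_root = "arn:aws:iam::" + caller_arn.split(":")[4] + ":root"
    for st in trust_policy["Statement"]:
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if any(p in aws for p in (caller_arn, account_root, "*")):
            return True
    return False  # Service principals alone never cover an IAM user


def diagnose(user_policy, trust_policy, caller_arn, role_arn):
    """Return which side of the AssumeRole handshake is missing, or 'ok'."""
    if not identity_allows(user_policy, "sts:AssumeRole", role_arn):
        return "identity policy does not allow sts:AssumeRole on the role"
    if not trust_allows(trust_policy, caller_arn):
        return "trust policy does not trust the caller principal or its account"
    return "ok"
```

Running `diagnose(USER_POLICY, TRUST_AS_POSTED, USER_ARN, ROLE_ARN)` reports the trust-policy gap that matches the error in the question, while the `TRUST_FIXED` variant returns `"ok"`.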