STS assumerole cant call itself - amazon-iam

I tried to run the command kubectl get svc and I get this error:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::0123456789:user/temp is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::0123456789:user/temp
The following JSON is the IAM policy of user temp:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "eks:DescribeCluster",
      "Resource": "arn:aws:eks:ap-southeast-1:0123456789:cluster/cluster1"
    }
  ]
}

This could happen if your .kube/config looks like:
- name: arn:aws:eks:us-west-2:111122223333:cluster/integ
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
        - --region
        - us-west-2
        - eks
        - get-token
        - --cluster-name
        - integ
        - --role
        - arn:aws:iam::111122223333:user/temp
      command: aws
The key part here is the --role ...user/temp part, which tells the aws eks get-token command to first AssumeRole before it tries to get the token.
So if your AWS client / setup has already assumed the role in question, it will then try to assume the role again when trying to get the EKS login token. So unless you've added permission for the role to assume itself (which would be silly, but helps work around this particular issue), you will see the error.
The fix is to either not assume the role first in your client, or to take the --role .../temp out of your .kube/config.
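As an added example (not part of the original answer), a small offline Python check that reproduces the diagnosis above: it compares the caller identity ARN from sts get-caller-identity with the --role value in the kubeconfig exec args, flags the self-assume and user-ARN cases, and applies the answer's second fix. The --role-arn spelling is the documented flag of aws eks get-token; the sample exec args are constructed.

```python
import re
from typing import List, Optional

# Session ARN shape returned by `aws sts get-caller-identity` after a role was assumed.
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")

def canonical_role_arn(caller_arn: str) -> Optional[str]:
    """Map an assumed-role session ARN back to its IAM role ARN.
    Returns None for a plain IAM user, which has not assumed anything."""
    m = ASSUMED_ROLE_RE.match(caller_arn)
    if not m:
        return None
    account, role = m.groups()
    return f"arn:aws:iam::{account}:role/{role}"

def role_flag(exec_args: List[str]) -> Optional[str]:
    """Value of --role (as in the answer) or --role-arn (documented flag) for get-token."""
    for i, arg in enumerate(exec_args):
        if arg in ("--role", "--role-arn") and i + 1 < len(exec_args):
            return exec_args[i + 1]
    return None

def diagnose(caller_arn: str, exec_args: List[str]) -> str:
    """Explain why `aws eks get-token` would fail its AssumeRole call, or that it should work."""
    target = role_flag(exec_args)
    if target is None:
        return "ok: get-token signs the token with the caller's own credentials"
    if ":user/" in target:
        # STS AssumeRole only targets roles; a user ARN here can never be assumed.
        return "error: --role names an IAM user, only roles can be assumed"
    if canonical_role_arn(caller_arn) == target:
        return "error: caller already holds this role, get-token would assume it again"
    return "ok: caller will assume a different role to sign the token"

def without_role_flag(exec_args: List[str]) -> List[str]:
    """The answer's second fix: drop --role/--role-arn and its value from the exec args."""
    out = list(exec_args)
    for flag in ("--role", "--role-arn"):
        if flag in out:
            i = out.index(flag)
            del out[i:i + 2]
    return out

# Constructed sample: the exec args from the kubeconfig above, with a role ARN as target.
KUBECONFIG_ARGS = ["--region", "us-west-2", "eks", "get-token", "--cluster-name", "integ",
                   "--role", "arn:aws:iam::111122223333:role/temp"]
```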

Related

AWS DeviceFarm ScheduleRun always returns AccessDeniedException in cli

When I try to start a DeviceFarm run via CLI or API with an IAM user, I'm always getting the following error:
An error occurred (AccessDeniedException) when calling the ScheduleRun operation: User: <user-arn> is not authorized to perform: devicefarm:ScheduleRun on resource: <upload-arn>
It happens regardless of user permissions, even on a user who has the AdministratorAccess policy attached. Policy json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
The command I'm trying to run:
aws devicefarm schedule-run --region=us-west-2 --project-arn=<project-arn> --test='type=APPIUM_PYTHON,testPackageArn=<package-arn>,testSpecArn=<spec-arn>'
However I can still start the run manually via the web AWS console.

Using AWS federated identity from Github Action to assume role in another AWS account

I have 2 AWS accounts, source and destination. AWS OIDC federation is configured so that I can use the token from Github Action to login to AWS using the official action:
- name: configure aws credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    role-to-assume: arn:aws:iam::<source account id>:role/role-A
    aws-region: us-east-1
Now, I want to use Terraform to manage resources on both accounts, source and destination. I followed a guide to allow role-A to assume role-B in the destination account.
I am getting a weird error:
Error: 022-08-31T09:28:04.246] [ERROR] default -
Error: error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::<destination account id>:role/role-B) cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 7227d0e8-e955-45ac-8f08-fc48699564e3, api error AccessDenied: User: arn:aws:sts::<source account id>:assumed-role/role-A/GitHubActions is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<destination account id>:role/role-B
with provider["registry.terraform.io/hashicorp/aws"].security,
on cdk.tf.json line 4125, in provider.aws[1]:
4125: }
I can't figure out what the problem is. Role A has the following IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<destination account id>:role/role-B"
    }
  ]
}
I'd appreciate help figuring out why the request is failing... It seems like everything is configured correctly...
Edit:
Added the trust policy for Role B:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<source account id>:role/role-A"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

AWS group user not allowed to assume role - access denied

I have a user and I'm trying to impersonate a role for running a service on Kubernetes. However, when I tried using STS to assume the role, I get the following error:
$ aws sts assume-role --role-arn "arn:aws:iam::{ACCOUNT_ID}:role/service-myservice" --role-session-name AWSCLI-Session
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::{ACCOUNT_ID}:user/me is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{ACCOUNT_ID}:role/service-myservice
I find this odd because this user belongs to a user group with the AdministratorAccess permission attached to it, which should give it access to anything on AWS. This is it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
So, what am I doing wrong here?
What you have here is the IAM policy attached to this User, aka what this user is able to do.
You need to set the Trust Relationship as well. This defines which resources or principals are able to use this role/user. Could be Lambda, EC2 or, in your case, an IAM User.
See here for example.
The IAM User/Role (in that case, role) you want to assume must have the Trust Relationship as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account_id>:role/<role_name>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Not authorized to perform: sts:AssumeRole on resource

I'm trying to use kubectl to work on an EKS cluster created by another user.
I followed the different instructions from the documentation to create the kube config file with the command: aws eks --region eu-central-1 update-kubeconfig --name internal --role-arn arn:aws:iam::xxxxxxxxxx:role/eks_role_internal.
Then when I try to test the configuration (kubectl get svc), I'm getting the error:
could not get token: AccessDenied: User: arn:aws:iam::xxxxxxxxxxxx:user/me is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxxx:role/eks_role_internal
Here is the config for the Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::xxxxxxxxxxx:role/eks_role_internal"
    }
  ]
}
And the trust relationship of the role :
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "eks.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
The first reason for getting this error message is a misconfigured trust relationship on the role that is going to be assumed.
I was also seeing this error when the condition in the trust relationship requiring MFA wasn't met:
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
The AWS CLI isn't smart enough to see this case and ask for the MFA code; it just throws that error message.
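The two checks described in the answers above (the caller's identity policy and the role's trust relationship, including the aws:MultiFactorAuthPresent condition), as an added example that is not from the original answers. It is a simplified offline model, not a full IAM policy evaluator; the ARNs and policies are constructed samples modelled on the questions above.

```python
from fnmatch import fnmatchcase
from typing import Dict

def _as_list(v):
    """IAM accepts a single string or a list in Action, Resource and Principal fields."""
    return v if isinstance(v, list) else [v]

def identity_allows(policy: Dict, role_arn: str) -> bool:
    """Check 1: does the caller's identity policy grant sts:AssumeRole on the role?"""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatchcase("sts:assumerole", a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(role_arn, r) for r in _as_list(st.get("Resource", "*"))):
            continue
        if st["Effect"] == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = True
    return allowed

def trust_allows(trust: Dict, caller_arn: str, mfa_present: bool) -> bool:
    """Check 2: does the trust policy name the caller as an AWS principal, MFA condition met?
    "Service" principals (eks.amazonaws.com, ec2.amazonaws.com) never match an IAM user."""
    for st in trust["Statement"]:
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        p = st["Principal"]
        principals = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if caller_arn not in principals and "*" not in principals:
            continue
        cond = st.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:MultiFactorAuthPresent", "false")).lower() == "true" and not mfa_present:
            continue  # the case in the answer above: the CLI reports AccessDenied, no MFA prompt
        return True
    return False

def can_assume(policy: Dict, trust: Dict, caller_arn: str, role_arn: str, mfa_present=False) -> str:
    """Both checks must pass; an AdministratorAccess identity policy alone is not enough."""
    if not identity_allows(policy, role_arn):
        return "denied: identity policy lacks sts:AssumeRole on the role"
    if not trust_allows(trust, caller_arn, mfa_present):
        return "denied: trust policy does not trust this caller or its MFA condition is unmet"
    return "allowed"

# Constructed samples modelled on the questions above.
USER = "arn:aws:iam::111122223333:user/me"
ROLE = "arn:aws:iam::111122223333:role/service-myservice"
ADMIN = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
TRUST_SERVICES = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["eks.amazonaws.com", "ec2.amazonaws.com"]}}]}
TRUST_USER_MFA = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": USER}, "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
```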

ecr token error for amazon aws docker registry

Here is my registry policy for my user :
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1494526914000",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
I have no MFA auth,
but when I try:
bussiere@kusanagi:~/Workspace/*****$ aws ecr get-login
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::*******:user/bussiere is not authorized to perform: ecr:GetAuthorizationToken on resource: *
bussiere@kusanagi:~/Workspace/*****$
thanks a lot and regards
Maybe unhelpful considering you seem to have the right policy, but the permissions aren't correct somehow. Do you have the region set, and are you using the keys for that user in the CLI? Also, as a test, does it work using the managed policy AmazonEC2ContainerRegistryPowerUser?
http://docs.aws.amazon.com/AmazonECR/latest/userguide/common-errors.html#error-unauthorized