Closed: hanfi closed this 3 years ago
Hi @hanfi,
I apologize for the delay. I'm not able to reproduce - can you provide a redacted debug log for me to review (remove any account IDs and other sensitive information, but replace them with something that allows me to still differentiate between the roles)? Thanks!
Greetings! It looks like this issue hasn’t been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.
aws eks update-kubeconfig --name MyClusterEks --region eu-west-3 --role-arn arn:aws:iam::XXXXXXXXXX:role/CICD --debug
2021-02-19 11:05:00,144 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.1.27 Python/3.9.1 Darwin/19.6.0 source/x86_64
2021-02-19 11:05:00,145 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['eks', 'update-kubeconfig', '--name', 'MyClusterEks', '--region', 'eu-west-3', '--role-arn', 'arn:aws:iam::XXXXXXXXXX:role/CICD', '--debug']
2021-02-19 11:05:00,183 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_s3 at 0x10c09a670>
2021-02-19 11:05:00,183 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_ddb at 0x10bef9310>
2021-02-19 11:05:00,183 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.configure.configure.ConfigureCommand'>>
2021-02-19 11:05:00,183 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x10be97a60>
2021-02-19 11:05:00,183 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x10bea39d0>
2021-02-19 11:05:00,184 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function alias_opsworks_cm at 0x10c0ac040>
2021-02-19 11:05:00,184 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_history_commands at 0x10bf47ee0>
2021-02-19 11:05:00,184 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.devcommands.CLIDevCommand'>>
2021-02-19 11:05:00,184 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_waiters at 0x10c0a7280>
2021-02-19 11:05:00,184 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/awscli/data/cli.json
2021-02-19 11:05:00,188 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_types at 0x10c0085e0>
2021-02-19 11:05:00,189 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function no_sign_request at 0x10c00b160>
2021-02-19 11:05:00,189 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_verify_ssl at 0x10c00b0d0>
2021-02-19 11:05:00,189 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_read_timeout at 0x10c00b280>
2021-02-19 11:05:00,189 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_connect_timeout at 0x10c00b1f0>
2021-02-19 11:05:00,189 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <built-in method update of dict object at 0x10c1452c0>
2021-02-19 11:05:00,189 - MainThread - botocore.session - DEBUG - Setting config variable for region to 'eu-west-3'
2021-02-19 11:05:00,194 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.1.27 Python/3.9.1 Darwin/19.6.0 source/x86_64 prompt/off
2021-02-19 11:05:00,195 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['eks', 'update-kubeconfig', '--name', 'MyClusterEks', '--region', 'eu-west-3', '--role-arn', 'arn:aws:iam::XXXXXXXXXX:role/CICD', '--debug']
2021-02-19 11:05:00,195 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_timestamp_parser at 0x10c09aca0>
2021-02-19 11:05:00,195 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x10bbc19d0>
2021-02-19 11:05:00,195 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_binary_formatter at 0x10c109700>
2021-02-19 11:05:00,195 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function no_pager_handler at 0x10bbbbc10>
2021-02-19 11:05:00,197 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x10bc283a0>
2021-02-19 11:05:00,200 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2021-02-19 11:05:00,208 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x10bf47dc0>
2021-02-19 11:05:00,208 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_json_file_cache at 0x10bef71f0>
2021-02-19 11:05:00,243 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/botocore/data/eks/2017-11-01/service-2.json
2021-02-19 11:05:00,245 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/botocore/data/eks/2017-11-01/service-2.sdk-extras.json
2021-02-19 11:05:00,248 - MainThread - botocore.hooks - DEBUG - Event building-command-table.eks: calling handler <function inject_commands at 0x10bfe61f0>
2021-02-19 11:05:00,248 - MainThread - botocore.hooks - DEBUG - Event building-command-table.eks: calling handler <function add_waiters at 0x10c0a7280>
2021-02-19 11:05:00,282 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/botocore/data/eks/2017-11-01/waiters-2.json
2021-02-19 11:05:00,283 - MainThread - botocore.hooks - DEBUG - Event building-command-table.eks_update-kubeconfig: calling handler <function add_waiters at 0x10c0a7280>
2021-02-19 11:05:00,285 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.update-kubeconfig.name: calling handler <awscli.paramfile.URIArgumentHandler object at 0x10c188b80>
2021-02-19 11:05:00,285 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.update-kubeconfig: calling handler <awscli.argprocess.ParamShorthandParser object at 0x10bbe7790>
2021-02-19 11:05:00,286 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.update-kubeconfig.kubeconfig: calling handler <awscli.paramfile.URIArgumentHandler object at 0x10c188b80>
2021-02-19 11:05:00,286 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.update-kubeconfig.role-arn: calling handler <awscli.paramfile.URIArgumentHandler object at 0x10c188b80>
2021-02-19 11:05:00,286 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.update-kubeconfig: calling handler <awscli.argprocess.ParamShorthandParser object at 0x10bbe7790>
2021-02-19 11:05:00,286 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.update-kubeconfig.dry-run: calling handler <awscli.paramfile.URIArgumentHandler object at 0x10c188b80>
2021-02-19 11:05:00,286 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.update-kubeconfig: calling handler <awscli.argprocess.ParamShorthandParser object at 0x10bbe7790>
2021-02-19 11:05:00,286 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.update-kubeconfig.verbose: calling handler <awscli.paramfile.URIArgumentHandler object at 0x10c188b80>
2021-02-19 11:05:00,286 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.update-kubeconfig: calling handler <awscli.argprocess.ParamShorthandParser object at 0x10bbe7790>
2021-02-19 11:05:00,286 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.update-kubeconfig.alias: calling handler <awscli.paramfile.URIArgumentHandler object at 0x10c188b80>
2021-02-19 11:05:00,287 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2021-02-19 11:05:00,287 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2021-02-19 11:05:00,287 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2021-02-19 11:05:00,287 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2021-02-19 11:05:00,287 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2021-02-19 11:05:00,288 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2021-02-19 11:05:00,289 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/botocore/data/endpoints.json
2021-02-19 11:05:00,295 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x10b2390d0>
2021-02-19 11:05:00,296 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.eks: calling handler <function add_generate_presigned_url at 0x10b1d9940>
2021-02-19 11:05:00,301 - MainThread - botocore.endpoint - DEBUG - Setting eks timeout as (60, 60)
2021-02-19 11:05:00,302 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.eks.DescribeCluster: calling handler <function base64_decode_input_blobs at 0x10c109e50>
2021-02-19 11:05:00,302 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.eks.DescribeCluster: calling handler <function generate_idempotent_uuid at 0x10b249160>
2021-02-19 11:05:00,303 - MainThread - botocore.hooks - DEBUG - Event before-call.eks.DescribeCluster: calling handler <function inject_api_version_header_if_needed at 0x10b24c9d0>
2021-02-19 11:05:00,303 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=DescribeCluster) with params: {'url_path': '/clusters/MyClusterEks', 'query_string': {}, 'method': 'GET', 'headers': {'User-Agent': 'aws-cli/2.1.27 Python/3.9.1 Darwin/19.6.0 source/x86_64 prompt/off command/eks.update-kubeconfig'}, 'body': b'', 'url': 'https://eks.eu-west-3.amazonaws.com/clusters/MyClusterEks', 'context': {'client_region': 'eu-west-3', 'client_config': <botocore.config.Config object at 0x10cd22a30>, 'has_streaming_input': False, 'auth_type': None}}
2021-02-19 11:05:00,303 - MainThread - botocore.hooks - DEBUG - Event request-created.eks.DescribeCluster: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x10cd22a00>>
2021-02-19 11:05:00,303 - MainThread - botocore.hooks - DEBUG - Event choose-signer.eks.DescribeCluster: calling handler <function set_operation_specific_signer at 0x10b249040>
2021-02-19 11:05:00,303 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth.
2021-02-19 11:05:00,304 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
GET
/clusters/MyClusterEks
host:eks.eu-west-3.amazonaws.com
x-amz-date:20210219T100500Z
host;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2021-02-19 11:05:00,304 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20210219T100500Z
20210219/eu-west-3/eks/aws4_request
aab55e52d160b77ee83b16f6a87df34987d14395f49f7dce907f4feacafc3619
2021-02-19 11:05:00,304 - MainThread - botocore.auth - DEBUG - Signature:
2166c5eb5703f8f591c28f3992c160bbb190181eb7107ad61868395d5f58a433
2021-02-19 11:05:00,304 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=GET, url=https://eks.eu-west-3.amazonaws.com/clusters/MyClusterEks, headers={'User-Agent': b'aws-cli/2.1.27 Python/3.9.1 Darwin/19.6.0 source/x86_64 prompt/off command/eks.update-kubeconfig', 'X-Amz-Date': b'20210219T100500Z', 'Authorization': b'AWS4-HMAC-SHA256 Credential=XXXXXXXXXXXXXXXXXX/20210219/eu-west-3/eks/aws4_request, SignedHeaders=host;x-amz-date, Signature=2166c5eb5703f8f591c28f3992c160bbb190181eb7107ad61868395d5f58a433'}>
2021-02-19 11:05:00,305 - MainThread - botocore.httpsession - DEBUG - Certificate path: /usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/botocore/cacert.pem
2021-02-19 11:05:00,305 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): eks.eu-west-3.amazonaws.com:443
2021-02-19 11:05:00,376 - MainThread - urllib3.connectionpool - DEBUG - https://eks.eu-west-3.amazonaws.com:443 "GET /clusters/MyClusterEks HTTP/1.1" 403 186
2021-02-19 11:05:00,376 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Fri, 19 Feb 2021 10:05:00 GMT', 'Content-Type': 'application/json', 'Content-Length': '186', 'Connection': 'keep-alive', 'x-amzn-RequestId': 'fd499ad2-a896-4df0-be32-6e56c34c3faa', 'x-amzn-ErrorType': 'AccessDeniedException', 'x-amz-apigw-id': 'a_MD8Fg4CGYFfxQ=', 'X-Amzn-Trace-Id': 'Root=1-602f8d4c-31afc22a7b2d8828457ae09b'}
2021-02-19 11:05:00,377 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"Message":"User: arn:aws:iam::XXXXXXXXXX:user/devops is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:eu-west-3:XXXXXXXXXX:cluster/MyClusterEks"}'
2021-02-19 11:05:00,378 - MainThread - botocore.hooks - DEBUG - Event needs-retry.eks.DescribeCluster: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x10cd67430>>
2021-02-19 11:05:00,378 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2021-02-19 11:05:00,378 - MainThread - botocore.hooks - DEBUG - Event after-call.eks.DescribeCluster: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x10cd22f70>>
2021-02-19 11:05:00,378 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
File "/usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/awscli/clidriver.py", line 457, in main
return command_table[parsed_args.command](remaining, parsed_args)
File "/usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/awscli/clidriver.py", line 586, in __call__
return command_table[parsed_args.operation](remaining, parsed_globals)
File "/usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/awscli/customizations/commands.py", line 191, in __call__
rc = self._run_main(parsed_args, parsed_globals)
File "/usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/awscli/customizations/eks/update_kubeconfig.py", line 122, in _run_main
new_cluster_dict = client.get_cluster_entry()
File "/usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/awscli/customizations/eks/update_kubeconfig.py", line 276, in get_cluster_entry
cert_data = self._get_cluster_description().get("certificateAuthority",
File "/usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/awscli/customizations/eks/update_kubeconfig.py", line 258, in _get_cluster_description
full_description = client.describe_cluster(name=self._cluster_name)
File "/usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/botocore/client.py", line 249, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/botocore/client.py", line 568, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::XXXXXXXXXX:user/devops is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:eu-west-3:XXXXXXXXXX:cluster/MyClusterEks
An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::XXXXXXXXXX:user/devops is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:eu-west-3:XXXXXXXXXX:cluster/MyClusterEks
To reproduce:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/CICD"
    }
  ]
}
While you are acting as your user (in my case called user/devops), run:
aws eks update-kubeconfig --name MyClusterEks --region eu-west-3 --role-arn arn:aws:iam::XXXXXXXXXX:role/CICD
The command doesn't use the provided role-arn to perform eks:DescribeCluster. It uses the user without assuming the role.
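The behaviour described above follows from where the CLI actually uses `--role-arn`: it is written into the kubeconfig's exec section as the `--role` argument of `aws eks get-token`, which kubectl runs later, while the DescribeCluster call made during update-kubeconfig itself runs with whatever credentials the session already has. The following Python is an added example for this thread, not the AWS CLI's own code and not hanfi's. It shows the generated exec arguments (the exact layout is an assumption; compare with your own generated file), a `~/.aws/config` stanza that makes the CLI assume the role for every call, and an STS AssumeRole wrapper. The `StubSTS` class, the account id 123456789012 and the profile names are constructed stand-ins so the block runs offline.

```python
"""Where --role-arn goes, and how to make DescribeCluster run under the role.

Added example for this thread; not the AWS CLI's code. The exec argument
layout mirrors what `aws eks update-kubeconfig` writes (an assumption to
verify against a generated kubeconfig).
"""
import re


def kubeconfig_exec_args(cluster_name, region, role_arn=None):
    """Exec arguments kubectl will run later to obtain a token.

    The role appears only here: kubectl assumes it at token time. The
    DescribeCluster call made while *writing* the kubeconfig uses the
    credentials the CLI session already has (env vars, --profile, ...).
    """
    args = ["--region", region, "eks", "get-token", "--cluster-name", cluster_name]
    if role_arn:
        args += ["--role", role_arn]
    return args


def role_profile_config(profile, role_arn, source_profile, region):
    """~/.aws/config stanza: with --profile <profile> the CLI assumes the role
    for every API call, DescribeCluster included (the "add the profile" fix)."""
    return (
        f"[profile {profile}]\n"
        f"role_arn = {role_arn}\n"
        f"source_profile = {source_profile}\n"
        f"region = {region}\n"
    )


def assume_role_env(sts_client, role_arn, session_name="eks-update-kubeconfig"):
    """Assume the role through an STS client (boto3's, or StubSTS below) and
    return the three variables the CLI reads from the environment; exporting
    them before update-kubeconfig makes DescribeCluster run as the role."""
    resp = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    creds = resp["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


class StubSTS:
    """Constructed stand-in for boto3's STS client so the example runs offline.
    It validates the ARN shape, records the request and returns fake credentials."""

    _ROLE_ARN = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")

    def __init__(self):
        self.requested = None

    def assume_role(self, RoleArn, RoleSessionName):
        if not self._ROLE_ARN.fullmatch(RoleArn):
            raise ValueError(f"malformed role ARN: {RoleArn}")
        self.requested = (RoleArn, RoleSessionName)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "example-secret",
                                "SessionToken": "example-token"}}


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/CICD"  # placeholder account id
    print("exec args:", kubeconfig_exec_args("MyClusterEks", "eu-west-3", role))
    print(role_profile_config("cicd", role, "devops", "eu-west-3"))
    print("env from AssumeRole:", assume_role_env(StubSTS(), role))
```

With a real boto3 STS client in place of `StubSTS`, exporting the returned variables (or running the command with `--profile cicd` using the printed stanza) is what makes the DescribeCluster call in the debug log above carry the role's identity instead of `user/devops`.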
Also met this problem. My case:
aws eks --region ap-east-1 update-kubeconfig --name aws-hongkong-k8s --role-arn arn:aws:iam::xxxxx:role/AProject-Ops
An error occurred (UnrecognizedClientException) when calling the DescribeCluster operation: The security token included in the request is invalid. How to solve it?
I had that problem; I had to add the profile:
aws eks --region us-east-1 update-kubeconfig --name dev-01 --profile engr --role-arn arn:aws:iam::xxxx:role/eks-operator-role
@kdaily This issue is still there. How do I resolve it?
Same here,
aws eks --region ap-south-1 update-kubeconfig --name=test
An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::REDACTED:user/redacted.redacted is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:ap-south-1:REDACTED:cluster/test with an explicit deny
The user is directly attached with an inline policy containing the following JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "*"
    }
  ]
}
Having the same issue: An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User::
Please help if possible
@gitaacademy Check to see if there's a policy statement DenyAllActionsIfNot... in any policy attached to that user.
If such a policy statement exists, check for the action DescribeCluster; if it is not listed, add it to the action block.
In my case it was DenyAllIfNotMFA, which didn't have the DescribeCluster action.
So authenticating using awscli with MFA worked: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/#:~:text=It's%20a%20best%20practice%20to,must%20create%20a%20temporary%20session.
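The "with an explicit deny" wording in the error message a few comments up is the tell: a Deny statement matched the request, so adding Allow statements (like the inline policy posted above) cannot fix it, and an MFA-enforcing deny is a common source. As an added example, not AWS's policy evaluator and not code from this thread, here is a small Python simulator that reproduces IAM's Deny-over-Allow ordering for the policy features in play (Action/NotAction, Resource, Bool/BoolIfExists conditions), applies the "add the action to the deny's exception list" fix, and parses the AccessDeniedException text. The Deny document is constructed in the shape of AWS's documented MFA example, the Allow document is the one posted above, and the account id is a placeholder.

```python
"""Offline check: would this set of IAM policies let eks:DescribeCluster through?

Added example for this thread, not AWS's evaluator. It models only the rules
the thread needs: an explicit Deny beats any Allow, no matching Allow is an
implicit deny, NotAction inverts the action match, and Bool/BoolIfExists
conditions behave differently when the context key is missing.
"""
import copy
import fnmatch
import re

# Constructed: the inline Allow policy posted above.
ALLOW_EKS_READ = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["eks:DescribeCluster", "eks:ListClusters"],
                   "Resource": "*"}],
}

# Constructed MFA-enforcing deny. aws:MultiFactorAuthPresent is absent for plain
# access keys, so BoolIfExists makes the Deny apply whenever MFA is not in play.
DENY_IF_NO_MFA = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
                   "NotAction": ["iam:GetUser", "sts:GetSessionToken"],
                   "Resource": "*",
                   "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}],
}


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?') against one or more patterns."""
    if patterns is None:
        return False
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Bool and BoolIfExists only: a missing key satisfies BoolIfExists but
    fails Bool, which is exactly the difference the MFA pattern relies on."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False
                continue
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    if not _condition_holds(stmt.get("Condition"), context):
        return False
    if "Action" in stmt:
        action_hit = _matches(stmt["Action"], action)
    else:
        action_hit = not _matches(stmt.get("NotAction"), action)
    if "Resource" in stmt:
        resource_hit = _matches(stmt["Resource"], resource)
    else:
        resource_hit = not _matches(stmt.get("NotResource"), resource)
    return action_hit and resource_hit


def evaluate(policies, action, resource, context=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    context = context or {}
    decision = "implicit_deny"
    for policy in policies:
        statements = policy["Statement"]
        if isinstance(statements, dict):
            statements = [statements]
        for stmt in statements:
            if _statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "explicit_deny"  # Deny wins regardless of order
                decision = "allow"
    return decision


def exempt_from_deny(policy, action):
    """The fix suggested above: list the action in the NotAction of every Deny
    statement so the deny no longer covers it. Returns a new document."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if stmt.get("Effect") == "Deny" and "NotAction" in stmt:
            if action not in stmt["NotAction"]:
                stmt["NotAction"].append(action)
    return fixed


_DENIED = re.compile(r"User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)")


def parse_access_denied(message):
    """Extract principal, action and resource from an AccessDeniedException
    message; 'with an explicit deny' means a Deny statement matched."""
    m = _DENIED.search(message)
    if not m:
        return None
    return {"principal": m.group(1), "action": m.group(2), "resource": m.group(3),
            "explicit_deny": "with an explicit deny" in message}
```

Running `evaluate` with and without `{"aws:MultiFactorAuthPresent": "true"}` in the context reproduces both outcomes reported in this thread: the same user is denied with plain access keys and allowed once the session was obtained with MFA, while `exempt_from_deny` shows the alternative of carving `eks:DescribeCluster` out of the deny.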
Same issue here. I don’t have MFA enabled. Please reopen.
@demisx updated my comment, hope that helps.
Any updates on how to fix this issue?
Confirm by changing [ ] to [x] below to ensure that it's a bug:
Describe the bug
When creating a kubeconfig while I'm myUser:
aws eks update-kubeconfig --name MyCluster --region eu-west-1 --role-arn arn:aws:iam::XXXXXXXXX:role/myRole
It's supposed to build the kubeconfig and add the params, but I have this error:
An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::XXXXXXXXX:role:user/myUser is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:eu-west-1:XXXXXXX:cluster/cluster_name
The user running that command is not supposed to have any access; everything should be done by the role.
SDK version number: aws-cli/2.1.10 Python/3.9.1 Darwin/19.6.0 source/x86_64 prompt/off
Platform/OS/Hardware/Device: macOS 10.15.7
To Reproduce (observed behavior)
Expected behavior: the command should just build your kubeconfig, or use the provided role to DescribeCluster.