jtblin / kube2iam

kube2iam provides different AWS IAM roles for pods running on Kubernetes
BSD 3-Clause "New" or "Revised" License

default role needs to be self-assumed #235

Open jh-sz opened 4 years ago

jh-sz commented 4 years ago

Not sure if this is the expected behaviour. In my case, I have some pods that I just want to use the default role, but I am seeing errors like:

failed with error: NoCredentialProviders: no valid providers in chain. Deprecated

The logs from kube2iam pod, for the above container:

time="2019-10-29T11:59:26Z" level=warning msg="Using fallback role for IP 100.96.25.37"
time="2019-10-29T11:59:26Z" level=error msg="Error assuming role AccessDenied: User: arn:aws:sts::${account-id}:assumed-role/${my-default-role}/i-xxxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::${account-id}:role/${my-default-role}\n\tstatus code: 403" ns.name=kube-system 

Should this be getting the credentials from the wantedRole, if wantedRole is the same as the default? https://github.com/jtblin/kube2iam/blob/c39e3cb489537b9fe240e53ac194ab3bbea785af/server/server.go#L335-L342

Workaround: adding the role itself to its trust relationship seems to be working.

tycoles commented 4 years ago

@jh-sz Could you show how you're having the role self reference itself for the trust relationship? I've tried several things and none of them are working.

jh-sz commented 4 years ago

Hey @tycoles, I was just modifying that in the AWS console to prove that it's the case. But I believe you can use the AWS CLI update-assume-role-policy to do that. And if you were referring to Terraform, AFAIK I don't think that would work. Terraform only allows adding an assume-role policy on role creation, and you can't refer to a role that hasn't been created.

The way I have done it myself is to create a third role to fall back to, with the AWS permissions I need, and use that role as the --default in the kube2iam args.
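The workaround discussed above amounts to one trust-policy edit: the fallback role has to list its own role ARN as an sts:AssumeRole principal, because kube2iam assumes the fallback role with the node's instance-profile credentials, and when the fallback role is the node role that is a role assuming itself. Below is an added example (not kube2iam code and not something either poster wrote) that takes an existing trust policy document, adds that self-trust statement if it is missing, and leaves the document unchanged otherwise. The account id, role name and the sample node trust policy are constructed for the example and not taken from the issue.

```python
"""Add a self-trust statement to an IAM role's trust policy (added example).

kube2iam calls sts:AssumeRole on the fallback role using the node's
instance-profile credentials. If the fallback role *is* the node role,
IAM only allows that call when the role's trust policy names the role's
own ARN as a principal. This helper adds that statement idempotently.
"""
import json
from copy import deepcopy

# Hypothetical account id and role name, constructed for this example.
ACCOUNT_ID = "123456789012"
ROLE_NAME = "k8s-node-role"


def role_arn(account_id: str, role_name: str) -> str:
    """Build the role ARN as a plain string; no API lookup is needed."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def self_trust_statement(arn: str) -> dict:
    """Statement allowing the role identified by `arn` to assume the role."""
    return {
        "Sid": "AllowSelfAssume",
        "Effect": "Allow",
        "Principal": {"AWS": arn},
        "Action": "sts:AssumeRole",
    }


def _as_list(value) -> list:
    """IAM allows a single string or a list in several policy fields."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _principals(statement: dict) -> set:
    """Return the set of AWS principals (ARNs) a statement names."""
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return set()  # "Principal": "*" is not a role-ARN principal
    return set(_as_list(principal.get("AWS")))


def allows_self_assume(policy: dict, arn: str) -> bool:
    """True if some Allow statement lets `arn` call sts:AssumeRole."""
    for statement in _as_list(policy.get("Statement")):
        if (
            statement.get("Effect") == "Allow"
            and "sts:AssumeRole" in _as_list(statement.get("Action"))
            and arn in _principals(statement)
        ):
            return True
    return False


def add_self_trust(policy: dict, arn: str) -> dict:
    """Return a copy of `policy` that also trusts `arn`; idempotent."""
    updated = deepcopy(policy)
    # Normalise a single-statement document to the list form before appending.
    updated["Statement"] = _as_list(updated.get("Statement"))
    if not allows_self_assume(updated, arn):
        updated["Statement"].append(self_trust_statement(arn))
    return updated


# Constructed sample: the trust policy of a typical EC2 node role, which
# only lets the EC2 service assume it (hence the AccessDenied in the logs).
NODE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

if __name__ == "__main__":
    arn = role_arn(ACCOUNT_ID, ROLE_NAME)
    print(json.dumps(add_self_trust(NODE_TRUST_POLICY, arn), indent=2))
```

Write the printed document to a file and apply it with the AWS CLI: aws iam update-assume-role-policy --role-name k8s-node-role --policy-document file://trust.json. The principal is the role ARN (arn:aws:iam::ACCOUNT:role/NAME), not the assumed-role ARN that appears in the error message; IAM matches the role's sessions against the role ARN. Trusting itself gives the role no permissions it did not already have, but note what the fallback means: every pod without an iam.amazonaws.com/role annotation receives the default role's credentials, so a dedicated fallback role with only the permissions those pods need, as in the last comment, is the safer choice over reusing the node's role.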