jtblin / kube2iam

kube2iam provides different AWS IAM roles for pods running on Kubernetes
BSD 3-Clause "New" or "Revised" License

auto-discover-default-role assuming the same role itself seems unnecessary #327

Open nkk1 opened 2 years ago

nkk1 commented 2 years ago

So, we are not considering using the suggested https://github.com/jtblin/kube2iam#iam-roles

```json
      "Effect": "Allow",
      "Resource": "*"
```

and are instead using the exact roles to be assumed.

We noticed this error:

```
time="2021-10-25T10:15:15Z" level=error msg="Error assuming role AccessDenied: User: arn:aws:sts::acct:assumed-role/role-name/i-xxxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::acct:role/role-name\n\tstatus code: 403, request id: xxx" ns.name=default pod.iam.role="arn:aws:iam::acct:role/role-name" req.method=GET req.path=/latest/meta-data/iam/security-credentials/role-name req.remote=xxx
```

When kube2iam is run with --auto-discover-default-role and a pod does not have the annotation, it still assumes its own role instead. I am not sure if there are technical reasons for this, but doesn't it seem redundant? Can we not just leave it as is instead of assuming its own role again?

This would help reduce the number of STS calls, and we would also have one less role to be assumed.
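As an added illustration (not code from the kube2iam project or from this issue's author), a small check of whether a node role's identity policy covers the sts:AssumeRole calls kube2iam makes. The policies and role ARNs are constructed placeholders for the redacted values in the log above. It shows how an exact-role allow-list that omits the node's own role yields the AccessDenied case when --auto-discover-default-role falls back to that role, and how the same check flags an explicit Deny.

```python
import fnmatch

# Constructed ARNs standing in for the redacted "acct" / "role-name" values in the log.
NODE_ROLE = "arn:aws:iam::123456789012:role/kube2iam-node"
APP_ROLE = "arn:aws:iam::123456789012:role/payments-app"


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match ('*' and '?'); patterns may be a string or a list.
    Action names are case-insensitive in IAM, resource ARNs are not."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def allows_assume_role(policy, role_arn):
    """Evaluate an identity policy for sts:AssumeRole on role_arn.
    Simplified IAM logic: an explicit Deny wins, otherwise any Allow, otherwise
    implicit deny. Conditions and the target role's trust policy are out of scope."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], "sts:AssumeRole", fold_case=True):
            continue
        if not _matches(stmt["Resource"], role_arn):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def unpermitted_roles(policy, roles):
    """Roles kube2iam would fail to assume under `policy` (the 403 case above)."""
    return [r for r in roles if not allows_assume_role(policy, r)]


# Exact-role policy as the issue describes, but without the node role itself.
SCOPED_WITHOUT_SELF = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": [APP_ROLE]}]}

# Same policy with the node role added, which the fallback described above needs.
SCOPED_WITH_SELF = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": [APP_ROLE, NODE_ROLE]}]}

if __name__ == "__main__":
    for name, pol in (("without self", SCOPED_WITHOUT_SELF), ("with self", SCOPED_WITH_SELF)):
        print(name, "-> roles kube2iam cannot assume:", unpermitted_roles(pol, [APP_ROLE, NODE_ROLE]))
```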