mumoshu / kube-ssm-agent

Secure, access-controlled, and audited terminal sessions to EKS nodes without SSH
109 stars, 35 forks

using kube2iam #3

Open ghost opened 5 years ago

ghost commented 5 years ago

I'm attempting to use kube2iam to provide the necessary IAM permissions, instead of attaching them to the nodes.

Kube2iam logs show that the role is picked up:

time="2019-06-19T14:53:59Z" level=debug msg="Pod OnAdd" pod.iam.role=ssm-iam-role pod.name=ssm-agent-zww9f pod.namespace=kube-system pod.status.ip=172.16.64.133 pod.status.phase=Running

When I exec into the container, the role isn't being assumed:

$ kubectl exec -it -n kube-system ssm-agent-zww9f -- bash
bash-4.2# curl 169.254.169.254/latest/meta-data/iam/security-credentials/
bleh-worker-nodes-e649-NodeInstanceRole-381C6JNT9HTW
bash-4.2# exit
$ kubectl logs -n kube-system ssm-agent-zb5j9
2019/06/19 14:58:18 Failed to load instance info from vault. RegistrationKey does not exist.
Error occurred fetching the seelog config file path:  open /etc/amazon/ssm/seelog.xml: no such file or directory
Initializing new seelog logger
New Seelog Logger Creation Complete
2019-06-19 14:58:18 INFO Entering SSM Agent hibernate - AccessDeniedException: User: arn:aws:sts::###:assumed-role/bleh-worker-nodes-e649-NodeInstanceRole-381C6JNT9HTW/### is not authorized to perform: ssm:UpdateInstanceInformation on resource: arn:aws:ec2:us-east-1:###:instance/###
    status code: 400, request id: b206c901-f6c4-440e-b1c4-abdc3d46b949
2019-06-19 14:58:18 INFO Agent is in hibernate mode. Reducing logging. Logging will be reduced to one log per backoff period
MilanDasek commented 5 years ago

Hi,

you need to add the annotation (at least for kiam):

template:
  metadata:
    annotations:
      iam.amazonaws.com/role: %INSTANCE ROLE  (for example bleh-worker-nodes-e649-NodeInstanceRole-381C6JNT9HTW)
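A complete pod template carrying that annotation, as an added example that is not part of this thread or of kube-ssm-agent's own manifests. The DaemonSet name, the role name ssm-iam-role, the account id and the image reference are placeholders; the annotation key iam.amazonaws.com/role is the one both kube2iam and kiam read, and the namespace annotation in the second document is kube2iam's, used only when it runs with --namespace-restrictions.

```yaml
# Added example, not a manifest from kube-ssm-agent or from this issue.
# Placeholders (assumptions): the role name ssm-iam-role, the account id
# 123456789012 and the image reference.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ssm-agent
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: ssm-agent
  template:
    metadata:
      labels:
        app: ssm-agent
      annotations:
        # The key kube2iam and kiam key off. Without it the metadata proxy
        # answers with the node instance role, which is exactly what the curl
        # in the issue printed. A bare name is combined with kube2iam's
        # --base-role-arn; a full ARN such as
        # arn:aws:iam::123456789012:role/ssm-iam-role is also accepted.
        iam.amazonaws.com/role: ssm-iam-role
    spec:
      containers:
        - name: ssm-agent
          image: REPLACE_WITH_THE_KUBE_SSM_AGENT_IMAGE  # placeholder
---
# Only needed when kube2iam runs with --namespace-restrictions: the namespace
# must list the roles its pods may request, otherwise the pod annotation
# above is refused and the pod again ends up with the node role.
apiVersion: v1
kind: Namespace
metadata:
  name: kube-system
  annotations:
    iam.amazonaws.com/allowed-roles: |
      ["ssm-iam-role"]
```

Two things outside the manifest decide whether this works. The role named in the annotation must carry the SSM permission the hibernate message complains about (ssm:UpdateInstanceInformation, which the AmazonSSMManagedInstanceCore managed policy includes), and its trust policy must allow the node instance role to call sts:AssumeRole, because kube2iam obtains the pod's credentials by assuming the pod role from the node. Verify from inside the pod with the same curl as in the issue: the security-credentials listing should now print ssm-iam-role rather than the NodeInstanceRole. If it still prints the node role, the metadata traffic is not being intercepted at all: check that kube2iam runs with --iptables=true and the --host-interface that matches your CNI, and that the pod is not on hostNetwork, which bypasses the redirect.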