mumoshu / kube-ssm-agent

Secure, access-controlled, and audited terminal sessions to EKS nodes without SSH

Will this agent work with IRSA on EKS #9

Closed aaronj314 closed 4 years ago

aaronj314 commented 4 years ago

Hello,

We are looking to use IRSA with this agent. Do you happen to know if it will work? We don't want to have the role attached to the instance profile, but use Terraform to create the policies needed, and a service account created using eksctl and OIDC enabled. My tests show it's not working unless I attach my policy to the instance profile.

AccessDeniedException: User: arn:aws:sts::xxxxxxxxxx:assumed-role/eksctl-aj-project-nodegroup-ng-de-NodeInstanceRole-EUL6ROZRPHS9/i-xxxxxxxx is not authorized to perform: ssm:UpdateInstanceInformation on resource: arn:aws:ec2:us-east-1:xxxxxxxxxxxxx:instance/i-xxxxx

aaronj314 commented 4 years ago

It does work, just had the wrong roles set up :)
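
Added example (not part of the thread or of the kube-ssm-agent project): a small Python diagnostic that reads the AccessDeniedException quoted above and reports whether the denied call was made with the node's instance-profile credentials rather than an IRSA role. The function name `diagnose` is hypothetical; when run inside the agent pod it also checks the two environment variables that EKS injects for IRSA-enabled service accounts.

```python
import os
import re

# STS assumed-role principal as it appears in AWS AccessDenied messages.
ASSUMED_ROLE = re.compile(
    r"arn:aws[\w-]*:sts::(?P<account>\w+):assumed-role/"
    r"(?P<role>[\w+=,.@-]+)/(?P<session>[\w+=,.@-]+)"
)
DENIED_ACTION = re.compile(r"not authorized to perform: (?P<action>[\w-]+:\w+)")

# Variables the EKS pod identity webhook injects into IRSA-enabled pods.
IRSA_ENV = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")


def diagnose(error_text, env=None):
    """Report which identity made the denied call and whether IRSA is wired in."""
    env = os.environ if env is None else env
    principal = ASSUMED_ROLE.search(error_text)
    if principal is None:
        raise ValueError("no assumed-role principal found in error text")
    action = DENIED_ACTION.search(error_text)
    session = principal.group("session")
    return {
        "role": principal.group("role"),
        "session": session,
        "denied_action": action.group("action") if action else None,
        # EC2 instance-profile credentials use the instance ID as session name,
        # so this means the pod fell back to the node role instead of IRSA.
        "from_instance_profile": re.fullmatch(r"i-\w+", session) is not None,
        "irsa_env_missing": [name for name in IRSA_ENV if not env.get(name)],
    }


# Error text from the issue above (account and instance IDs are redacted there).
SAMPLE = (
    "AccessDeniedException: User: arn:aws:sts::xxxxxxxxxx:assumed-role/"
    "eksctl-aj-project-nodegroup-ng-de-NodeInstanceRole-EUL6ROZRPHS9/i-xxxxxxxx "
    "is not authorized to perform: ssm:UpdateInstanceInformation on resource: "
    "arn:aws:ec2:us-east-1:xxxxxxxxxxxxx:instance/i-xxxxx"
)

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

If `from_instance_profile` is true or `irsa_env_missing` is non-empty, the pod is not picking up the service-account role, so check the service account's role annotation and the role's OIDC trust policy before touching the instance profile.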