Open lemonshow opened 6 years ago
It looks like an issue with the roles: the role your Server is assuming when it attempts to request credentials on behalf of a client isn't able to assume the annotated role.
https://github.com/uswitch/kiam/pull/139 includes an update in the IAM documentation. Could you take a look through and see if anything helps you?
If not, it'd be useful to know:
1) The name of the role your server is assuming via the assume role flag.
2) The name of the role your Pod is attempting to assume.
3) That your server is running on nodes that can assume the role in 1).
4) That your role in 2) has a sufficient assume/trust policy that the role in 1) can assume it.
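As an added example of the fourth check in the list above (this is not code from kiam or from this thread): a small Python check that parses an IAM role's trust policy document and reports whether the server role is allowed to call `sts:AssumeRole` on it. The two role ARNs and all three policy documents are constructed placeholders; the "node-only" document shows the common shape that fails, where the annotated role trusts only the EC2 service and never the server role.

```python
"""Check whether an IAM role's trust policy lets the kiam server role assume it.

Added example, not code from the kiam project. Role ARNs and policy
documents below are constructed placeholders for illustration.
"""
import json

# Constructed placeholders for the two roles in the maintainer's checklist:
# 1) the role the kiam server assumes, 2) the role a Pod is annotated with.
SERVER_ROLE_ARN = "arn:aws:iam::111122223333:role/kiam-server-role"  # placeholder
POD_ROLE_ARN = "arn:aws:iam::111122223333:role/eks-alb-ingress-controller"  # placeholder

# Constructed sample: trusts only the EC2 service. Worker nodes can assume it,
# but the kiam server role cannot, which produces AccessDenied on AssumeRole.
NODE_ONLY_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}

# Constructed sample: explicitly trusts the server role, satisfying check 4.
SERVER_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": [SERVER_ROLE_ARN]},
         "Action": "sts:AssumeRole"}
    ],
}

# Constructed sample: an Allow that is overridden by an explicit Deny.
DENIED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": SERVER_ROLE_ARN},
         "Action": "sts:AssumeRole"},
        {"Effect": "Deny",
         "Principal": {"AWS": SERVER_ROLE_ARN},
         "Action": "sts:AssumeRole"},
    ],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def server_can_assume(trust_policy, server_role_arn):
    """Return True if the trust policy lets server_role_arn call sts:AssumeRole.

    Handles Principal given as "*", {"AWS": "<arn>"} or {"AWS": [..]}.
    An explicit Deny wins over any Allow, as in IAM evaluation. Account-root
    principals ("...:root") are deliberately not treated as a match, so the
    check is conservative rather than permissive.
    """
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if not any(p in ("*", server_role_arn) for p in principals):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def diagnose(trust_policy_json, server_role_arn, pod_role_arn):
    """Parse a trust policy JSON string and return a one-line verdict."""
    policy = json.loads(trust_policy_json)
    if server_can_assume(policy, server_role_arn):
        return f"OK: {server_role_arn} can assume {pod_role_arn}"
    return (f"MISSING TRUST: {pod_role_arn} does not allow sts:AssumeRole "
            f"from {server_role_arn}; add it as an AWS principal")


if __name__ == "__main__":
    for name, doc in (("node-only", NODE_ONLY_TRUST), ("server", SERVER_TRUST)):
        print(name, "->", diagnose(json.dumps(doc), SERVER_ROLE_ARN, POD_ROLE_ARN))
```

Run it against the trust policy exported from the annotated role (for example the JSON from `aws iam get-role`) to confirm check 4 before looking further; a node-only trust policy is the most common reason the server's AssumeRole call is denied even though the same role worked with a node-based setup.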
I am facing exactly the same problem on EKS while trying to get access to the AWS Elasticsearch service.
I am using the reference below for EKS: https://github.com/uswitch/kiam/pull/112/commits/3ad8aef0012cb321c46072d24a402f9d3655385a#diff-561cdf8ad04b51d17e7e72996f396697R7
Server/Agent are up.
For the configmap below:
I used KIAM to allow the ingress controller pod to create an ALB. It worked with kube2iam, but I see the AccessDenied below from the server:
Client log:
Here is my setting:
Ingress controller annotation:
A similar role worked for kube2iam; I wonder if I am getting what KIAM is looking for correctly.
My worker node policy, eks-node-instance:
My eks-alb-ingress-controller trust: