Open pingles opened 6 years ago
@pingles I am not sure if this is related or not but I am having difficulties getting the assume-role-arn to work
{"level":"error","msg":"error requesting credentials: AccessDenied: User: arn:aws:sts::034324643013:assumed-role/us-west-2-md-Controller/i-084d38eaacc983616 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::034324643013:role/us-west-2-md-Kiam\n\tstatus code: 403, request id: 01b4ba14-9af0-11e8-b9ba-c1a73e9c177a","pod.iam.role":"us-west-2-md-external-dns","time":"2018-08-08T09:47:04Z"}
us-west-2-md-Controller is the one that is created by kube-aws when the cluster spins
And we want to replace it with - --assume-role-arn=arn:aws:iam::034324643013:role/us-west-2-md-Kiam
Do we need to do something else to enable this?
@kevtaylor I think this is a different issue. Would you mind creating another and mentioning the release number please? What you're doing is what I'd expect to work so it's definitely a bug.
@pingles Thanks, will do
If the kiam server attempts to assume a role that doesn't exist the error message is currently reported as:
AccessDenied: Not authorized to perform sts:AssumeRole
It'd be nice to make it clearer that it failed because the role doesn't exist, rather than a trust policy issue etc.
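One way an operator could separate the two cases from the long-form log line quoted in the thread, as an added example (not kiam code and not from the issue's participants): parse the denial, then check whether the target role exists before looking at trust policies. The `role_exists` callback is hypothetical, for instance a wrapper around IAM `GetRole` run in the target account, and the sample log line is constructed.

```python
import json
import re

# Constructed sample shaped like the log line quoted in the thread
# (account id, role names and request id are placeholders).
SAMPLE = (
    r'{"level":"error","msg":"error requesting credentials: AccessDenied: '
    r'User: arn:aws:sts::111111111111:assumed-role/example-Controller/i-0abc '
    r'is not authorized to perform: sts:AssumeRole on resource: '
    r'arn:aws:iam::111111111111:role/example-Kiam\n\tstatus code: 403, '
    r'request id: constructed","pod.iam.role":"example-external-dns"}'
)

DENIED = re.compile(
    r"AccessDenied: User: (?P<caller>arn:aws:sts::(?P<caller_account>\d{12})"
    r":assumed-role/(?P<caller_role>[^/\s]+)/\S+) is not authorized to "
    r"perform: sts:AssumeRole on resource: "
    r"(?P<target>arn:aws:iam::(?P<target_account>\d{12}):role/"
    r"(?P<target_role>[\w+=,.@/-]+))"
)


def parse_denial(line):
    """Return caller/target fields from a kiam error log line, or None."""
    try:
        msg = json.loads(line).get("msg", "")
    except (ValueError, AttributeError):
        return None
    match = DENIED.search(msg)
    return match.groupdict() if match else None


def diagnose(line, role_exists):
    """Classify the denial. role_exists(name) -> bool is a hypothetical
    callback, e.g. a wrapper around IAM GetRole in the target account."""
    denial = parse_denial(line)
    if denial is None:
        return "unparsed"
    name = denial["target_role"].rsplit("/", 1)[-1]  # GetRole takes no path
    if not role_exists(name):
        return "target-role-missing"
    if denial["caller_account"] != denial["target_account"]:
        return "check-cross-account-trust-and-caller-policy"
    return "check-trust-policy-or-caller-policy"
```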