aws-iam-authenticator Unauthorized

2/18/2019

I am setting up a rolemap in aws-iam-authenticator within my kops Kubernetes cluster, but the user is getting access denied.

Log from aws-iam-authenticator pod:

time="2019-02-18T17:52:18Z" level=warning msg="access denied" arn="arn:aws:iam:::role/KubernetesView" client="127.0.0.1:52256" error="ARN is not mapped: arn:aws:iam:::role/kubernetesview" method=POST path=/authenticate

But the role is mapped in the config map:

$ kubectl describe configmaps aws-iam-authenticator | grep -A 5 ^server:
server:
  mapRoles:
  - roleARN: arn:aws:iam::<account id redacted>:role/KubernetesView
    username: kubernetes-view:{{SessionName}}
    groups:
    - system:masters

Actual error message:

$ kubectl get pods -n kube-system
error: You must be logged in to the server (Unauthorized)

-- San Pal
amazon-eks
kops
kubernetes

0 Answers