I'm having trouble creating a role for kube2iam, everything seems to work fine I deploy the stack with the role and the pods spin up but whenever a pod tries to perform an authorized action (put an item into dynamo in this case) I get an error that the assumed role is not authorized. Here's the snippet that creates the role:
ServiceRole:
Type: "AWS::IAM::Role"
Properties:
RoleName:
Ref: StackName
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "ec2.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
- PolicyName:
Ref: StackName
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- dynamodb:PutItem
Resource:
Fn::GetAtt: [Table, Arn]
The table is elsewhere in the same stack and deploys just fine. I deployed kube2iam via a helm chart
The error I get is:
User: arn:aws:sts::<BLAHBLAH>:assumed-role/nodes.k8s.logint.cimpress.io/<BLAHBLAH> is not authorized to perform: dynamodb:PutItem on resource <BLAHBLAH>
I also tried this for the assume role:
- Effect: "Allow"
Principal:
AWS: "arn:aws:iam::<BLAHBLAH>:role/nodes.<BLAHBLAH>"
Action:
- "sts:AssumeRole"
I still get the same error