Cloudformation for a kube2iam role

3/7/2019

I'm having trouble creating a role for kube2iam. Everything seems to work fine: I deploy the stack with the role and the pods spin up, but whenever a pod tries to perform an authorized action (put an item into dynamo in this case) I get an error that the assumed role is not authorized. Here's the snippet that creates the role:

ServiceRole:
  Type: "AWS::IAM::Role"
  Properties:
    RoleName:
      Ref: StackName
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Principal:
          Service:
          - "ec2.amazonaws.com"
        Action:
        - "sts:AssumeRole"
    Path: "/"
    Policies:
    - PolicyName:
        Ref: StackName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - dynamodb:PutItem
            Resource:
              Fn::GetAtt: [Table, Arn]

The table is elsewhere in the same stack and deploys just fine. I deployed kube2iam via a helm chart.

The error I get is:

User: arn:aws:sts::<BLAHBLAH>:assumed-role/nodes.k8s.logint.cimpress.io/<BLAHBLAH> is not authorized to perform: dynamodb:PutItem on resource <BLAHBLAH>

I also tried this for the assume role:

- Effect: "Allow"
  Principal:
    AWS: "arn:aws:iam::<BLAHBLAH>:role/nodes.<BLAHBLAH>"
  Action:
    - "sts:AssumeRole"

I still get the same error.

-- Lev Kuznetsov
amazon-cloudformation
amazon-iam
kubernetes
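An added diagnostic script, not part of the question and not kube2iam's own code, that checks the two things the error message and the trust policy tell you. kube2iam runs on the node and uses the node's instance credentials to call sts:AssumeRole on the pod role, so the pod role's trust policy must name the node role as an AWS principal (a Service: ec2.amazonaws.com principal only covers the instance profile). Separately, the principal printed in an AccessDenied error is the role whose credentials actually made the call: if it decodes to the node role rather than the pod role, the request never went through an assumed role at all, which points at the pod annotation (`iam.amazonaws.com/role`) or the agent's interception rather than at the trust policy. The account id, role names and session id below are constructed placeholders.

```python
"""Offline checks for a kube2iam pod role (added example; constructed sample values)."""
import re
from typing import Any, Dict, List

# Constructed placeholders: not real accounts or roles.
NODE_ROLE_ARN = "arn:aws:iam::123456789012:role/nodes.example.internal"
POD_ROLE_ARN = "arn:aws:iam::123456789012:role/my-stack"

# Shape of the principal printed in an AccessDenied error:
#   arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
STS_ARN_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")

# Trust policy as written in the question (Service principal only).
TRUST_POLICY_EC2_ONLY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["ec2.amazonaws.com"]},
        "Action": ["sts:AssumeRole"],
    }],
}

# Trust policy that lets the node role assume the pod role (what kube2iam needs).
TRUST_POLICY_NODE_ROLE: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": NODE_ROLE_ARN},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_role_arn(sts_arn: str) -> str:
    """Map an STS assumed-role ARN back to the IAM role ARN that holds the credentials."""
    match = STS_ARN_RE.match(sts_arn)
    if not match:
        raise ValueError(f"not an assumed-role STS ARN: {sts_arn}")
    account, role_name = match.groups()
    return f"arn:aws:iam::{account}:role/{role_name}"


def trusts_node_role(trust_policy: Dict[str, Any], node_role_arn: str) -> bool:
    """True if an Allow statement lets node_role_arn call sts:AssumeRole on this role."""
    account = node_role_arn.split(":")[4]
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        aws_principals = _as_list(principal.get("AWS", []))
        # The node role itself, a wildcard, or the account root (which covers every role in it).
        if node_role_arn in aws_principals or "*" in aws_principals:
            return True
        if f"arn:aws:iam::{account}:root" in aws_principals:
            return True
    return False


def diagnose(error_principal: str, pod_role_arn: str, node_role_arn: str,
             trust_policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for an AccessDenied error from a kube2iam pod."""
    findings: List[str] = []
    caller = principal_role_arn(error_principal)
    if caller == node_role_arn:
        findings.append("call was made with the node role's credentials: kube2iam did not "
                        "substitute the pod role (check the iam.amazonaws.com/role annotation "
                        "and that the agent is intercepting metadata requests)")
    elif caller != pod_role_arn:
        findings.append(f"call was made by an unexpected role: {caller}")
    if not trusts_node_role(trust_policy, node_role_arn):
        findings.append("pod role trust policy does not allow the node role to assume it "
                        "(needs an AWS principal naming the node role, not only "
                        "Service: ec2.amazonaws.com)")
    return findings


if __name__ == "__main__":
    # Constructed error principal in the same form as the one in the question.
    err = "arn:aws:sts::123456789012:assumed-role/nodes.example.internal/i-0abc123"
    for finding in diagnose(err, POD_ROLE_ARN, NODE_ROLE_ARN, TRUST_POLICY_EC2_ONLY):
        print("-", finding)
```

Run against the question's situation, the script reports both findings for the first trust policy; with the node role added as an AWS principal (the asker's second attempt) only the first finding remains, which is consistent with the error not changing: the trust policy was never what the failing call exercised.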

0 Answers