K
Q

Cloudformation for a kube2iam role

3/7/2019

I'm having trouble creating a role for kube2iam, everything seems to work fine I deploy the stack with the role and the pods spin up but whenever a pod tries to perform an authorized action (put an item into dynamo in this case) I get an error that the assumed role is not authorized. Here's the snippet that creates the role:

ServiceRole:
  Type: "AWS::IAM::Role"
  Properties:
    RoleName:
      Ref: StackName
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Principal:
          Service:
          - "ec2.amazonaws.com"
        Action:
        - "sts:AssumeRole"
    Path: "/"
    Policies:
    - PolicyName:
        Ref: StackName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - dynamodb:PutItem
            Resource:
              Fn::GetAtt: [Table, Arn]

The table is elsewhere in the same stack and deploys just fine. I deployed kube2iam via a helm chart

The error I get is:

User: arn:aws:sts::<BLAHBLAH>:assumed-role/nodes.k8s.logint.cimpress.io/<BLAHBLAH> is not authorized to perform: dynamodb:PutItem on resource <BLAHBLAH>

I also tried this for the assume role:

- Effect: "Allow"
  Principal:
    AWS: "arn:aws:iam::<BLAHBLAH>:role/nodes.<BLAHBLAH>"
  Action:
    - "sts:AssumeRole"

I still get the same error

-- Lev Kuznetsov
amazon-cloudformation
amazon-iam
kubernetes

Similar Questions

How do I set multiple commands in config.yaml in kubernetes?
Unable to setup kuberenetes with VM binded with Public IP
WaitForFirstConsumer PersistentVolumeClaim waiting for first consumer to be created before binding
Tagging Docker image (SemVer)
Not able to run kubectl cp command in Argo workflow

0 Answers