Using role in aws-auth config-map

12/3/2019

I'm using this Terraform module to create an EKS cluster: https://github.com/terraform-aws-modules/terraform-aws-eks

Then I created an additional role and added it to the map_roles input, similar to the example in the repo (my role is for using CloudWatch):

{
    rolearn  = "arn:aws:iam::66666666666:role/role1"
    username = "role1"
    groups   = ["system:masters"]
}

I can verify that the role is added to the aws-auth config map together with a role created by the module.

I got this error when the app tried to use CloudWatch:

User: arn:aws:sts::xxx:assumed-role/yyy/zzz is not authorized to perform: logs:DescribeLogGroups on resource: arn:aws:logs:xxx:yyy:log-group::log-stream

The User ARN in the error message has the yyy part matching the role ARN created by the module. So I thought I'm using the wrong role? If so, how can I choose the correct credential? (I'm using .NET Core, creating AmazonCloudWatchLogsClient without specifying any credential.)

When I manually edit that role and add the logs permission, the app works. I'm not sure if it's the right way; if so, how can I add the permission in Terraform?

-- Tubc
.net-core
amazon-eks
amazon-web-services
kubernetes
terraform

1 Answer

12/6/2019

I ended up pulling the EKS module to local and adding more policies to the existing role:

resource "aws_iam_policy" "my_new_policy" {
  name_prefix = "eks-worker-my_new_policy-${aws_eks_cluster.this.name}"
  description = "EKS worker node my_new_policy policy for cluster ${aws_eks_cluster.this.name}"
  policy      = data.aws_iam_policy_document.my_new_policy.json
  path        = var.iam_path
}

data "aws_iam_policy_document" "my_new_policy" {
  statement {
    sid    = "my_new_policy"
    effect = "Allow"

    actions = [
      "logs:DescribeLogGroups"
    ]

    resources = ["*"]
  }
}
-- Tubc
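
Added example (not part of the original answer or the module's own code): granting the same CloudWatch Logs permission to the worker node role from the root configuration, without editing a local copy of the module. The variable `worker_role_name` and the resource names are hypothetical; set the variable to the role name that appears as yyy in the error message.

```hcl
# Added example; all names below are hypothetical, not taken from the module.

# Name of the worker node IAM role the module created (the "yyy" part of the
# assumed-role ARN in the "not authorized" error).
variable "worker_role_name" {
  type = string
}

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "worker_cloudwatch_logs" {
  statement {
    sid     = "DescribeLogGroups"
    effect  = "Allow"
    actions = ["logs:DescribeLogGroups"]

    # Scoped to log groups in this account and region rather than "*".
    resources = [
      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*",
    ]
  }
}

resource "aws_iam_policy" "worker_cloudwatch_logs" {
  name_prefix = "eks-worker-cloudwatch-logs-"
  description = "Lets EKS worker nodes call logs:DescribeLogGroups"
  policy      = data.aws_iam_policy_document.worker_cloudwatch_logs.json
}

# A managed policy grants nothing until it is attached to a role.
resource "aws_iam_role_policy_attachment" "worker_cloudwatch_logs" {
  role       = var.worker_role_name
  policy_arn = aws_iam_policy.worker_cloudwatch_logs.arn
}
```

Every pod scheduled on those nodes can use this permission through the node's instance profile, so keep the action list as narrow as the application needs.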
Source: StackOverflow