K
Q

Unable to Authenticate with AWS while integrating GitLab with EKS

8/30/2020

Was trying to integrate GitLab 13.3.2 CE (deployed on On-Prem server) with EKS.

First I provided the Account ID, Access Key and Secret Key. (Admin Area -> Settings -> Integrations) Also Enabled EKS Integration.

Secondly I created an IAM role in the respective account with the policies mentioned in the link specified. (https://docs.gitlab.com/ce/user/project/clusters/add_eks_clusters.html) Followed all the steps mentioned in this link meticulously.

Policy attached to the aws iam role,

Following were the steps to create the IAM Role,

  1. Logged in to IAM Console
  2. Clicked on Roles section in the left menu.
  3. Select Type of Trusted Entity as "Another AWS account"
  4. Filled in the Account ID
  5. Provided the External ID mentioned in GitLab Project's Kubernetes console

Clicked on the Respective Project, Operations -> Kubernetes -> Add Kubernetes Cluster -> Create New Cluster on Amazon EKS

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DescribeLaunchConfigurations",
                "cloudformation:CreateStack",
                "cloudformation:DescribeStacks",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:createTags",
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRegions",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "eks:CreateCluster",
                "eks:DescribeCluster",
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:CreateInstanceProfile",
                "iam:CreateServiceLinkedRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:PassRole",
                "ssm:GetParameters"
            ],
            "Resource": "*"
        }
    ]
}

After this I copied the ARN of the newly created role and Used it in My Project's Kubernetes section. ()

Had got this as the response Error: Request failed with status code 422

Response after clicking on "Authenticate with AWS"

-- PRANAV
amazon-eks
amazon-web-services
gitlab
gitlab-ce
kubernetes

Similar Questions

Kubernetes cronjob email alerts
Kibana service appearing pending
launching multiple kafka broker fails
Azure External Load Balancer and Kubernetes cluster
Can later ingress subpaths override earlier ingress parent paths?

1 Answer

8/30/2020

Attached this policy to the user whose access key and secret key was used while enabling EKS in GitLab.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<<account-id>>:role/gitlab-eks-4"
    }
}

This gives the user the privilege to assume the gitlab-eks role (which has been created and whose ARN has been given while EKS integration)

-- PRANAV
Source: StackOverflow