Cross account CodePipeline for EKS deployment

8/6/2021

I want to deploy Kubernetes service/deployment YAML files from CodePipeline, which is in account A, to an EKS cluster that is in account B.

I tried the following approach.

On Account A:

  • Created an assume-role policy and attached it to the CodeBuild role that is associated with the CodePipeline.
  • Passed the role name from account A in the assume-role policy, which has EKS full access.

On Account B:

  • Created a role with access to the EKS cluster.
  • Added the above role ARN to the Kubernetes config with system:masters permissions.

Buildspec file from Account A:

version: 0.2
run-as: root

phases:

  install:
    commands:
      - echo Installing app dependencies...
      - curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.18.9/2020-11-02/bin/darwin/amd64/kubectl
      - chmod +x ./kubectl
      - mkdir -p $HOME/bin && cp ./kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin
      - echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc
      - source ~/.bashrc
      - echo 'Check kubectl version'
      - kubectl version --short --client
      #- chmod +x eks_cicd/prereqs.sh
      #- sh eks_cicd/prereqs.sh

  build:
    commands:
      - echo Logging in to Amazon EKS...
      - aws sts get-caller-identity
      - aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name $AWS_CLUSTER_NAME --role-arn $ASSUMEROLE_ARN
      - echo check config
      - kubectl config view --minify
      - echo check kubectl access
      - kubectl get svc

  post_build:
    commands:
      - kubectl apply -f ingress.yml
      #- kubectl rollout restart -f eks_cicd/deployment.yaml

But I'm getting this error:

An error occurred (ResourceNotFoundException) when calling the DescribeCluster operation: No cluster found for name: DevCluster.
-- SUBHAS PATIL
amazon-eks
aws-codebuild
aws-codepipeline
eksctl
kubernetes

1 Answer

8/7/2021

As far as I can tell you are still in account A.

The role for CodeBuild (role 1) needs to be in account A.

The role with access to run 'aws eks' (role 2) and the role you want to pass to EKS via '--role-arn' (role 3) both need to be in account B.

Point 1

Role 1 needs to have iam:AssumeRole permission to assume role 2.

You need to actively assume it via a script in your codebuild buildspec and set the following variables in your environment.

  • aws access key
  • secret access key
  • session token

See here for an example of an assume role script:

https://dannys.cloud/create-reusable-assume-role-script-cross-account-aws

Point 2

The AssumeRolePolicyDocument for role 2 needs to permit role 1 to assume it.

      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${DeployMentsAccountId}:role/${CodeBuildRoleName}
            Action:
              - sts:AssumeRole

It then needs the permission to run eks, etc.

It also needs iam:PassRole on role 3.

Point 3

Your cluster role ( role 3 ) (see https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html)

-- Ronan Cunningham
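An added example of the assume-role step the answer describes (this is not code from the question or the answer): the CodeBuild job in account A assumes role 2 in account B, exports the three credential variables, confirms the caller is now in account B, and only then runs update-kubeconfig with role 3. The role name EksDeployRole, the EKS_ACCOUNT_ID variable and the credential-parsing helper are assumptions; the other variable names are the ones used in the question's buildspec.

```shell
# Added example (not from the question or answer): assume role 2 in account B
# from the account A CodeBuild job, then run update-kubeconfig as that role.
# EksDeployRole, EKS_ACCOUNT_ID and the credential values are placeholders.
set -eu

# Turn the tab-separated line produced by
#   aws sts assume-role ... --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
# into the three variables the AWS CLI (and kubectl's aws credential plugin)
# read. Returns 1 if the line does not carry exactly three fields.
export_sts_credentials() {
  old_ifs=$IFS
  IFS=$(printf '\t')
  set -f; set -- $1; set +f   # split on tabs only, no globbing
  IFS=$old_ifs
  if [ "$#" -ne 3 ]; then
    echo "assume-role output did not contain three credential fields" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}

# Assume role 2 with role 1's CodeBuild credentials. Session names may not
# contain ':', so CODEBUILD_BUILD_NUMBER is used instead of CODEBUILD_BUILD_ID.
assume_role() {
  creds=$(aws sts assume-role \
    --role-arn "$1" \
    --role-session-name "codebuild-${CODEBUILD_BUILD_NUMBER:-local}" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)
  export_sts_credentials "$creds"
}

# DescribeCluster must be called from account B, so check the caller's account.
caller_is_account() {
  [ "$(aws sts get-caller-identity --query Account --output text)" = "$1" ]
}

deploy() {
  # EKS_ACCOUNT_ID is account B, EksDeployRole is role 2, and ASSUMEROLE_ARN
  # is role 3 (the ARN mapped in aws-auth with system:masters).
  assume_role "arn:aws:iam::${EKS_ACCOUNT_ID}:role/EksDeployRole"
  caller_is_account "$EKS_ACCOUNT_ID" || { echo "still not in account B" >&2; exit 1; }
  aws eks --region "$AWS_DEFAULT_REGION" update-kubeconfig \
    --name "$AWS_CLUSTER_NAME" --role-arn "$ASSUMEROLE_ARN"
  kubectl get svc
}

# Run the deployment only when invoked as: sh deploy.sh deploy
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

In the buildspec this would replace the single update-kubeconfig line in the build phase, with EKS_ACCOUNT_ID added as a CodeBuild environment variable.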
Source: StackOverflow