
Access from within EKS from another account still results in Access Denied #1

Open
jeffbeagley opened this issue Feb 21, 2023 · 3 comments

Comments

@jeffbeagley
Copy link

I have the following resources in Account A:

  • kubernetes service account
  • service account has annotation for an IAM role within Account A
  • IAM Role has allow action for sts:AssumeRole of the Role in Account B

Account B has the following:

  • your CloudFormation template with principal set to IAM Role from Account A

I provided the External ID and new IAM Role's ARN from Account B into Grafana that is running within Account A and I still receive the following

User: arn:aws:sts::<accountA>:assumed-role/monitoring-role/<session> is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<AccountB>:role/monitoring-role-dev

Have you gotten this to work from EKS?

@jangaraj
Copy link
Member

EKS is different. You need a different trust policy - https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html

@AlKapkone
Copy link

Hi, @jangaraj @jeffbeagley
I also wanted to assume a remote role in Account A from the Grafana pod deployed in the EKS cluster in Account B, but have the same issue.
I used these docs but they don't work - https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html
Do you have any ideas?

CloudWatch metrics query failed: AccessDenied: User: arn:aws:sts::123456789:assumed-role/ondemand-eks-node-group/i-fdksfkdsfdfdsfds is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::987654321:role/grafana-cross-account-role status code: 403

@AlKapkone
Copy link

I annotated my service account with a remote role:

Annotations:         eks.amazonaws.com/role-arn: arn:aws:iam::987654321:role/grafana-cross-account-role

And in account A I configured an IAM role and OIDC provider for my EKS cluster:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:default:my-service-account",
                    "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
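An added diagnostic example, not code from this issue or from the Grafana project: it parses an STS AccessDenied line of the shape posted above and checks it against an IRSA trust policy like the one above. Both inputs are constructed from the text in this thread (the trust policy is the AWS documentation example with its placeholder account and OIDC ids, so the checker has mismatches to report). The session-name heuristic in `caller_kind` and the service-account name passed to `diagnose` are assumptions of this example.

```python
import re

# Constructed sample input: the AccessDenied text as the CloudWatch datasource reports it
# (copied from the comment above; account ids in the thread are placeholders).
ERROR_LINE = (
    "CloudWatch metrics query failed: AccessDenied: User: "
    "arn:aws:sts::123456789:assumed-role/ondemand-eks-node-group/i-fdksfkdsfdfdsfds "
    "is not authorized to perform: sts:AssumeRole on resource: "
    "arn:aws:iam::987654321:role/grafana-cross-account-role status code: 403"
)

# Constructed sample input: the IRSA trust policy from the AWS docs, as posted above.
OIDC = "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    f"{OIDC}:sub": "system:serviceaccount:default:my-service-account",
                    f"{OIDC}:aud": "sts.amazonaws.com",
                }
            },
        }
    ],
}

ERROR_RE = re.compile(
    r"User: (?P<caller>arn:aws:sts::\d+:assumed-role/\S+) is not authorized "
    r"to perform: (?P<action>sts:\w+) on resource: (?P<target>arn:aws:iam::\d+:role/\S+)"
)


def _as_list(value):
    """IAM allows a string or a list in Action/Principal/Condition values."""
    return value if isinstance(value, list) else [value]


def _account(arn):
    """Account id is the 5th colon-separated field of an ARN."""
    return arn.split(":")[4]


def parse_access_denied(msg):
    """Extract caller ARN, attempted action and target role ARN from the STS error."""
    m = ERROR_RE.search(msg)
    if not m:
        raise ValueError("not an STS AccessDenied message")
    return m.groupdict()


def caller_kind(caller_arn):
    """Heuristic (assumption): instance-profile credentials use the EC2 instance id
    as the session name, so a session starting with 'i-' means the pod fell back to
    the node role instead of a web identity token."""
    session = caller_arn.rsplit("/", 1)[-1]
    return "instance-profile" if session.startswith("i-") else "assumed-role"


def allowed_actions(policy):
    acts = set()
    for s in policy["Statement"]:
        if s.get("Effect") == "Allow":
            acts.update(_as_list(s.get("Action", [])))
    return sorted(acts)


def federated_providers(policy):
    return [s["Principal"]["Federated"] for s in policy["Statement"]
            if isinstance(s.get("Principal"), dict) and "Federated" in s["Principal"]]


def expected_subjects(policy):
    subs = []
    for s in policy["Statement"]:
        for key, val in s.get("Condition", {}).get("StringEquals", {}).items():
            if key.endswith(":sub"):
                subs.extend(_as_list(val))
    return subs


def diagnose(msg, policy, service_account):
    """Return findings explaining why the call in msg cannot match policy."""
    info = parse_access_denied(msg)
    findings = []
    acts = allowed_actions(policy)
    if info["action"] not in acts:
        findings.append(f"trust policy allows {acts}, but the caller attempted {info['action']}")
    if caller_kind(info["caller"]) == "instance-profile":
        findings.append("caller session looks like an EC2 instance id: the pod used the node role, "
                        "not a web identity token (check the eks.amazonaws.com/role-arn annotation "
                        "and that the pod was created after it was added)")
    for prov in federated_providers(policy):
        if _account(prov) != _account(info["target"]):
            findings.append(f"OIDC provider {prov} is in account {_account(prov)}, but the IAM "
                            f"provider must exist in the role's own account {_account(info['target'])}")
    subs = expected_subjects(policy)
    if service_account not in subs:
        findings.append(f"trust policy :sub condition expects {subs}, pod runs as {service_account}")
    return findings


if __name__ == "__main__":
    for line in diagnose(ERROR_LINE, TRUST_POLICY, "system:serviceaccount:monitoring:grafana"):
        print("-", line)
```

The first finding is the one that applies regardless of cluster layout: a statement whose principal is `Federated` and whose action is `sts:AssumeRoleWithWebIdentity` grants nothing to an AWS principal calling plain `sts:AssumeRole`, so the error message itself already tells you which credential path the pod took.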
