amazon-iam - How do I add a policy the role that EC2 instances assume in an EKS cluster?
问题描述
I'm using Terraform to create an EKS cluster. The worker nodes have an IAM role defined as follows:
resource "aws_iam_role" "eks-node" {
name = "${local.resource_prefix}-eks-node"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}
resource "aws_iam_role_policy_attachment" "eks-node-AmazonEKSWorkerNodePolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
role = "${aws_iam_role.eks-node.name}"
}
resource "aws_iam_role_policy_attachment" "eks-node-AmazonEKS_CNI_Policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
role = "${aws_iam_role.eks-node.name}"
}
resource "aws_iam_role_policy_attachment" "eks-node-AmazonEC2ContainerRegistryReadOnly" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
role = "${aws_iam_role.eks-node.name}"
}
resource "aws_iam_instance_profile" "eks-node" {
name = "${local.resource_prefix}-eks-node"
role = "${aws_iam_role.eks-node.name}"
}
This all spins up fine, and I can launch containers into the cluster. Now I want to try and play with allowing the containers to access AWS SSM in order to retrieve sensitive information (like a DB password). I did a quick test by launching a simple alpine instance into the cluster, installing the AWS CLI and running
aws ssm get-parameters --name /tmp/test-001 --region ...
(the /tmp/test-001 parameter does exist in the same region). This spits back a predictable error of:
An error occurred (AccessDeniedException) when calling the GetParameters operation: User: arn:aws:sts::(account-id):assumed-role/(resource-prefix)-eks-node/i-(EC2-instance-id) is not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:(region):(account-id):parameter/tmp/test-001
That's good actually - I want this to be rejected until I give that user permission. However note that the user is assumed-role/(resource-prefix)-eks-node/i-(EC2-instance-id)
and not simply assumed-role/(resource-prefix)-eks-node
- I suspect that has something to do with my actual problem...
So I head back to Terraform and add in the following Policy to the worker nodes:
resource "aws_iam_role_policy" "eks_node_allow_ssm_access" {
name = "${local.resource_prefix}-eks-node-ssm-access"
role = "${aws_iam_role.eks-node.name}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:GetParameters"
],
"Effect": "Allow",
"Resource": "arn:aws:ssm:${local.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/tmp/test-001"
}
]
}
EOF
}
This generates what I would expect - an inline Policy on arn:aws:iam::(account-id):role/(resource-prefix)-eks-node
that allows acccess to ssm:GetParameters. However when I re-launch the container and try again, I still get the AccessDeniedException error.
I suspect it has something to do with the assumed-role
being for (prefix)-eks-node/i-0...............e
instead of what the role Terraform creates actually is (prefix)-eks-node
. But since that EC2 instance is dynamically created with auto-scaling, I have no idea how I would target that with a policy...
All that brings me back to the question... How do I allow the assumed user role of the EC2 instance in the EKS worker nodes access to another resource (in this case SSM)?
解决方案
推荐阅读
- python - 如何检测从 QStandardItem 中的 setCheckable( True ) 创建的复选框是选中还是未选中?
- python - 使用 Homebrew 安装 python3 后,Homebrew 不会在 /usr/bin/local 中创建 python 的符号链接
- asp.net-core - 从任何地方检索 SignalR 3.0 中的集线器上下文的最佳方式
- sql - 替换 select 语句中的特殊字符
- android - 具有静态浮动操作按钮的相对布局内的网格布局上的滚动视图
- visual-studio - Unity GUI 元素 - 我如何选择 whos 在顶部?
- node.js - 即使状态为 200 的响应准确,也会触发 catch 块
- java - 从 Docker 容器的 maven Quarkus 项目的资源文件夹中读取 txt 文件
- vim - 如何在 Vim 中列出 autocmd 组?
- angular - 如何解决 Ionic Angular 应用程序中的 CORS 策略问题?