
aws eks update-kubeconfig using --role-arn param gives not authorized to perform: eks:DescribeCluster #5823

Closed
2 tasks done
hanfi opened this issue Dec 17, 2020 · 13 comments
Labels
bug This issue is a bug. customization Issues related to CLI customizations (located in /awscli/customizations) eks-kubeconfig needs-reproduction This issue needs reproduction.

Comments

@hanfi

hanfi commented Dec 17, 2020

Confirm by changing [ ] to [x] below to ensure that it's a bug:

Describe the bug

  • I'm using an IAM user (let's say myUser) that can assume a role (called myRole): tested and it's working
  • myRole has adminAccess but myUser can only assume myRole (tested and working everywhere)

When creating a kubeconfig while I'm myUser:
aws eks update-kubeconfig --name MyCluster --region eu-west-1 --role-arn arn:aws:iam::XXXXXXXXX:role/myRole
it's supposed to build the kubeconfig and add the params,

but I get this error:
An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::XXXXXXXXX:role:user/myUser is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:eu-west-1:XXXXXXX:cluster/cluster_name

The user running that command is not supposed to have any access; everything should be done by the role.

SDK version number
aws-cli/2.1.10 Python/3.9.1 Darwin/19.6.0 source/x86_64 prompt/off

Platform/OS/Hardware/Device
macOS 10.15.7

To Reproduce (observed behavior)

  1. Create a role that has all the needed access to the EKS cluster
  2. Create a user with no access except to assume the role
  3. Try aws eks update-kubeconfig with --role-name yourRole

Expected behavior
The command should just build your kubeconfig, or use the provided role to DescribeCluster.

@hanfi hanfi added the needs-triage This issue or PR still needs to be triaged. label Dec 17, 2020
@kdaily kdaily added customization Issues related to CLI customizations (located in /awscli/customizations) eks-kubeconfig investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Dec 21, 2020
@kdaily
Member

kdaily commented Jan 26, 2021

Hi @hanfi,

I apologize for the delay. I'm not able to reproduce - can you provide a redacted debug log for me to review (remove any account IDs and other sensitive information, but replace them with something that allows me to still differentiate between the roles)? Thanks!

@kdaily kdaily added needs-reproduction This issue needs reproduction. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Jan 27, 2021
@github-actions

github-actions bot commented Feb 3, 2021

Greetings! It looks like this issue hasn’t been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Feb 3, 2021
@github-actions github-actions bot closed this as completed Feb 7, 2021
@hanfi
Author

hanfi commented Feb 19, 2021

aws eks update-kubeconfig --name MyClusterEks --region eu-west-3 --role-arn arn:aws:iam::XXXXXXXXXX:role/CICD
--debug
2021-02-19 11:05:00,144 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.1.27 Python/3.9.1 Darwin/19.6.0 source/x86_64
2021-02-19 11:05:00,145 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['eks', 'update-kubeconfig', '--name', 'MyClusterEks', '--region', 'eu-west-3', '--role-arn', 'arn:aws:iam::XXXXXXXXXX:role/CICD', '--debug']
2021-02-19 11:05:00,183 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_s3 at 0x10c09a670>
2021-02-19 11:05:00,183 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_ddb at 0x10bef9310>
2021-02-19 11:05:00,183 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.configure.configure.ConfigureCommand'>>
2021-02-19 11:05:00,183 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x10be97a60>
2021-02-19 11:05:00,183 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x10bea39d0>
2021-02-19 11:05:00,184 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function alias_opsworks_cm at 0x10c0ac040>
2021-02-19 11:05:00,184 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_history_commands at 0x10bf47ee0>
2021-02-19 11:05:00,184 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.devcommands.CLIDevCommand'>>
2021-02-19 11:05:00,184 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_waiters at 0x10c0a7280>
2021-02-19 11:05:00,184 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/awscli/data/cli.json
2021-02-19 11:05:00,188 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_types at 0x10c0085e0>
2021-02-19 11:05:00,189 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function no_sign_request at 0x10c00b160>
2021-02-19 11:05:00,189 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_verify_ssl at 0x10c00b0d0>
2021-02-19 11:05:00,189 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_read_timeout at 0x10c00b280>
2021-02-19 11:05:00,189 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_connect_timeout at 0x10c00b1f0>
2021-02-19 11:05:00,189 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <built-in method update of dict object at 0x10c1452c0>
2021-02-19 11:05:00,189 - MainThread - botocore.session - DEBUG - Setting config variable for region to 'eu-west-3'
2021-02-19 11:05:00,194 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.1.27 Python/3.9.1 Darwin/19.6.0 source/x86_64 prompt/off
2021-02-19 11:05:00,195 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['eks', 'update-kubeconfig', '--name', 'MyClusterEks', '--region', 'eu-west-3', '--role-arn', 'arn:aws:iam::XXXXXXXXXX:role/CICD', '--debug']
2021-02-19 11:05:00,195 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_timestamp_parser at 0x10c09aca0>
2021-02-19 11:05:00,195 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x10bbc19d0>
2021-02-19 11:05:00,195 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_binary_formatter at 0x10c109700>
2021-02-19 11:05:00,195 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function no_pager_handler at 0x10bbbbc10>
2021-02-19 11:05:00,197 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x10bc283a0>
2021-02-19 11:05:00,200 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2021-02-19 11:05:00,208 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x10bf47dc0>
2021-02-19 11:05:00,208 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_json_file_cache at 0x10bef71f0>
2021-02-19 11:05:00,243 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/botocore/data/eks/2017-11-01/service-2.json
2021-02-19 11:05:00,245 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/botocore/data/eks/2017-11-01/service-2.sdk-extras.json
2021-02-19 11:05:00,248 - MainThread - botocore.hooks - DEBUG - Event building-command-table.eks: calling handler <function inject_commands at 0x10bfe61f0>
2021-02-19 11:05:00,248 - MainThread - botocore.hooks - DEBUG - Event building-command-table.eks: calling handler <function add_waiters at 0x10c0a7280>
2021-02-19 11:05:00,282 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/botocore/data/eks/2017-11-01/waiters-2.json
2021-02-19 11:05:00,283 - MainThread - botocore.hooks - DEBUG - Event building-command-table.eks_update-kubeconfig: calling handler <function add_waiters at 0x10c0a7280>
2021-02-19 11:05:00,285 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.update-kubeconfig.name: calling handler <awscli.paramfile.URIArgumentHandler object at 0x10c188b80>
2021-02-19 11:05:00,285 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.update-kubeconfig: calling handler <awscli.argprocess.ParamShorthandParser object at 0x10bbe7790>
2021-02-19 11:05:00,286 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.update-kubeconfig.kubeconfig: calling handler <awscli.paramfile.URIArgumentHandler object at 0x10c188b80>
2021-02-19 11:05:00,286 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.update-kubeconfig.role-arn: calling handler <awscli.paramfile.URIArgumentHandler object at 0x10c188b80>
2021-02-19 11:05:00,286 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.update-kubeconfig: calling handler <awscli.argprocess.ParamShorthandParser object at 0x10bbe7790>
2021-02-19 11:05:00,286 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.update-kubeconfig.dry-run: calling handler <awscli.paramfile.URIArgumentHandler object at 0x10c188b80>
2021-02-19 11:05:00,286 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.update-kubeconfig: calling handler <awscli.argprocess.ParamShorthandParser object at 0x10bbe7790>
2021-02-19 11:05:00,286 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.update-kubeconfig.verbose: calling handler <awscli.paramfile.URIArgumentHandler object at 0x10c188b80>
2021-02-19 11:05:00,286 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.update-kubeconfig: calling handler <awscli.argprocess.ParamShorthandParser object at 0x10bbe7790>
2021-02-19 11:05:00,286 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.update-kubeconfig.alias: calling handler <awscli.paramfile.URIArgumentHandler object at 0x10c188b80>
2021-02-19 11:05:00,287 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2021-02-19 11:05:00,287 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2021-02-19 11:05:00,287 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2021-02-19 11:05:00,287 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2021-02-19 11:05:00,287 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2021-02-19 11:05:00,288 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2021-02-19 11:05:00,289 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/botocore/data/endpoints.json
2021-02-19 11:05:00,295 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x10b2390d0>
2021-02-19 11:05:00,296 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.eks: calling handler <function add_generate_presigned_url at 0x10b1d9940>
2021-02-19 11:05:00,301 - MainThread - botocore.endpoint - DEBUG - Setting eks timeout as (60, 60)
2021-02-19 11:05:00,302 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.eks.DescribeCluster: calling handler <function base64_decode_input_blobs at 0x10c109e50>
2021-02-19 11:05:00,302 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.eks.DescribeCluster: calling handler <function generate_idempotent_uuid at 0x10b249160>
2021-02-19 11:05:00,303 - MainThread - botocore.hooks - DEBUG - Event before-call.eks.DescribeCluster: calling handler <function inject_api_version_header_if_needed at 0x10b24c9d0>
2021-02-19 11:05:00,303 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=DescribeCluster) with params: {'url_path': '/clusters/MyClusterEks', 'query_string': {}, 'method': 'GET', 'headers': {'User-Agent': 'aws-cli/2.1.27 Python/3.9.1 Darwin/19.6.0 source/x86_64 prompt/off command/eks.update-kubeconfig'}, 'body': b'', 'url': 'https://eks.eu-west-3.amazonaws.com/clusters/MyClusterEks', 'context': {'client_region': 'eu-west-3', 'client_config': <botocore.config.Config object at 0x10cd22a30>, 'has_streaming_input': False, 'auth_type': None}}
2021-02-19 11:05:00,303 - MainThread - botocore.hooks - DEBUG - Event request-created.eks.DescribeCluster: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x10cd22a00>>
2021-02-19 11:05:00,303 - MainThread - botocore.hooks - DEBUG - Event choose-signer.eks.DescribeCluster: calling handler <function set_operation_specific_signer at 0x10b249040>
2021-02-19 11:05:00,303 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth.
2021-02-19 11:05:00,304 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
GET
/clusters/MyClusterEks

host:eks.eu-west-3.amazonaws.com
x-amz-date:20210219T100500Z

host;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2021-02-19 11:05:00,304 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20210219T100500Z
20210219/eu-west-3/eks/aws4_request
aab55e52d160b77ee83b16f6a87df34987d14395f49f7dce907f4feacafc3619
2021-02-19 11:05:00,304 - MainThread - botocore.auth - DEBUG - Signature:
2166c5eb5703f8f591c28f3992c160bbb190181eb7107ad61868395d5f58a433
2021-02-19 11:05:00,304 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=GET, url=https://eks.eu-west-3.amazonaws.com/clusters/MyClusterEks, headers={'User-Agent': b'aws-cli/2.1.27 Python/3.9.1 Darwin/19.6.0 source/x86_64 prompt/off command/eks.update-kubeconfig', 'X-Amz-Date': b'20210219T100500Z', 'Authorization': b'AWS4-HMAC-SHA256 Credential=XXXXXXXXXXXXXXXXXX/20210219/eu-west-3/eks/aws4_request, SignedHeaders=host;x-amz-date, Signature=2166c5eb5703f8f591c28f3992c160bbb190181eb7107ad61868395d5f58a433'}>
2021-02-19 11:05:00,305 - MainThread - botocore.httpsession - DEBUG - Certificate path: /usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/botocore/cacert.pem
2021-02-19 11:05:00,305 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): eks.eu-west-3.amazonaws.com:443
2021-02-19 11:05:00,376 - MainThread - urllib3.connectionpool - DEBUG - https://eks.eu-west-3.amazonaws.com:443 "GET /clusters/MyClusterEks HTTP/1.1" 403 186
2021-02-19 11:05:00,376 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Fri, 19 Feb 2021 10:05:00 GMT', 'Content-Type': 'application/json', 'Content-Length': '186', 'Connection': 'keep-alive', 'x-amzn-RequestId': 'fd499ad2-a896-4df0-be32-6e56c34c3faa', 'x-amzn-ErrorType': 'AccessDeniedException', 'x-amz-apigw-id': 'a_MD8Fg4CGYFfxQ=', 'X-Amzn-Trace-Id': 'Root=1-602f8d4c-31afc22a7b2d8828457ae09b'}
2021-02-19 11:05:00,377 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"Message":"User: arn:aws:iam::XXXXXXXXXX:user/devops is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:eu-west-3:XXXXXXXXXX:cluster/MyClusterEks"}'
2021-02-19 11:05:00,378 - MainThread - botocore.hooks - DEBUG - Event needs-retry.eks.DescribeCluster: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x10cd67430>>
2021-02-19 11:05:00,378 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2021-02-19 11:05:00,378 - MainThread - botocore.hooks - DEBUG - Event after-call.eks.DescribeCluster: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x10cd22f70>>
2021-02-19 11:05:00,378 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "/usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/awscli/clidriver.py", line 457, in main
    return command_table[parsed_args.command](remaining, parsed_args)
  File "/usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/awscli/clidriver.py", line 586, in __call__
    return command_table[parsed_args.operation](remaining, parsed_globals)
  File "/usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/awscli/customizations/commands.py", line 191, in __call__
    rc = self._run_main(parsed_args, parsed_globals)
  File "/usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/awscli/customizations/eks/update_kubeconfig.py", line 122, in _run_main
    new_cluster_dict = client.get_cluster_entry()
  File "/usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/awscli/customizations/eks/update_kubeconfig.py", line 276, in get_cluster_entry
    cert_data = self._get_cluster_description().get("certificateAuthority",
  File "/usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/awscli/customizations/eks/update_kubeconfig.py", line 258, in _get_cluster_description
    full_description = client.describe_cluster(name=self._cluster_name)
  File "/usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/botocore/client.py", line 249, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/Cellar/awscli/2.1.27/libexec/lib/python3.9/site-packages/botocore/client.py", line 568, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::XXXXXXXXXX:user/devops is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:eu-west-3:XXXXXXXXXX:cluster/MyClusterEks

An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::XXXXXXXXXX:user/devops is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:eu-west-3:XXXXXXXXXX:cluster/MyClusterEks
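The debug log above carries everything needed to tell whether the DescribeCluster request went out under the IAM user or under the requested role: the `--role-arn` argument, where the credentials were found, the key ID prefix in the SigV4 `Credential=` field, and the principal named in the AccessDenied message. The following script, an added example that is not part of the aws-cli project or of this issue, pulls those facts out of a `--debug` log and classifies the failure. The sample log and the second "explicit deny" sample are constructed in the shape of the output posted in this thread, with placeholder account and key IDs; the only real identifiers are the AWS access-key prefixes (AKIA for long-term user keys, ASIA for temporary credentials).

```python
"""Added example (not from the aws-cli project or this issue): extract the
facts that decide this bug from an `aws --debug` log and say whether the
DescribeCluster call was signed by the IAM user or by the requested role."""
import re

# Constructed sample in the shape of the debug output in the thread (placeholder IDs).
SAMPLE_LOG = """\
2021-02-19 11:05:00,145 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['eks', 'update-kubeconfig', '--name', 'MyClusterEks', '--region', 'eu-west-3', '--role-arn', 'arn:aws:iam::111111111111:role/CICD', '--debug']
2021-02-19 11:05:00,288 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2021-02-19 11:05:00,304 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=GET, url=https://eks.eu-west-3.amazonaws.com/clusters/MyClusterEks, headers={'Authorization': b'AWS4-HMAC-SHA256 Credential=AKIAEXAMPLEKEYID/20210219/eu-west-3/eks/aws4_request, SignedHeaders=host;x-amz-date, Signature=0000'}>
2021-02-19 11:05:00,376 - MainThread - urllib3.connectionpool - DEBUG - https://eks.eu-west-3.amazonaws.com:443 "GET /clusters/MyClusterEks HTTP/1.1" 403 186
2021-02-19 11:05:00,377 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"Message":"User: arn:aws:iam::111111111111:user/devops is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:eu-west-3:111111111111:cluster/MyClusterEks"}'
"""

# Second constructed sample: the "explicit deny" variant reported later in the thread.
SAMPLE_LOG_EXPLICIT_DENY = """\
b'{"Message":"User: arn:aws:iam::111111111111:user/ops is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:ap-south-1:111111111111:cluster/test with an explicit deny"}'
"""

_ROLE_ARG = re.compile(r"'--role-arn', '([^']+)'")
_CRED_SOURCE = re.compile(r"Found credentials in (.+)$", re.MULTILINE)
_SIGNING_KEY = re.compile(r"Credential=([A-Z0-9]+)/")
_DENIED = re.compile(
    r"User: (arn:aws:(?:iam|sts)::[^ ]+) is not authorized to perform: "
    r"([A-Za-z0-9-]+:[A-Za-z0-9]+)"
)


def key_kind(access_key_id):
    """Classify the signing key by its AWS-assigned prefix: AKIA is a long-term
    IAM user key, ASIA is a temporary (STS) credential."""
    if access_key_id is None:
        return "none"
    if access_key_id.startswith("ASIA"):
        return "temporary (ASIA)"
    if access_key_id.startswith("AKIA"):
        return "long-term (AKIA)"
    return "unknown"


def diagnose(log_text):
    """Return the extracted facts plus a one-line verdict for a --debug log."""
    role = _ROLE_ARG.search(log_text)
    source = _CRED_SOURCE.search(log_text)
    key = _SIGNING_KEY.search(log_text)
    denied = _DENIED.search(log_text)
    result = {
        "requested_role": role.group(1) if role else None,
        "credential_source": source.group(1).strip() if source else None,
        "signing_key_kind": key_kind(key.group(1) if key else None),
        "denied_principal": denied.group(1) if denied else None,
        "operation": denied.group(2) if denied else None,
        "explicit_deny": "with an explicit deny" in log_text,
    }
    if result["denied_principal"] is None:
        result["verdict"] = "no access-denied message found"
    elif result["explicit_deny"]:
        result["verdict"] = "explicit Deny statement matched (check MFA-style deny policies)"
    elif result["requested_role"] and ":user/" in result["denied_principal"]:
        result["verdict"] = "role requested but the IAM user's credentials signed the call"
    elif ":assumed-role/" in result["denied_principal"]:
        result["verdict"] = "role was assumed but lacks the permission"
    else:
        result["verdict"] = "unclassified"
    return result


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for k, v in diagnose(text).items():
        print(f"{k}: {v}")
```

Run it as `python diagnose_eks_debug.py my-redacted.log` (or with no argument to see the sample). On the log in this thread it reports that a role was requested, credentials were taken from `~/.aws/credentials`, and the denied principal is `:user/devops`, which is the same conclusion hanfi reaches below: the role ARN did not influence the DescribeCluster call.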

@hanfi
Author

hanfi commented Feb 19, 2021

To reproduce:

  • Create a role that can do EKS (in my case role/CICD)
  • Create an IAM user (in my case called user/devops) that can only assume a role (in my case role/CICD):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/CICD"
        }
    ]
}

While you are your user (in my case called user/devops),
run:

aws eks update-kubeconfig --name MyClusterEks --region eu-west-3 --role-arn arn:aws:iam::XXXXXXXXXX:role/CICD

The command doesn't use the provided role-arn to perform eks:DescribeCluster. It uses the user without assuming the role.

@fumanne

fumanne commented Feb 20, 2021

Also met this problem.
My case:

  1. Log in with a user named AAA (user AAA is under the top account ID)
  2. Switch to the role named AProject-Ops (the AProject-Ops role is under a sub-account ID)
  3. Use AProject-Ops to create the EKS cluster (AProject-Ops has admin authority except for IAM)
  4. Generate an access key for user AAA
  5. Type aws eks --region ap-east-1 update-kubeconfig --name aws-hongkong-k8s --role-arn arn:aws:iam::xxxxx:role/AProject-Ops
    An error occurred (UnrecognizedClientException) when calling the DescribeCluster operation: The security token included in the request is invalid.

How to solve it?

@gstevens-kyriba

I had that problem; I had to add the profile:

aws eks --region us-east-1 update-kubeconfig --name dev-01 --profile engr --role-arn arn:aws:iam::xxxx:role/eks-operator-role
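Both the reproduction hanfi posted and the `--profile` workaround above point the same way: the DescribeCluster call is made with whatever credentials the CLI's normal chain resolves, and `--role-arn` only ends up in the generated kubeconfig, so the caller itself must already be allowed to describe the cluster. One way to achieve that without granting the IAM user anything beyond sts:AssumeRole is to assume the role first and run update-kubeconfig under the temporary credentials. The script below is an added example, not code from the aws-cli project or from anyone in the thread; the role ARN, cluster name and region are placeholders passed on the command line, and the embedded assume-role response is a constructed sample with placeholder values.

```python
"""Added example (not from the aws-cli project or this issue): obtain the
role's short-lived credentials with `aws sts assume-role` and run
update-kubeconfig under them, so eks:DescribeCluster is evaluated against the
role rather than the IAM user."""
import json
import os
import subprocess
import sys

# Constructed sample in the shape of `aws sts assume-role --output json`
# (placeholder values, not real credentials).
SAMPLE_ASSUME_ROLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "EXAMPLE-SECRET",
        "SessionToken": "EXAMPLE-SESSION-TOKEN",
        "Expiration": "2021-02-19T12:05:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:eks-kubeconfig",
        "Arn": "arn:aws:sts::111111111111:assumed-role/CICD/eks-kubeconfig",
    },
})


def env_from_assume_role(assume_role_json):
    """Map the assume-role response onto the environment variables the CLI's
    credential chain consults first ("Looking for credentials via: env" in the
    debug log), including the session token that temporary keys require."""
    creds = json.loads(assume_role_json)["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def update_kubeconfig_as_role(role_arn, cluster_name, region):
    """Assume role_arn (the caller needs sts:AssumeRole on it, as in the policy
    posted in the thread) and run update-kubeconfig with those credentials.
    --role-arn is still passed so the kubeconfig's exec entry uses the same
    role when kubectl later requests a token."""
    assumed = subprocess.run(
        ["aws", "sts", "assume-role", "--role-arn", role_arn,
         "--role-session-name", "eks-kubeconfig", "--output", "json"],
        capture_output=True, text=True, check=True,
    ).stdout
    env = {**os.environ, **env_from_assume_role(assumed)}
    return subprocess.run(
        ["aws", "eks", "update-kubeconfig", "--name", cluster_name,
         "--region", region, "--role-arn", role_arn],
        env=env, check=False,
    ).returncode


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: update_kubeconfig_as_role.py <role-arn> <cluster-name> <region>")
    sys.exit(update_kubeconfig_as_role(*sys.argv[1:]))
```

Usage: `python update_kubeconfig_as_role.py arn:aws:iam::<account-id>:role/<role> <cluster> <region>`. The equivalent without a script is a named profile in `~/.aws/config` whose `role_arn` and `source_profile` point at the role and the user's credentials; passing it with `--profile`, as in the comment above, makes the CLI perform the same AssumeRole itself before calling DescribeCluster.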

@prashant-shahi

@kdaily This issue is still there. How do I resolve it?

@kdaily kdaily self-assigned this May 21, 2021
@kdaily kdaily added bug This issue is a bug. and removed closed-for-staleness response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels May 21, 2021
@pavankumar-go

pavankumar-go commented Jun 21, 2021

Same here,

aws eks --region ap-south-1 update-kubeconfig --name=test

An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::REDACTED:user/redacted.redacted is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:ap-south-1:REDACTED:cluster/test with an explicit deny

The user is directly attached with an inline policy containing the following JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Resource": "*"
        }
    ]
}

@gitaacademy

Having the same issue
An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User::

Please help if possible

@pavankumar-go

pavankumar-go commented Aug 16, 2021

@gitaacademy Check whether a policy statement such as DenyAllActionsIfNot... exists in any policy attached to that user.
If such a policy statement exists, check whether the DescribeCluster action is listed; if it is not, add it to the action block.
In my case it was DenyAllIfNotMFA, which didn't have the DescribeCluster action.
So authenticating using the AWS CLI with MFA worked: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/#:~:text=It's%20a%20best%20practice%20to,must%20create%20a%20temporary%20session.

@demisx

demisx commented Aug 25, 2021

Same issue here. I don’t have MFA enabled. Please reopen.

@pavankumar-go

@demisx updated my comment, hope that helps.

@artakvg

artakvg commented Dec 6, 2022

Any updates on how to fix this issue?


9 participants