eks update-kubeconfig command does not assume role #6389
Comments
Hi @carlosrodf, thanks for reaching out. Are you using a role with the IAM policy AmazonEKSClusterPolicy? I created an Amazon EKS cluster IAM role following the steps documented here, and was able to successfully run the command. A similar issue was opened recently here: #5823. You could try following the steps suggested in this comment: #5823 (comment)
Hi @tim-finnigan, in my case the IAM user is in a different AWS Account. Account A:
Account B:
The trust relationship between the role and the user works fine. I have tested assuming the role manually and it works.
Hi @carlosrodf, thanks for following up. I found this blog post on enabling cross-account access to Amazon EKS cluster resources: https://aws.amazon.com/blogs/containers/enabling-cross-account-access-to-amazon-eks-cluster-resources/ Can you try following those steps and let us know if that works for you?
Greetings! It looks like this issue hasn’t been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.
Confirm by changing [ ] to [x] below to ensure that it's a bug:
Describe the bug
When running
aws eks update-kubeconfig --name <CLUSTER_NAME> --role-arn <ROLE_ARN>
the command returns an access denied error:
The IAM user has permissions to assume the role in question and the role has full access to EKS. I have confirmed the credentials in both user and role work by performing the steps manually:
aws eks update-kubeconfig...
again
I report this as a bug because this command has the expected behaviour using the same IAM user and role
SDK version number
Platform/OS/Hardware/Device
aws-cli/2.2.3 Python/3.8.8 Linux/5.11.0-34-generic exe/x86_64.ubuntu.20 prompt/off
To Reproduce (observed behavior)
Steps to reproduce the behavior
Expected behavior
The command should assume the role specified by --role-arn and update ~/.kube/config file
Logs/output
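The manual sequence the reporter says works (assume the role first, then run the command), written out as an added example; it is not code from the issue or from aws-cli. The function name `update_kubeconfig_as_role` and the default session name are assumptions, and the role ARN and cluster name are supplied by the caller.

```shell
# Added example (not from the issue): assume the role with STS, then run
# update-kubeconfig using the role's temporary credentials.
update_kubeconfig_as_role() {
    local role_arn="$1"
    local cluster="$2"
    local session="${3:-kubeconfig-update}"   # assumed default session name
    local creds key secret token

    # Refuse anything that is not shaped like an IAM role ARN before calling STS.
    case "$role_arn" in
        arn:aws*:iam::[0-9]*:role/?*) ;;
        *) echo "not an IAM role ARN: $role_arn" >&2; return 2 ;;
    esac
    [ -n "$cluster" ] || { echo "cluster name required" >&2; return 2; }

    # Request temporary credentials as one tab-separated line.
    creds=$(aws sts assume-role \
        --role-arn "$role_arn" \
        --role-session-name "$session" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text) || { echo "sts assume-role failed" >&2; return 1; }

    read -r key secret token <<EOF
$creds
EOF
    # Fail closed if STS returned fewer than three fields.
    if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
        echo "incomplete credentials from STS" >&2
        return 1
    fi

    # Subshell: the temporary credentials never reach the calling shell.
    (
        export AWS_ACCESS_KEY_ID="$key"
        export AWS_SECRET_ACCESS_KEY="$secret"
        export AWS_SESSION_TOKEN="$token"
        # Same command as in the issue, now run as the assumed role.
        aws eks update-kubeconfig --name "$cluster" --role-arn "$role_arn"
    )
}
```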