EKS Deployments ACCESS DENIED

0

hi team

  1. I am using CodePipeline and CodeBuild to create CI/CD

  2. my CodeBuild IAM role is in prod

  3. The CodeBuild IAM role assumes another role in the stage account

  4. In the CodeBuild specs.yaml I am using the code below (assuming the stage IAM role that has EKS access)

```yaml
# buildspec commands: assume the stage-account role, export its temporary
# credentials, then point kubectl at the stage cluster
- CREDENTIALS=$(aws sts assume-role --role-arn $EKS_KUBECTL_ROLE_ARN --role-session-name codebuild-kubectl --duration-seconds 900)
- export AWS_ACCESS_KEY_ID="$(echo ${CREDENTIALS} | jq -r '.Credentials.AccessKeyId')"
- export AWS_SECRET_ACCESS_KEY="$(echo ${CREDENTIALS} | jq -r '.Credentials.SecretAccessKey')"
- export AWS_SESSION_TOKEN="$(echo ${CREDENTIALS} | jq -r '.Credentials.SessionToken')"
- export AWS_EXPIRATION=$(echo ${CREDENTIALS} | jq -r '.Credentials.Expiration')
- $(aws ecr get-login --no-include-email)
- aws eks update-kubeconfig --name $EKS_CLUSTER
- export KUBECONFIG=$HOME/.kube/config
- cat $HOME/.kube/config
```

  5. Able to access EKS; get context shows our stage cluster, and kubectl get svc is also working

  6. but kubectl get deployments gives the error below

```text
could not get information about the resource Deployment "management-service" in namespace "namespace": deployments.apps "management-service" is forbidden: User "system:node:codebuild-kubectl" cannot get resource "deployments" in API group "apps" in the namespace "namespace"
```

  7. mapped both stage and prod IAM roles in the aws-auth cm and gave them the system:masters group
3 Answers
0

I see, based on the additional information you provided, it seems like the issue might be related to the Kubernetes RBAC configuration in the "aws-auth" ConfigMap.

Even though the IAM role in the stage account has the necessary permissions to access the EKS resources, the Kubernetes RBAC configuration might not be granting the appropriate permissions to the "system:node:codebuild-kubectl" user.

Here are a few things you can try:

Verify the Kubernetes RBAC configuration: Double-check the "aws-auth" ConfigMap in the stage EKS cluster to ensure that the IAM role is correctly mapped to the appropriate Kubernetes role or ClusterRole with the necessary permissions to access the "deployments" resource in the "namespace" namespace. [1]

Try using a different Kubernetes role: Instead of mapping the IAM role to the "system:masters" group, try mapping it to a more specific Kubernetes role or ClusterRole that has the necessary permissions to access the "deployments" resource. You can create a custom Kubernetes role or ClusterRole with the required permissions and then map the IAM role to it. [2]

Check the Kubernetes version: Ensure that the Kubernetes version of your stage EKS cluster is compatible with the version of Kubernetes used by the CodeBuild project. If there's a mismatch, it could cause issues with the permissions and access.

Troubleshoot the CodeBuild project: Review the CodeBuild project logs to see if there are any additional clues or error messages that could help identify the root cause of the issue.

Try using the AWS CLI directly: Instead of using the "aws sts assume-role" command in the CodeBuild project, try using the AWS CLI directly to interact with the EKS cluster and see if you encounter the same issue. This can help you isolate the problem and determine if it's specific to the CodeBuild project or the IAM role assumption. [3]

If you're still having trouble, you can refer to the AWS documentation for more information on Kubernetes RBAC, troubleshooting EKS access, and troubleshooting CodeBuild issues:

Enabling IAM principal access to your cluster - Amazon EKS

Granting access to an IAM principal to view Kubernetes resources on a cluster - Amazon EKS

Troubleshooting CodeBuild

Let me know if you have any other questions!

Sources
[1] AWS.Compute.EKS.AuthRole - AWS Telco Network Builder https://docs.aws.amazon.com/tnb/latest/ug/node-eks-authrole.html
[2] Amazon EKS node IAM role - Amazon EKS https://docs.aws.amazon.comekslatestcreate-node-role.html
[3] Adding the account connection and IAM roles to your deploy environment - Amazon CodeCatalyst https://docs.aws.amazon.comcodecatalystlatestipa-connect-account-addroles-env.html

AWS
answered 14 days ago
    1. kubectl version

```text
Client Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.7-eks-1861c5", GitCommit:"1861c597586f84f1498a9f2151c78d8a6bf47814", GitTreeState:"clean", BuildDate:"2019-09-24T22:12:08Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"29+", GitVersion:"v1.29.3-eks-adc7111", GitCommit:"c8f33fb3fdd7ee39809c260233424fb73ce1893b", GitTreeState:"clean", BuildDate:"2024-04-01T19:25:15Z", GoVersion:"go1.21.8", Compiler:"gc", Platform:"linux/amd64"}
```

    2. our stage and prod EKS cluster version is 1.29

    3. I tried creating a different cluster role, still the same issue

    4. here is my role; it has the EKS cluster policy, and below is my trust policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Principal": { "Service": "eks-fargate-pods.amazonaws.com" }, "Action": "sts:AssumeRole" },
    { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::testid:root" }, "Action": "sts:AssumeRole", "Condition": {} },
    { "Effect": "Allow", "Principal": { "Service": "eks.amazonaws.com" }, "Action": "sts:AssumeRole" }
  ]
}
```

  • here is my auth cm

```yaml
apiVersion: v1
data:
  mapRoles: |
    - groups:
        - system:node
      rolearn: arn:aws:iam::*:role/eksctl-harc-qa-eks-cluster-FargatePodExecutionRole-PA1L8NJYG9T4
      username: system:node:{{SessionName}}
    - groups:
        - system:node
      rolearn: arn:aws:iam::*:role/EKScicdIAMStack-CodeBuildServiceRole-crossAccountDeployment
      username: system:node:{{SessionName}}
  mapUsers: |
    - groups:
        - eks-console-dashboard-full-access-group
      userarn: arn:aws:iam::*:user/
      username: system:node:{{SessionName}}
kind: ConfigMap
```

  • and also, what is the AWS CLI command to get deployments like kubectl?

    1. I have the CLI installed; after that I assumed the role and did aws eks update-kubeconfig, then ran these commands and am still facing the issue
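The aws-auth shown in the comment above maps the CodeBuild role to a node-style identity (username `system:node:{{SessionName}}` in a node group). Kubernetes reserves `system:node:<name>` usernames for kubelets, which the Node authorizer lets read services but not deployments, which is consistent with `kubectl get svc` working while `kubectl get deployments` is forbidden. Below is an added example, not from the question or the answers, of the least-privilege alternative the answer recommends: a dedicated username and group in aws-auth plus a namespaced Role and RoleBinding. The account id `111122223333` and the group name `cicd-deployers` are assumptions; the namespace and role name come from the thread.

```yaml
# Added example (not from the question or the answers). Assumed values:
# account id 111122223333, group name "cicd-deployers"; the namespace
# "namespace" and the role name come from the thread.
#
# 1) aws-auth: give the CI role its own username and group. Usernames of
#    the form system:node:<name> are reserved for kubelets and system:masters
#    is cluster-admin, so neither is suitable for a deploy job.
#    Merge this entry into the existing mapRoles; applying this ConfigMap
#    as-is would replace the node mappings already in the cluster.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/EKScicdIAMStack-CodeBuildServiceRole-crossAccountDeployment
      username: codebuild:{{SessionName}}
      groups:
        - cicd-deployers
---
# 2) A Role limited to the namespace and to what a rollout needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cicd-deployer
  namespace: namespace
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "patch", "update"]
  - apiGroups: [""]
    resources: ["services", "pods"]
    verbs: ["get", "list", "watch"]
---
# 3) Bind the Role to the aws-auth group rather than to a single username,
#    so every session of the role (any --role-session-name) is covered.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cicd-deployer
  namespace: namespace
subjects:
  - kind: Group
    name: cicd-deployers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: cicd-deployer
  apiGroup: rbac.authorization.k8s.io
```

A quick check after applying: `kubectl auth can-i get deployments.apps -n namespace --as codebuild:test --as-group cicd-deployers` should print `yes`.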
0

Based on the additional information you provided, it seems like the issue is related to the Kubernetes RBAC configuration in the "aws-auth" ConfigMap. [1]

First, let's address the version mismatch between the client and server versions. The client is using Kubernetes version 1.14.7, while the server is using version 1.29.3. This version mismatch could be causing compatibility issues and permission problems.

To resolve this, you should ensure that the CodeBuild project is using the same Kubernetes version as the EKS cluster. You can do this by either:

Updating the CodeBuild project to use the same Kubernetes version as the EKS cluster (1.29.3).

Updating the EKS cluster to use the same Kubernetes version as the CodeBuild project (1.14.7).

Next, let's look at the "aws-auth" ConfigMap configuration:

Verify the "mapRoles" section: Ensure that the IAM role assumed by the CodeBuild project (EKScicdIAMStack-CodeBuildServiceRole-crossAccountDeployment) is correctly mapped to the appropriate Kubernetes role or ClusterRole with the necessary permissions to access the "deployments" resource in the "namespace" namespace.

Check the "mapUsers" section: Verify that the "system:node:{{SessionName}}" user is correctly mapped to the appropriate Kubernetes role or ClusterRole with the necessary permissions.

Consider using a custom Kubernetes role: Instead of mapping the IAM role to the "system:masters" group, try creating a custom Kubernetes role or ClusterRole with the specific permissions required to access the "deployments" resource in the "namespace" namespace, and then map the IAM role to this custom role.

As for the AWS CLI command to get deployments, you can use the following command:

```shell
aws eks get-deployments --cluster-name <cluster-name> --namespace <namespace>
```

This command will retrieve the deployments in the specified namespace for the given EKS cluster.

If you're still having trouble, you can refer to the following AWS documentation for more information:

Enabling IAM principal access to your cluster - Amazon EKS [2]

Granting access to an IAM principal to view Kubernetes resources on a cluster - Amazon EKS

Troubleshooting CodeBuild

Sources
[1] Troubleshooting IAM - Amazon EKS https://docs.aws.amazon.comekslatestsecurity_iam_troubleshoot.html
[2] Amazon EKS cluster IAM role - Amazon EKS https://docs.aws.amazon.comekslatestservice_IAM_role.html


AWS
answered 14 days ago
    1. system:node:{{SessionName}} this user is not present in the config map, but I have a question: I am using a role and mapped it under the role ARN; do I still need to map it under mapUsers?? If so, what is the userarn for this?

  • and also there is no EKS command like aws eks get-deployments

```text
Running command aws eks get-deployments --cluster-name $EKS_CLUSTER --namespace $NAMESPACE
usage: Note: AWS CLI version 2, the latest major version of the AWS CLI, is now stable and recommended for general use. For more information, see the AWS CLI version 2 installation instructions at: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html

usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help
aws: error: argument operation: Invalid choice, valid choices are:

associate-access-policy                  | associate-encryption-config
associate-identity-provider-config       | create-access-entry
create-addon                             | create-cluster
create-eks-anywhere-subscription         | create-fargate-profile
create-nodegroup                         | create-pod-identity-association
delete-access-entry                      | delete-addon
delete-cluster                           | delete-eks-anywhere-subscription
delete-fargate-profile                   | delete-nodegroup
delete-pod-identity-association          | deregister-cluster
describe-access-entry                    | describe-addon
```

0

The issue you're facing with the kubectl get deployments command is related to the permissions granted to the IAM role assumed by the CodeBuild job. Even though you've mapped the IAM roles in the aws-auth ConfigMap and granted the system:masters group access, it seems that the specific user "system:node:codebuild-kubectl" does not have the necessary permissions to access the "deployments" resource in the "namespace" namespace.

Here are a few things you can try to resolve this issue:

Verify the IAM role permissions: Ensure that the IAM role assumed by the CodeBuild job has the necessary permissions to access the Kubernetes resources in the "namespace" namespace. You can try adding the following permissions to the IAM role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListNodegroups",
        "eks:DescribeNodegroup",
        "eks:AccessKubernetesApi",
        "eks:ListFargateProfiles",
        "eks:DescribeFargateProfile"
      ],
      "Resource": [
        "arn:aws:eks:::cluster/*"
      ]
    }
  ]
}
```

Verify the aws-auth ConfigMap: Double-check the aws-auth ConfigMap to ensure that the IAM role is correctly mapped to the Kubernetes user "system:node:codebuild-kubectl". You can use the following command to view the aws-auth ConfigMap:

```shell
kubectl get configmap -n kube-system aws-auth -o yaml
```

Check for any additional RBAC rules: Ensure that there are no additional RBAC rules or policies that might be restricting the access of the "system:node:codebuild-kubectl" user to the "deployments" resource in the "namespace" namespace.

Verify the EKS cluster version: Make sure that the EKS cluster version is compatible with the Kubernetes resources you're trying to access. If the cluster is running an older version, you may need to update the cluster or adjust your code accordingly.

If you're still facing issues after trying these steps, please provide more information about your setup, such as the EKS cluster version, the IAM role permissions, and the contents of the aws-auth ConfigMap, and I'll be happy to assist you further.

AWS
answered 15 days ago
    1. i am using $(aws sts assume-role --role-arn $EKS_KUBECTL_ROLE_ARN --role-session-name codebuild-kubectl --duration-seconds 900)
    • this command i am running in codebuild in production account
    • and the role EKS_KUBECTL_ROLE_ARN this is in stage account
    • the above role in stage account already had all the access you specified in IAM for EKS
    • and this role only i mapped in stage eks aws-auth config map
    • with the same setup i am able to access service but not the deployments
