pods is forbidden: using SSO PowerUserAccess

0

Hello there,

We are using SSO for Azure (Entra ID) and we have some permission sets attached to some of the users; we label them as "PowerDevelopers", and they have the PowerUserAccess managed AWS policy attached.

When navigating to EKS > Cluster Name > Resources - we are presented with the following error:

Error loading resources pods is forbidden: User "arn:aws:iam::accountnumberhere:role/AWSReservedSSO_PowerDeveloper_randomnumbershere" cannot list resource "pods" in API group "" at the cluster scope

It seems to work fine as Administrator, but I'd expect that as everything is allowed. I've tried adding an inline policy or creating a customer managed policy with the following:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"eks:ListFargateProfiles",
				"eks:DescribeNodegroup",
				"eks:ListNodegroups",
				"eks:ListUpdates",
				"eks:AccessKubernetesApi",
				"eks:ListAddons",
				"eks:DescribeCluster",
				"eks:DescribeAddonVersions",
				"eks:ListClusters",
				"eks:ListIdentityProviderConfigs",
				"iam:ListRoles"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": "ssm:GetParameter",
			"Resource": "arn:aws:ssm:*:accountnumber:parameter/*"
		}
	]
}

But this doesn't seem to change anything. Does anyone have any guidance on permissions? I've been through a few articles online, but none of them seem to help me so far.

Thanks in advance for any help,

Zack

2 Answers
0

To fix this, you'll need to ensure that the IAM role associated with the "PowerDevelopers" group has the right permissions for EKS access. This might involve modifying the existing PowerUserAccess policy or creating a custom policy that grants the required permissions.

Once you've updated the permissions, test access again to make sure users in the "PowerDevelopers" group can now list pods and other resources without any errors.

Remember to regularly review and update IAM policies to ensure users have the appropriate permissions for their roles.

By following these steps, you should be able to resolve the permissions issue and allow smooth access to resources in your EKS cluster for your "PowerDevelopers" group. If you need further assistance, consider reaching out to AWS support for guidance.

EXPERT
answered a month ago
0

I logged a support ticket with AWS, seems the answer is this:

https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html#creating-access-entries

So in my particular example it was:

Console > EKS > Cluster > Access (This is in the middle on the tabs bar) > IAM Access Entries > Create Access Entry.

Then within the menu here:

IAM Principal ARN: this would be AWSReservedSSO_PowerDeveloperAccess_uniqueid

I presume if you're doing it via the AWS CLI you can follow the CLI instructions and may need the full ARN.

Type: Standard

Add any tags if you wish

Then select next add the policy you wish to apply and the access scope and test on the PowerDeveloper Role.

answered a month ago
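The error in the question comes from the Kubernetes API server, not from IAM: the IAM policy actions listed in the question (including eks:AccessKubernetesApi) only control calls to the EKS service API, while listing pods is authorized by Kubernetes RBAC. An access entry is what maps the IAM principal to Kubernetes permissions. The script below is an added example, not code from the original post or from AWS, and shows the CLI equivalent of the console steps in the answer above, with a dry-run mode so the commands can be reviewed before anything is changed. The cluster name, account ID and SSO role name are placeholders; it also assumes the cluster's authentication mode already allows access entries (API or API_AND_CONFIG_MAP). It starts from the read-only AmazonEKSViewPolicy at cluster scope, which is enough to make the "Resources" tab work without granting write access.

```shell
#!/bin/sh
# Added example (not from the original post): CLI equivalent of the console
# steps "Access > IAM Access Entries > Create Access Entry" plus a verification.
# All values below are placeholders; override them via the environment.

CLUSTER_NAME="${CLUSTER_NAME:-my-cluster}"                                   # placeholder
ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"                                      # placeholder
SSO_ROLE_NAME="${SSO_ROLE_NAME:-AWSReservedSSO_PowerDeveloperAccess_uniqueid}" # placeholder
PRINCIPAL_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${SSO_ROLE_NAME}"
# Least privilege first: the AWS managed read-only EKS access policy.
POLICY_ARN="arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
# DRY_RUN=1 prints each command instead of executing it (default here).
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: create the access entry for the SSO role (Type: Standard).
create_access_entry() {
  run aws eks create-access-entry \
    --cluster-name "$CLUSTER_NAME" \
    --principal-arn "$PRINCIPAL_ARN" \
    --type STANDARD
}

# Step 2: attach an EKS access policy to the entry. The scope here is the
# whole cluster; use "type=namespace,namespaces=team-a" to confine it.
associate_policy() {
  run aws eks associate-access-policy \
    --cluster-name "$CLUSTER_NAME" \
    --principal-arn "$PRINCIPAL_ARN" \
    --policy-arn "$POLICY_ARN" \
    --access-scope type=cluster
}

# Step 3: verify as the PowerDeveloper role that the original error is gone.
# Run this with an SSO session for that permission set, not as Administrator.
verify_access() {
  run aws eks update-kubeconfig --name "$CLUSTER_NAME"
  run kubectl auth can-i list pods --all-namespaces
}

create_access_entry
associate_policy
verify_access
```

Run it once with the default DRY_RUN=1 to review the generated commands, then with DRY_RUN=0 from a session that has eks:CreateAccessEntry and eks:AssociateAccessPolicy. The verification step should print "yes" for the PowerDeveloper role once the policy association has propagated; if it still prints "no", check that the principal ARN on the access entry exactly matches the role ARN reported in the error message.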
