Code build role is not authorized to perform: sts:AssumeRole on resource

0

I have a code build leading to EKS. When it calls this particular command "CREDENTIALS=$(aws sts assume-role --role-arn arn:aws:iam::3318******:role/EksWorkshopCodeBuildKubectlRole --role-session-name code-build --duration-seconds 900)" I get an error "An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::331*****:assumed-role/codebuild-kubernetes-eks-service-role/AWSCodeBuild-31746234-c1a9-4fe9-9cbc-b0d54264613e is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::331879450537:role/EksWorkshopCodeBuildKubectlRole"

My code build trusted relationship looks like { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": {} } ] } I have an STS policy attached to my user, group, codebuils service role and eksworkshopkubectlrole. What could I be doing wrong

2回答
0

As per the documentation https://docs.aws.amazon.com/codebuild/latest/userguide/troubleshooting.html#troubleshooting-assume-role, the issue could be either STS is not active for the AWS region or CodeBuild service role associated with the build project does not exist or does not have sufficient permissions to trust CodeBuild.

akjone
回答済み 1年前
0

Would it work if you modify the trusted relationship as follows?

Before

"Principal": { "Service": "codebuild.amazonaws.com" }, 

After

"Principal": { "AWS": "arn:aws:iam::331879450537:role/codebuild-kubernetes-eks-service-role" }, 

I think that the principal that call the AssumeRole operation is not codebuild, but codebuild-kubernetes-eks-service-role. Of course, codebuild-kubernetes-eks-service-role must have permission to call assume role too.

imiky
回答済み 1年前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ