pods is forbidden: using SSO PowerUserAccess

0

Hello there,

We are using SSO for Azure (EntraID), and we have some permission sets attached to some of the users. We label them as "PowerDevelopers", and they have the PowerUserAccess managed AWS policy attached.

When navigating to EKS > Cluster Name > Resources - we are presented with the following error:

Error loading resources pods is forbidden: User "arn:aws:iam::accountnumberhere:role/AWSReservedSSO_PowerDeveloper_randomnumbershere" cannot list resource "pods" in API group "" at the cluster scope

It seems to work fine as Administrator, but I'd expect that, as everything is allowed. I've tried adding an inline policy or creating a customer managed policy with the following:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"eks:ListFargateProfiles",
				"eks:DescribeNodegroup",
				"eks:ListNodegroups",
				"eks:ListUpdates",
				"eks:AccessKubernetesApi",
				"eks:ListAddons",
				"eks:DescribeCluster",
				"eks:DescribeAddonVersions",
				"eks:ListClusters",
				"eks:ListIdentityProviderConfigs",
				"iam:ListRoles"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": "ssm:GetParameter",
			"Resource": "arn:aws:ssm:*:accountnumber:parameter/*"
		}
	]
}

But this doesn't seem to change anything. Does anyone have any guidance on permissions? I've been through a few articles online, but none of them seem to help me so far.

Thanks in advance for any help,

Zack

2 answers
0

To fix this, you'll need to ensure that the IAM role associated with the "PowerDevelopers" group has the right permissions for EKS access. This might involve modifying the existing PowerUserAccess policy or creating a custom policy that grants the required permissions.

Once you've updated the permissions, test access again to make sure users in the "PowerDevelopers" group can now list pods and other resources without any errors.

Remember to regularly review and update IAM policies to ensure users have the appropriate permissions for their roles.

By following these steps, you should be able to resolve the permissions issue and allow smooth access to resources in your EKS cluster for your "PowerDevelopers" group. If you need further assistance, consider reaching out to AWS support for guidance.

Expert
Answered a month ago
0

I logged a support ticket with AWS, seems the answer is this:

https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html#creating-access-entries

So in my particular example it was:

Console > EKS > Cluster > Access (This is in the middle on the tabs bar) > IAM Access Entries > Create Access Entry.

Then within the menu here:

IAM Principal ARN: this would be AWSReservedSSO_PowerDeveloperAccess_uniqueid

I presume if you're doing it via the AWS CLI you can follow the CLI instructions and may need the full ARN.

Type: Standard

Add any tags if you wish

Then select next add the policy you wish to apply and the access scope and test on the PowerDeveloper Role.

Answered a month ago
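The console steps in the answer above, done with the AWS CLI instead, as an added example that is not part of the original thread. The cluster name, account id and SSO role name are placeholders, the principal ARN uses the same path-less form shown in the question's error message, and the example attaches the read-only AmazonEKSViewPolicy, which is enough for the Resources tab to list pods without granting write access.

```shell
# Added example (not from the original thread): grant an SSO permission-set
# role Kubernetes API access on an EKS cluster through an access entry.
# CLUSTER, ACCOUNT_ID and SSO_ROLE are placeholders; override them via env.
set -eu

CLUSTER="${CLUSTER:-my-cluster}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
SSO_ROLE="${SSO_ROLE:-AWSReservedSSO_PowerDeveloper_abcdef0123456789}"
# Least privilege: view-only is enough to list pods in the console.
# Use AmazonEKSEditPolicy / AmazonEKSClusterAdminPolicy only if really needed.
POLICY_ARN="${POLICY_ARN:-arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy}"

# Role ARN in the form the error message shows (account id + role name, no path).
principal_arn() {
  printf 'arn:aws:iam::%s:role/%s' "$1" "$2"
}

# Executes the command, or only prints it when DRY_RUN=1 so it can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

grant_sso_role_cluster_view() {
  arn="$(principal_arn "$ACCOUNT_ID" "$SSO_ROLE")"
  # Access entries only work when the cluster's authentication mode is
  # API or API_AND_CONFIG_MAP; check it before creating anything.
  run aws eks describe-cluster --name "$CLUSTER" \
      --query cluster.accessConfig.authenticationMode --output text
  # Answer step 1: Create Access Entry, type Standard.
  run aws eks create-access-entry --cluster-name "$CLUSTER" \
      --principal-arn "$arn" --type STANDARD
  # Answer step 2: attach the access policy with cluster-wide scope.
  run aws eks associate-access-policy --cluster-name "$CLUSTER" \
      --principal-arn "$arn" --policy-arn "$POLICY_ARN" \
      --access-scope type=cluster
  # Verify what the role actually got before testing in the console.
  run aws eks list-associated-access-policies --cluster-name "$CLUSTER" \
      --principal-arn "$arn"
}

# Run as: DRY_RUN=1 sh grant.sh apply   (print only), then: sh grant.sh apply
if [ "${1:-}" = "apply" ]; then
  grant_sso_role_cluster_view
fi
```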
