Assumed role is not authorized to perform, sts:AssumeRole on resource

0

Hi, I need to keep minimum privilege access to Amazon Simple Systems Management at the pod level in Amazon Elastic Kubernetes Service (Amazon EKS) from my application with AWS Identity and Access Management (IAM) roles for service accounts (IRSA).

** IAM policy and role**

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeParameters",
                "ssm:GetParameterHistory",
                "ssm:DescribeDocumentParameters",
                "ssm:GetParametersByPath",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": "*"
        }
    ]
}

Trusted entities

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::234695550184:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/XYZ652C28241B8E83EA131BAB6C7F389"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.us-west-2.amazonaws.com/id/XYZ652C28241B8E83EA131BAB6C7F389:aud": "sts.amazonaws.com",
                    "oidc.eks.us-west-2.amazonaws.com/id/XYZ652C28241B8E83EA131BAB6C7F389:sub": "system:serviceaccount:default:test-service-account"
                }
            }
        }
    ]
}

Also, I have annotated the role to cluster's service account. I have verified that annotation using following command.

kubectl describe serviceaccount test-service-account -n default

I have got the following result,

Name:                        test-service-account
Namespace:               default
Labels:                       app.kubernetes.io/managed-by=eksctl
Annotations:             eks.amazonaws.com/role-arn: arn:aws:iam::123612345184:role/test-role
Image pull secrets:   <none>
Mountable secrets:   <none>
Tokens:                      <none>
Events:                       <none>

Configure a Pod to use a service account

We used the below yaml to configurer

cat >my-deployment-11.yaml <<EOF
apiVersion: batch/v1
kind: CronJob
metadata:
  name: "test-cronjob-1"
spec:
  schedule: "*/3 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: test-service-account
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: eks.amazonaws.com/nodegroup
                        operator: In
                        values:
                          - jrm-node-group-1       
          imagePullSecrets:
            - name: jrm-secret-name
          containers:
            - name: snapshotter
              image: 436692850155.dkr.ecr.us-west-2.amazonaws.com/jrm_snapshotter:qa_testdb07
              imagePullPolicy: Always
          restartPolicy: OnFailure          
EOF

using SDK and C# to get assumeRoleResponse

 var assumeRoleRequest = new AssumeRoleRequest
        {
            RoleArn = "arn:aws:iam::245692850184:role/my-role",
            RoleSessionName = "my-role",
            DurationSeconds = 900, // Adjust the duration as needed
        };

        var stsClient = new Amazon.SecurityToken.AmazonSecurityTokenServiceClient(new AmazonSecurityTokenServiceConfig
        {
            RegionEndpoint = Amazon.RegionEndpoint.GetBySystemName(region)
        });

        var assumeRoleResponse = stsClient.AssumeRoleAsync(assumeRoleRequest).GetAwaiter().GetResult();

when cronjob ran our application, we got the below exception Enter image description here

Thanks

1 Answer
0

Hi,

On the role you want to assume arn:aws:iam::245692850184:role/my-role

Add policy

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::123612345184:role/test-role”
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
profile picture
EXPERT
answered 25 days ago
  • Thank you for the heads-up, but the role he is trying to assume is different from the one he has been assigned by the IRSA.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions