pods is forbidden: using SSO PowerUserAccess

0

Hello there,

We are using SSO for Azure (Entra ID), and we have some permission sets attached to some of the users; we label them as "PowerDevelopers", and they have the PowerUserAccess managed AWS policy attached.

When navigating to EKS > Cluster Name > Resources - we are presented with the following error:

Error loading resources pods is forbidden: User "arn:aws:iam::accountnumberhere:role/AWSReservedSSO_PowerDeveloper_randomnumbershere" cannot list resource "pods" in API group "" at the cluster scope

It seems to work fine as Administrator, but I'd expect that, as everything is allowed. I've tried adding an inline policy or creating a customer managed policy with the following:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"eks:ListFargateProfiles",
				"eks:DescribeNodegroup",
				"eks:ListNodegroups",
				"eks:ListUpdates",
				"eks:AccessKubernetesApi",
				"eks:ListAddons",
				"eks:DescribeCluster",
				"eks:DescribeAddonVersions",
				"eks:ListClusters",
				"eks:ListIdentityProviderConfigs",
				"iam:ListRoles"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": "ssm:GetParameter",
			"Resource": "arn:aws:ssm:*:accountnumber:parameter/*"
		}
	]
}

But this doesn't seem to change anything. Does anyone have any guidance on permissions? I've been through a few articles online, but none of them seem to help me so far.

Thanks in advance for any help,

Zack

2 Answers
0

To fix this, you'll need to ensure that the IAM role associated with the "PowerDevelopers" group has the right permissions for EKS access. This might involve modifying the existing PowerUserAccess policy or creating a custom policy that grants the required permissions.

Once you've updated the permissions, test access again to make sure users in the "PowerDevelopers" group can now list pods and other resources without any errors.

Remember to regularly review and update IAM policies to ensure users have the appropriate permissions for their roles.

By following these steps, you should be able to resolve the permissions issue and allow smooth access to resources in your EKS cluster for your "PowerDevelopers" group. If you need further assistance, consider reaching out to AWS support for guidance.

EXPERT
answered 23 days ago
0

I logged a support ticket with AWS, seems the answer is this:

https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html#creating-access-entries

So in my particular example it was:

Console > EKS > Cluster > Access (This is in the middle on the tabs bar) > IAM Access Entries > Create Access Entry.

Then within the menu here:

IAM Principal ARN: this would be AWSReservedSSO_PowerDeveloperAccess_uniqueid

I presume if you're doing it via the AWS CLI you can follow the CLI instructions and may need the full ARN.

Type: Standard

Add any tags if you wish

Then select Next, add the policy you wish to apply and the access scope, and test on the PowerDeveloper role.

answered 16 days ago
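The same access-entry setup done from the AWS CLI, as an added example that is not part of either answer. It assumes placeholder cluster, account and role names, and it follows the asker's error message in using the role ARN without its SSO path (the path-less form is what EKS reports as the principal); it starts the SSO role on the view-only EKS access policy instead of admin.

```shell
#!/bin/sh
# Added example (not from the question or answers): create an EKS access entry
# for an IAM Identity Center (SSO) role and attach a read-only access policy.
# Cluster name, account id and role name are placeholders you must replace.
# The cluster's authentication mode must be API or API_AND_CONFIG_MAP; check with:
#   aws eks describe-cluster --name <cluster> --query cluster.accessConfig.authenticationMode
set -eu

# Strip the SSO path from a role ARN. Identity Center roles carry a path like
# role/aws-reserved/sso.amazonaws.com/<region>/AWSReservedSSO_..., while the
# asker's error message shows EKS naming the principal without it (assumption:
# the path-less form is the one EKS matches; confirm against the linked docs).
sso_role_arn() {
    full_arn="$1"
    account="$(printf '%s' "$full_arn" | cut -d: -f5)"
    role="${full_arn##*/}"
    printf 'arn:aws:iam::%s:role/%s' "$account" "$role"
}

# Map a coarse level to a managed EKS access policy ARN. Developers start on
# view-only; widen to edit or admin only when a concrete need appears.
access_policy_arn() {
    case "$1" in
        view)  printf 'arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy' ;;
        edit)  printf 'arn:aws:eks::aws:cluster-access-policy/AmazonEKSEditPolicy' ;;
        admin) printf 'arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy' ;;
        *)     echo "unknown level: $1" >&2; return 1 ;;
    esac
}

# Create the access entry, associate the policy at cluster scope, then list
# what EKS now holds for the principal so the grant can be reviewed.
grant_cluster_access() {
    cluster="$1"; full_arn="$2"; level="$3"
    principal="$(sso_role_arn "$full_arn")"
    policy="$(access_policy_arn "$level")"
    aws eks create-access-entry --cluster-name "$cluster" \
        --principal-arn "$principal" --type STANDARD
    aws eks associate-access-policy --cluster-name "$cluster" \
        --principal-arn "$principal" --policy-arn "$policy" \
        --access-scope type=cluster
    aws eks list-associated-access-policies --cluster-name "$cluster" \
        --principal-arn "$principal"
}

# Usage with placeholders (to limit the grant to namespaces, use
# --access-scope type=namespace,namespaces=dev instead of type=cluster):
# grant_cluster_access my-cluster \
#   arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_PowerDeveloper_abc123 view
```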
