Problem with IAM role

Question

Greetings,

We have been trying to integrate aws ex with a third party solution (prisma cloud compute protection) for a long time.
It is properly up and running EKS, however when we follow the integration steps
https://docs.paloaltonetworks.com/prisma/prisma-cloud/30/prisma-cloud-compute-edition-admin/install/deploy-console/console-on-kubernetes
on step 3: $ kubectl create -f twistlock_console.yaml
we constantly get this error that we don't understand and can't solve:
1. [ec2-user@ip-172-31-92-218 prisma_cloud]$ kubectl create -f twistlock_console.yaml
The connection to the server localhost:8080 was refused - did you specify the right host or port?

2. [ec2-user@ip-172-31-92-218 prisma_cloud]$ aws ex update-kubeconfig \
> --region us-east-1 \
> --name ex-cluster \
> --role-arn arn:aws:iam::269721186581:role/eks-cluster-polisa-new
Added new context arn:aws:eks:us-east-1:269721186581:cluster/eks-cluster to /home/ec2-user/.kube/config
3. The error we get when we repeat the command
  kubectl create -f twistlock_console.yaml

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::269721186581:assumed-role/eks-worker-node-policy/i-03026de103a4602e7 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::269721186581:role/eks-cluster-polisa-new
Unable to connect to the server: getting credentials: exec: executable aws failed with exit code 254
[ec2-user@ip-172-31-92-218 prisma_cloud]$

Please, help us, what to look to solve this problem.
Thank you in advance

Answer

Make sure that the role is allowed to be assumed by EC2 instances with a trust profile such as this:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Problem with IAM role

Relevant content