创建 EKS 集群时出现 OpenIDC 错误


【以下的问题经过翻译处理】 我正在用 eksctl 从头创建一个 EKS 集群，但每次都在"创建 OIDC 提供商"这一步失败，错误如下: 2023-03-28 15:08:05 [✖] 创建 OIDC 提供商:操作错误 IAM:

CreateOpenIDConnectProvider, https response error StatusCode: 403, RequestID: bacf7543-bfe0-4b1c-982e-a81e61cef1c7, api error AccessDenied: User: arn:aws:sts::*:assumed-role/DEV-EC2-JenkinsMaster-Instance/i-09f8b9ad4eb5hhh09 is not authorized to perform: iam:TagOpenIDConnectProvider on resource: arn:aws:iam::*:oidc-provider/oidc.eks.us-east-1.amazonaws.com because no identity-based policy allows the iam:TagOpenIDConnectProvider action

经过大量排查，我确认该实例角色（DEV-EC2-JenkinsMaster-Instance）上附加的是我之前编写的以下策略：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:DeleteInternetGateway",
            "Resource": "arn:aws:ec2:*:*:internet-gateway/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:ModifyListener",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeInstances",
                "ec2:AttachInternetGateway",
                "ec2:DeleteRouteTable",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:DescribeVolumes",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeKeyPairs",
                "iam:GetRole",
                "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
                "ec2:ImportKeyPair",
                "ec2:CreateTags",
                "elasticloadbalancing:CreateTargetGroup",
                "ecr:GetAuthorizationToken",
                "ec2:RunInstances",
                "ec2:DisassociateRouteTable",
                "ec2:CreateVolume",
                "ec2:RevokeSecurityGroupIngress",
                "elasticloadbalancing:AddTags",
                "ec2:DescribeImageAttribute",
                "elasticloadbalancing:DeleteLoadBalancerListeners",
                "ec2:DeleteNatGateway",
                "autoscaling:DeleteAutoScalingGroup",
                "ec2:CreateSubnet",
                "ec2:DescribeSubnets",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "ecr:InitiateLayerUpload",
                "ec2:AttachVolume",
                "ec2:CreateNatGateway",
                "ec2:CreateVpc",
                "ecr:ListImages",
                "ec2:DescribeVpcAttribute",
                "ec2:ModifySubnetAttribute",
                "autoscaling:DescribeScalingActivities",
                "ec2:DescribeAvailabilityZones",
                "ssm:GetParametersByPath",
                "elasticloadbalancing:CreateLoadBalancerPolicy",
                "ec2:ReleaseAddress",
                "ec2:DeleteLaunchTemplate",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:DeleteTargetGroup",
                "ec2:DescribeSecurityGroups",
                "autoscaling:CreateLaunchConfiguration",
                "ec2:CreateLaunchTemplate",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                "ec2:DescribeVpcs",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DetachLoadBalancerFromSubnets",
                "ec2:DeleteSubnet",
                "elasticloadbalancing:RegisterTargets",
                "ec2:DescribeVolumesModifications",
                "ssm:GetParameter",
                "ec2:AssociateRouteTable",
                "elasticloadbalancing:DeleteLoadBalancer",
                "ec2:DescribeInternetGateways",
                "elasticloadbalancing:DescribeLoadBalancers",
                "ec2:DeleteVolume",
                "ssm:DeleteParameter",
                "ssm:DescribeParameters",
                "autoscaling:DescribeAutoScalingGroups",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "autoscaling:UpdateAutoScalingGroup",
                "ec2:DescribeAccountAttributes",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "ec2:DescribeRouteTables",
                "ecr:BatchCheckLayerAvailability",
                "ec2:DetachVolume",
                "ec2:ModifyVolume",
                "ec2:DescribeLaunchTemplates",
                "ecr:GetDownloadUrlForLayer",
                "ec2:CreateRouteTable",
                "cloudformation:*",
                "elasticloadbalancing:DeregisterTargets",
                "ec2:DetachInternetGateway",
                "ssm:GetParameters",
                "ssm:DeleteParameters",
                "ecr:PutImage",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "ssm:PutParameter",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ec2:DeleteVpc",
                "eks:*",
                "autoscaling:CreateAutoScalingGroup",
                "ec2:DescribeAddresses",
                "ec2:DeleteTags",
                "elasticloadbalancing:ConfigureHealthCheck",
                "autoscaling:DescribeLaunchConfigurations",
                "ec2:DescribeDhcpOptions",
                "ecr:UploadLayerPart",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:DescribeListeners",
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateSecurityGroup",
                "ecr:CompleteLayerUpload",
                "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
                "kms:DescribeKey",
                "ecr:DescribeRepositories",
                "ec2:ModifyVpcAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:AuthorizeSecurityGroupEgress",
                "elasticloadbalancing:AttachLoadBalancerToSubnets",
                "ec2:DescribeTags",
                "ssm:GetParameterHistory",
                "ec2:DeleteRoute",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeNatGateways",
                "elasticloadbalancing:CreateLoadBalancerListeners",
                "ec2:AllocateAddress",
                "ec2:DescribeImages",
                "autoscaling:DeleteLaunchConfiguration",
                "ec2:DeleteSecurityGroup",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:ModifyTargetGroup"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
                }
            }
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:ListInstanceProfiles",
                "iam:AddRoleToInstanceProfile",
                "iam:CreateOpenIDConnectProvider",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:CreateServiceLinkedRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:DeleteRolePolicy",
                "iam:DeleteServiceLinkedRole",
                "iam:GetRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::*:instance-profile/eksctl-*",
                "arn:aws:iam::*:role/eksctl-*",
                "arn:aws:iam::*:role/aws-service-role/eks.amazonaws.com/*",
                "arn:aws:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/*",
                "arn:aws:iam::*:oidc-provider/*"
            ]
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": "iam:GetOpenIDConnectProvider",
            "Resource": "arn:aws:iam::*:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/*"
        }
    ]
}

那么我遗漏了哪个权限？


【以下的回答经过翻译处理】 你好,Systemgeek,

根据错误消息，失败原因是你的实例角色 DEV-EC2-JenkinsMaster-Instance 没有被任何基于身份的策略授予 iam:TagOpenIDConnectProvider 权限。被拒绝的 API 调用是 CreateOpenIDConnectProvider，但被拒的动作是 TagOpenIDConnectProvider——这说明 eksctl 在创建 OIDC 提供商的同一次调用里为它打了标签，因此只授予 iam:CreateOpenIDConnectProvider 是不够的。

在你贴出的策略里，VisualEditor3 语句只包含 iam:CreateOpenIDConnectProvider，没有 iam:TagOpenIDConnectProvider。修复方法：把 "iam:TagOpenIDConnectProvider" 加入 VisualEditor3 的 Action 列表（该语句的 Resource 已经包含 arn:aws:iam::*:oidc-provider/*，不需要再改资源），然后重新执行创建。另外几点值得一并处理：(1) 以后执行 eksctl delete cluster 还会用到 iam:DeleteOpenIDConnectProvider，建议同时加入；(2) VisualEditor4 只允许对 arn:aws:iam::*:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/* 调用 iam:GetOpenIDConnectProvider，而错误消息里的集群在 us-east-1，下一步很可能在 GetOpenIDConnectProvider 上再次被拒，请把区域改成 us-east-1（或改为 oidc.eks.*.amazonaws.com/*）；(3) 从最小权限角度，Resource 中账号位的 * 应替换为你自己的账号 ID，cloudformation:* 和 eks:* 也宜收敛为实际用到的操作；(4) 这个角色对 arn:aws:iam::*:role/eksctl-* 同时拥有 iam:CreateRole、iam:AttachRolePolicy、iam:PutRolePolicy 和 iam:PassRole，意味着 Jenkins 实例可以创建一个名为 eksctl-* 的角色并给它附加任意策略再传递出去，建议用 iam:PermissionsBoundary 条件约束 CreateRole，或用 iam:PolicyARN 条件限制可附加的托管策略。

eksctl 官方文档列出了创建 EKS 集群所需的最小 IAM 策略，其中 IAM 部分的示例策略包含 OIDC 提供商相关的操作；请参考 https://eksctl.io/usage/minimum-iam-policies/ 并与你当前的策略逐条对比，补齐缺失的动作而不是直接放宽到 iam:*。

希望这可以帮助到你!
