1 answer
Hi,
The user (or service, like CloudFormation) with which you're trying to pass this role to EKS is not allowed to do so. See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
To configure many AWS services, you must pass an IAM role to the service. This allows the service to assume the role later and perform actions on your behalf. For most services, you only have to pass the role to the service once during setup, and not every time that the service assumes the role. For example, assume that you have an application running on an Amazon EC2 instance. That application requires temporary credentials for authentication, and permissions to authorize the application to perform actions in AWS. When you set up the application, you must pass a role to Amazon EC2 to use with the instance that provides those credentials. You define the permissions for the applications running on the instance by attaching an IAM policy to the role. The application assumes the role every time it needs to perform the actions that are allowed by the role.
So, you should give "iam:GetRole" and "iam:PassRole" to the principal (user, role, service, etc.) trying to launch your EKS cluster. Full details are on the page mentioned above.
Best,
Duder
Hi, thanks for your answer. I have tried adding the pass roles "iam:GetRole" and "iam:PassRole" in the EKS cluster policy, but now I am getting a different error: " error updating IAM Role (eksclusterrole) assume role policy: MalformedPolicyDocument: Has prohibited field Resource │ status code: 400, request id: 23c7a51a-05e5-41d8-bc3e-cd2238752828 ". Do you need to make any modification to the roles?
This is my tf code:
```hcl
resource "aws_iam_role" "globalrole" {
  name = "eksclusterrole"

  # Trust policy: lets the EKS service assume this role
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "eks.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
POLICY
}

resource "aws_iam_role_policy_attachment" "globalatachment1" {
  policy_arn = "arn:aws:iam::401231317770:policy/eks-new-2023-cluster"
  role       = aws_iam_role.globalrole.name
}

resource "aws_iam_role_policy_attachment" "globalatachment" {
  policy_arn = "arn:aws:iam::aws:policy/aws-service-role/AmazonEKSServiceRolePolicy"
  role       = aws_iam_role.globalrole.name
}
```
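The split Duder describes, as an added example that is not the thread's own code: the EKS role's trust policy stays limited to the service principal (a Resource field there is what the MalformedPolicyDocument error rejects), while iam:GetRole and iam:PassRole go in a separate permissions policy attached to the principal that runs the apply. The IAM user name eks-deployer is an assumed placeholder for that principal.

```hcl
# Trust policy: only Effect/Principal/Action; no "Resource" element belongs here.
data "aws_iam_policy_document" "eks_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["eks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "globalrole" {
  name               = "eksclusterrole"
  assume_role_policy = data.aws_iam_policy_document.eks_trust.json
}

# Permissions policy for the caller that creates the cluster. PassRole is
# scoped to this one role and, via iam:PassedToService, to the EKS service
# only, so the caller cannot hand the role to any other service.
data "aws_iam_policy_document" "deployer_passrole" {
  statement {
    effect    = "Allow"
    actions   = ["iam:GetRole"]
    resources = [aws_iam_role.globalrole.arn]
  }
  statement {
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = [aws_iam_role.globalrole.arn]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["eks.amazonaws.com"]
    }
  }
}

resource "aws_iam_policy" "deployer_passrole" {
  name   = "eks-deployer-passrole"
  policy = data.aws_iam_policy_document.deployer_passrole.json
}

# "eks-deployer" is an assumed placeholder for whichever principal runs terraform apply.
resource "aws_iam_user_policy_attachment" "deployer_passrole" {
  user       = "eks-deployer"
  policy_arn = aws_iam_policy.deployer_passrole.arn
}
```

If the deploying principal is a role (for example a CI runner) rather than a user, attach the same policy with aws_iam_role_policy_attachment instead.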