Roles with paths do not work when the path is included in their ARN in the aws-auth configmap · Issue #268 · kubernetes-sigs/aws-iam-authenticator
I have a role with an ARN that looks like this: `arn:aws:iam::XXXXXXXXXXXX:role/gitlab-ci/gitlab-runner`. My aws-auth configmap was as follows:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/EKSWorkerNode
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/EKSServiceWorker
      username: kubernetes-admin
      groups:
        - system:masters
    - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/gitlab-ci/gitlab-runner
      username: gitlab-admin
      groups:
        - system:masters
```
I repeatedly got unauthorized errors from the cluster until I updated the rolearn to `arn:aws:iam::XXXXXXXXXXXX:role/gitlab-runner`. After that change my access worked as expected.
If it makes a difference, I'm using assume-role on our gitlab-runner, and using `aws eks update-kubeconfig --region=us-east-1 --name=my-cluster` to get kubectl configured.
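The following Python script is an added illustration of the matching problem described above; it is not code from the issue or from aws-iam-authenticator. It assumes two things: that the identity the authenticator sees for an assumed role is the STS `assumed-role` ARN, which by construction carries only the role name and never the role path, and that a configured `rolearn` is compared against the path-less role ARN derived from that identity. The account ID, session name and `mapRoles` entries are constructed from the ConfigMap in the issue; the function names are the script's own.

```python
import re

# Constructed sample: the mapRoles entries from the issue, with a placeholder account.
MAP_ROLES = [
    {"rolearn": "arn:aws:iam::123456789012:role/EKSWorkerNode",
     "username": "system:node:{{EC2PrivateDNSName}}",
     "groups": ["system:bootstrappers", "system:nodes"]},
    {"rolearn": "arn:aws:iam::123456789012:role/EKSServiceWorker",
     "username": "kubernetes-admin", "groups": ["system:masters"]},
    {"rolearn": "arn:aws:iam::123456789012:role/gitlab-ci/gitlab-runner",
     "username": "gitlab-admin", "groups": ["system:masters"]},
]

# Constructed sample: what sts:GetCallerIdentity reports for a session on the
# path-bearing role. The assumed-role ARN has the role name only; the path is gone.
CALLER_ARN = "arn:aws:sts::123456789012:assumed-role/gitlab-runner/gitlab-ci-job"

_ROLE_RE = re.compile(
    r"^arn:(?P<part>[^:]+):iam::(?P<acct>\d{12}):role/(?P<rest>.+)$")
_ASSUMED_RE = re.compile(
    r"^arn:(?P<part>[^:]+):sts::(?P<acct>\d{12}):assumed-role/(?P<name>[^/]+)/[^/]+$")


def canonical_role_arn(arn: str) -> str:
    """Map an IAM role ARN (with or without a path) or an STS assumed-role ARN
    to a path-less IAM role ARN. (Assumed model of how matching is done.)"""
    m = _ROLE_RE.match(arn)
    if m:
        name = m["rest"].rsplit("/", 1)[-1]  # drop any path components
        return f"arn:{m['part']}:iam::{m['acct']}:role/{name}"
    m = _ASSUMED_RE.match(arn)
    if m:
        return f"arn:{m['part']}:iam::{m['acct']}:role/{m['name']}"
    raise ValueError(f"not a role or assumed-role ARN: {arn}")


def find_mapping(map_roles, caller_arn, canonicalize_config=False):
    """Return the mapRoles entry for the caller's identity, or None.

    canonicalize_config=False compares the configured rolearn literally against
    the path-less ARN derived from the caller (the behaviour the reporter hit).
    canonicalize_config=True also strips the path from the configured ARN,
    which is what a fix on the authenticator side would have to do."""
    want = canonical_role_arn(caller_arn)
    for entry in map_roles:
        configured = entry["rolearn"]
        if canonicalize_config:
            configured = canonical_role_arn(configured)
        if configured == want:
            return entry
    return None


def entries_with_paths(map_roles):
    """Lint helper: configured rolearns whose role segment still contains a path."""
    flagged = []
    for entry in map_roles:
        m = _ROLE_RE.match(entry["rolearn"])
        if m and "/" in m["rest"]:
            flagged.append(entry["rolearn"])
    return flagged


def fixed_map_roles(map_roles):
    """Rewrite every rolearn to its path-less form (the workaround in the issue)."""
    return [{**e, "rolearn": canonical_role_arn(e["rolearn"])} for e in map_roles]


if __name__ == "__main__":
    print("caller canonical ARN:", canonical_role_arn(CALLER_ARN))
    print("literal match:", find_mapping(MAP_ROLES, CALLER_ARN))
    print("entries to fix:", entries_with_paths(MAP_ROLES))
    print("after fix:", find_mapping(fixed_map_roles(MAP_ROLES), CALLER_ARN)["username"])
```

Run against the sample data, the literal lookup returns nothing for the `gitlab-ci/gitlab-runner` entry while the path-less rewrite maps the same session to `gitlab-admin`, which is the change the reporter made by hand. `entries_with_paths` is the check to run over an aws-auth ConfigMap before rolling it out.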