
Failed with IAM Roles chapter (kube2iam section)

Open vietwow opened this issue 6 years ago • 2 comments

Hi,

I followed the chapter https://github.com/aws-samples/aws-workshop-for-kubernetes/tree/master/roles on Kubernetes v1.8.5 (which was created by kops 1.8) using the Calico network:

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: kube2iam
  labels:
    app: kube2iam
spec:
  template:
    metadata:
      labels:
        name: kube2iam
    spec:
      hostNetwork: true
      containers:
        - image: jtblin/kube2iam:latest
          name: kube2iam
          args:
            - "--iptables=true"
            - "--host-ip=$(HOST_IP)"
            - "--host-interface=cali+"
          env:
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          ports:
            - containerPort: 8181
              hostPort: 8181
              name: http
          securityContext:
            privileged: true

Everything is OK until the final step; I got the error below when testing the result:

$ kubectl exec -it aws-cli aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".
command terminated with exit code 255

It seems that the pod "aws-cli" doesn't recognize the AWS role and is still looking for AWS credentials. But why? Can anyone help me? Thank you so much

Best Regards, VietNC

vietwow avatar Dec 21 '17 07:12 vietwow

Module has been moved to https://github.com/aws-samples/aws-workshop-for-kubernetes/blob/master/04-path-security-and-networking/402-authentication-and-authorization/readme.adoc

The role should have been granted the AmazonS3ReadOnlyAccess policy using the step https://github.com/aws-samples/aws-workshop-for-kubernetes/blame/master/04-path-security-and-networking/402-authentication-and-authorization/readme.adoc#L216

aws iam attach-role-policy --role-name MyPodRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Can you confirm that the role has the policy using the following command: aws iam list-attached-role-policies --role-name MyPodRole? You should get output similar to:

{
    "AttachedPolicies": [
        {
            "PolicyName": "AmazonS3ReadOnlyAccess", 
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
        }
    ]
}

buzzsurfr avatar Jun 14 '18 11:06 buzzsurfr

I have the same issue

Unable to locate credentials. You can configure credentials by running "aws configure".
command terminated with exit code 255

I think it's related to permissions. The kube2iam logs have this error:

Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:default:default" cannot list namespaces at the cluster scope

So the network is restricted (by the flag --iptables=true) but the kube2iam proxy is not working, so when the container tries to call http://169.254.169.254/ it fails.

Kubernetes 1.9.6 Kops 1.9.1

miki79 avatar Jun 22 '18 14:06 miki79
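The forbidden error quoted above explains both reports in this thread: kube2iam learns which IAM role a pod may assume by watching pods and namespaces through the API server, and when it runs as the `default` service account on a cluster that enforces RBAC it cannot list them, so the proxy has nothing to hand out and the metadata request from the aws-cli pod ends in "Unable to locate credentials". The manifest below is an added example, not code from the workshop or from the kube2iam project. It gives kube2iam its own service account with a read-only ClusterRole on pods and namespaces, runs the DaemonSet from the original post under that service account, and shows a test pod carrying the `iam.amazonaws.com/role` annotation that kube2iam reads. The kube-system namespace, the names `kube2iam`, and the `amazon/aws-cli` image are assumptions; `MyPodRole` is the role name used earlier in this thread, and the image, args and Calico interface pattern come from the original post.

```yaml
# ServiceAccount for kube2iam, so the DaemonSet no longer runs as
# system:serviceaccount:default:default (assumed: namespace kube-system).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube2iam
  namespace: kube-system
---
# Least-privilege ClusterRole: kube2iam only needs to read pods (to find the
# iam.amazonaws.com/role annotation) and namespaces (for per-namespace role
# restrictions). No write verbs, no other resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube2iam
rules:
  - apiGroups: [""]
    resources: ["namespaces", "pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube2iam
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube2iam
subjects:
  - kind: ServiceAccount
    name: kube2iam
    namespace: kube-system
---
# The DaemonSet from the original post, now bound to the service account above.
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: kube2iam
  namespace: kube-system
  labels:
    app: kube2iam
spec:
  template:
    metadata:
      labels:
        name: kube2iam
    spec:
      serviceAccountName: kube2iam   # the only change to the original DaemonSet
      hostNetwork: true
      containers:
        - image: jtblin/kube2iam:latest
          name: kube2iam
          args:
            - "--iptables=true"          # redirect 169.254.169.254 from pods to kube2iam
            - "--host-ip=$(HOST_IP)"
            - "--host-interface=cali+"   # Calico pod interfaces, as in the original post
          env:
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          ports:
            - containerPort: 8181
              hostPort: 8181
              name: http
          securityContext:
            privileged: true
---
# Test pod: kube2iam serves MyPodRole's credentials only to pods that carry
# this annotation; without it (and without --default-role) there is no role
# to hand out and the AWS CLI reports missing credentials.
apiVersion: v1
kind: Pod
metadata:
  name: aws-cli
  annotations:
    iam.amazonaws.com/role: MyPodRole
spec:
  containers:
    - name: aws-cli
      image: amazon/aws-cli        # assumed image; substitute the one from the workshop
      command: ["sleep", "3600"]
```

After `kubectl apply -f` on this file, the forbidden line should stop appearing in `kubectl -n kube-system logs -l name=kube2iam`, and `kubectl auth can-i list namespaces --as=system:serviceaccount:kube-system:kube2iam` should answer `yes` before the `kubectl exec -it aws-cli aws s3 ls` test from the original post is retried. The ClusterRole stays read-only on purpose: kube2iam impersonates roles on behalf of every pod on the node, so it should hold no more cluster permissions than the watch it needs.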