Cloudformation for a kube2iam role



I'm having trouble creating a role for kube2iam. Everything seems to work fine: I deploy the stack with the role and the pods spin up, but whenever a pod tries to perform an authorized action (put an item into Dynamo in this case) I get an error that the assumed role is not authorized. Here's the snippet that creates the role:

    ServiceRole:
      Type: "AWS::IAM::Role"
      Properties:
        RoleName:
          Ref: StackName
        # trust policy: who may assume this role
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                Service:
                  - "ec2.amazonaws.com"
              Action:
                - "sts:AssumeRole"
        Path: "/"
        # permissions policy: what the role may do
        Policies:
          - PolicyName:
              Ref: StackName
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: "Allow"
                  Action:
                    - dynamodb:PutItem
                  Resource:
                    Fn::GetAtt: [Table, Arn]

The table is elsewhere in the same stack and deploys just fine. I deployed kube2iam via a Helm chart.

The error I get is:

    User: arn:aws:sts::<BLAHBLAH>:assumed-role/nodes.k8s.logint.cimpress.io/<BLAHBLAH> is not authorized to perform: dynamodb:PutItem on resource <BLAHBLAH>

I also tried this for the assume role:

    - Effect: "Allow"
      Principal:
        AWS: "arn:aws:iam::<BLAHBLAH>:role/nodes.<BLAHBLAH>"
      Action:
        - "sts:AssumeRole"

I still get the same error.










kubernetes amazon-cloudformation amazon-iam






edited Mar 8 at 0:54 by Lev Kuznetsov

asked Mar 7 at 14:02 by Lev Kuznetsov












  • Can you add the YAML where you specify your IAM role with the annotation? Also, your assumerole is incorrect. You need to whitelist the role attached to your worker node.

    – MC_
    Mar 7 at 18:02

  • Pods are controlled by a deployment; the annotation is under spec.template.metadata.annotations['iam.amazonaws.com/role']: arn:aws:iam::<BLAHBLAH>:role/<BLAHBLAH>. This is a real role I can see from the console. For the second part, is there documentation on that? I don't know what it means.

    – Lev Kuznetsov
    Mar 7 at 18:08
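Two things a practitioner would want at this point, as an added example that is not part of the original question, the comments, or the kube2iam project. First, a triage of the AccessDenied message: the identity it names is the node instance role (`assumed-role/nodes.k8s.…/…`), which means the pod received the instance's own credentials from the real EC2 metadata endpoint rather than anything kube2iam handed out, so the trust policy of the target role is not what is failing. Second, a CloudFormation role pair in which the target role trusts the node role as an AWS principal and the node role is allowed `sts:AssumeRole` on roles under a dedicated path, which is the "whitelist the role attached to your worker node" the first comment refers to. The `StackName` and `NodeRoleName` parameters, the `Table` resource, the `/kube2iam/` path and the sample error text are assumptions of this example.

```python
"""kube2iam role triage plus a corrected CloudFormation role pair.
Added example, not code from the original post or from kube2iam. The StackName
and NodeRoleName parameters, the Table resource, the /kube2iam/ path and
SAMPLE_ERROR are assumptions made for illustration."""
import re
from typing import Optional

# Caller identity as it appears in an AccessDenied message:
#   arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
ASSUMED_ROLE_RE = re.compile(
    r"arn:aws:sts::(?P<account>[^:\s]*):assumed-role/(?P<role>[^/\s]+)/(?P<session>\S+)"
)

# Constructed sample shaped like the error in the question (account, cluster and
# table names are made up). Note the caller is the node role, not the pod's role.
SAMPLE_ERROR = (
    "User: arn:aws:sts::123456789012:assumed-role/nodes.k8s.example.internal/"
    "i-0123456789abcdef0 is not authorized to perform: dynamodb:PutItem on "
    "resource arn:aws:dynamodb:us-east-1:123456789012:table/orders"
)


def acting_role(error_message: str) -> Optional[str]:
    """Role that made the denied call, or None if the message has no STS ARN."""
    m = ASSUMED_ROLE_RE.search(error_message)
    return m.group("role") if m else None


def diagnose(error_message: str, node_role_name: str, annotated_role_name: str) -> str:
    """Classify an AccessDenied raised from a pod annotated with iam.amazonaws.com/role.
    NODE_CREDENTIALS: the pod used the instance's own credentials, so its metadata
    request never reached kube2iam (no iptables redirect, or wrong host interface);
    editing the target role cannot fix this. TARGET_ROLE_DENIED: kube2iam handed out
    the annotated role; fix that role's permissions or the resource ARN.
    UNEXPECTED_ROLE: a third role answered; check the annotation and --default-role."""
    role = acting_role(error_message)
    if role is None:
        return "UNPARSEABLE"
    if role == node_role_name:
        return "NODE_CREDENTIALS"
    if role == annotated_role_name:
        return "TARGET_ROLE_DENIED"
    return "UNEXPECTED_ROLE"


def kube2iam_role_resources(path: str = "/kube2iam/") -> dict:
    """CloudFormation resources (JSON form) for a role kube2iam can give to pods.
    Unlike the question's template, the target role trusts the node instance role
    (an AWS principal, not the ec2.amazonaws.com service principal), and the node
    role gets sts:AssumeRole on roles under `path`, because kube2iam calls AssumeRole
    with the node's credentials. NodeRoleName is assumed to be a template parameter
    holding the existing node role's name (e.g. nodes.<cluster> on a kops cluster)."""
    role_prefix = "arn:aws:iam::${AWS::AccountId}:role"
    return {
        "ServiceRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": {"Ref": "StackName"},
                "Path": path,
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": {"Fn::Sub": role_prefix + "/${NodeRoleName}"}},
                        "Action": "sts:AssumeRole",
                    }],
                },
                "Policies": [{
                    "PolicyName": {"Ref": "StackName"},
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": ["dynamodb:PutItem"],
                            "Resource": {"Fn::GetAtt": ["Table", "Arn"]},
                        }],
                    },
                }],
            },
        },
        # Attached to the existing node role and scoped to `path`, so nodes cannot
        # assume arbitrary roles in the account.
        "NodesMayAssumeKube2iamRoles": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "kube2iam-assume-role",
                "Roles": [{"Ref": "NodeRoleName"}],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                   "Resource": {"Fn::Sub": role_prefix + path + "*"}}],
                },
            },
        },
    }
```

`json.dumps({"Resources": kube2iam_role_resources()})` yields a fragment that drops into the stack which defines `Table`; the `Path` plus a scoped `Resource` on the node policy keeps nodes from assuming every role in the account. To see which identity a pod actually receives, run `curl -s 169.254.169.254/latest/meta-data/iam/security-credentials/` from inside the pod: with kube2iam intercepting it returns the annotated role name, and if it returns the node role name the metadata redirect is not in place (in the stable/kube2iam Helm chart that is `host.iptables=true` together with a `host.interface` value matching the CNI's pod interface pattern), in which case no trust-policy change will alter the result.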

















