I have an IAM account in my root AWS Account.
This then assumes roles in various other accounts to perform deployment actions, dev, test, shared etc
When pushing the ECR image to a shared AWS account this works fine using the pipe atlassian/aws-ecr-push-image:2.4.2 and the AWS_ROLE_ARN property:
"arn:aws:iam::$AWS_ECR_ACCOUNT_ID:role/ROLENAME"
However when I use the pipe: atlassian/aws-eks-kubectl-run:2.8.1 to run KUBECTL commands and using the ROLE_ARN property to specify the role to assume:
"arn:aws:iam::$AWS_DEV_ACCOUNT:role/DEV_ROLE_NAME"
The run fails with the following error:
An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::ROOT-AWS_ACCOUNT:user/deploy-service is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-1:ROOT-AWS_ACCOUNT:cluster/EKS-CLUSTER-NAME
I don't think this is specifically a permissions issue, it seems more like it is not targeting the correct AWS account. The EKS cluster does not exist in the root account but a different one. However it doesn't seem to be switching to the correct AWS account when applying the ROLE_ARN.
I don't see another property in the pipe config to allow me to specify an AWS account to target?
has anyone come across this or have any suggestions?
Thanks
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.