I have an IAM account in my root AWS Account.
This then assumes roles in various other accounts to perform deployment actions (dev, test, shared, etc.).
When pushing the ECR image to a shared AWS account this works fine using the pipe atlassian/aws-ecr-push-image:2.4.2 and the AWS_ROLE_ARN property:
An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::ROOT-AWS_ACCOUNT:user/deploy-service is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-1:ROOT-AWS_ACCOUNT:cluster/EKS-CLUSTER-NAME
I don't think this is specifically a permissions issue; it seems more like it is not targeting the correct AWS account. The EKS cluster does not exist in the root account but in a different one. However, it doesn't seem to be switching to the correct AWS account when applying the ROLE_ARN.
I don't see another property in the pipe config to allow me to specify an AWS account to target?
Has anyone come across this or have any suggestions?
Thanks
Hi @tochi. The reason could be that aws-ecr-push-image supports assuming a role ARN, but aws-eks-kubectl-run currently does not.
We will add this feature to the aws-eks-kubectl-run pipe and notify you when the new version is released.
Regards, Igor
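The quickest way to confirm Igor's explanation from the error text alone is to look at who the principal in the AccessDeniedException is: a call made through the assumed role shows up as an STS assumed-role principal in the role's account, while a call made with the base credentials shows the IAM user in the root account, and EKS then resolves CLUSTER_NAME in that account. The triage helper below is an added example, not part of this thread or of the Atlassian pipes; the account IDs and session name in the sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Shape of the AccessDeniedException text quoted in the thread.
ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:(?:iam|sts)::\S+) is not authorized to perform: "
    r"(?P<action>\S+) on resource: (?P<resource>arn:aws:\S+)"
)

@dataclass
class Arn:
    service: str
    region: str
    account: str
    resource: str

def parse_arn(arn: str) -> Arn:
    # arn:partition:service:region:account:resource (the resource part may itself contain ':')
    _, _, service, region, account, resource = arn.split(":", 5)
    return Arn(service, region, account, resource)

def diagnose(error_message: str, configured_role_arn: str) -> dict:
    """Classify an EKS AccessDenied error: was AWS_ROLE_ARN actually assumed before the call?"""
    m = ACCESS_DENIED_RE.search(error_message)
    if not m:
        raise ValueError("not an AccessDeniedException message")
    caller = parse_arn(m["principal"])
    target = parse_arn(m["resource"])
    role = parse_arn(configured_role_arn)
    role_name = role.resource.split("/", 1)[1]          # 'role/deploy' -> 'deploy'
    # Through the role, the caller is arn:aws:sts::<role account>:assumed-role/<role name>/<session>.
    role_assumed = (
        caller.service == "sts"
        and caller.account == role.account
        and caller.resource.startswith(f"assumed-role/{role_name}/")
    )
    if not role_assumed and caller.account != role.account:
        # Base IAM principal in one account, configured role in another: the tool never switched.
        verdict = "role_not_assumed"
    else:
        # Right principal and account: the attached policy simply lacks the action (or the
        # cluster name/region is wrong), which is a real permissions problem.
        verdict = "permission_gap"
    return {"caller_account": caller.account, "cluster_account": target.account,
            "role_account": role.account, "action": m["action"], "verdict": verdict}

# Constructed samples (account IDs and session name are made up).
ROLE = "arn:aws:iam::222222222222:role/deploy"
MSG_BASE_USER = ("An error occurred (AccessDeniedException) when calling the DescribeCluster operation: "
                 "User: arn:aws:iam::111111111111:user/deploy-service is not authorized to perform: "
                 "eks:DescribeCluster on resource: arn:aws:eks:us-east-1:111111111111:cluster/EKS-CLUSTER-NAME")
MSG_ASSUMED = ("An error occurred (AccessDeniedException) when calling the DescribeCluster operation: "
               "User: arn:aws:sts::222222222222:assumed-role/deploy/bitbucket is not authorized to perform: "
               "eks:DescribeCluster on resource: arn:aws:eks:us-east-1:222222222222:cluster/EKS-CLUSTER-NAME")
```

Running `diagnose(MSG_BASE_USER, ROLE)` reports `role_not_assumed`, matching the situation in this thread, whereas the assumed-role message is classified as a genuine permission gap on the role.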
Thanks, I realized that after reading the source code.
Workaround until this is in place is to have an IAM user with relevant permissions in each target AWS account.
Thanks
Hi @tochi
Welcome to Atlassian Community.
Just cross-verify your parameters for the assumed role (like AWS credentials); sometimes the assumed role and the actual root will be different.
Just check the below URL for knowledge purposes.
Vikram P
Hi @tochi.
A new version of the aws-eks-kubectl-run pipe has been released:
Run command 'apply' with the assumed role user ARN.
script:
  - pipe: atlassian/aws-eks-kubectl-run:3.0.0
    variables:
      AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
      AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
      AWS_DEFAULT_REGION: $AWS_DEFAULT_REGION
      AWS_ROLE_ARN: 'arn:aws:iam::012349999999:role/my-assumed-role'
      AWS_ROLE_SESSION_NAME: 'my-assumed-role'
      CLUSTER_NAME: 'my-kube-cluster'
      KUBECTL_COMMAND: 'apply'
      RESOURCE_PATH: 'nginx.yml'
Also, in case of authentication problems, take a look at this article.
Regards, Igor