aws-eks-kubectl run Account issues

tochi
I'm New Here
September 29, 2024

I have an IAM account in my root AWS Account.

This then assumes roles in various other accounts to perform deployment actions (dev, test, shared, etc.).

When pushing the ECR image to a shared AWS account this works fine using the pipe atlassian/aws-ecr-push-image:2.4.2 and the AWS_ROLE_ARN property: 


"arn:aws:iam::$AWS_ECR_ACCOUNT_ID:role/ROLENAME"

However, when I use the pipe atlassian/aws-eks-kubectl-run:2.8.1 to run KUBECTL commands, using the ROLE_ARN property to specify the role to assume:

"arn:aws:iam::$AWS_DEV_ACCOUNT:role/DEV_ROLE_NAME"

The run fails with the following error:

An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::ROOT-AWS_ACCOUNT:user/deploy-service is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-1:ROOT-AWS_ACCOUNT:cluster/EKS-CLUSTER-NAME

I don't think this is specifically a permissions issue; it seems more like it is not targeting the correct AWS account. The EKS cluster does not exist in the root account but in a different one. However, it doesn't seem to be switching to the correct AWS account when applying the ROLE_ARN.

I don't see another property in the pipe config to allow me to specify an AWS account to target?

Has anyone come across this or have any suggestions?

Thanks
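The error quoted in the question can mean two quite different things: either the request was signed by the base IAM user because the role was never assumed (the cluster ARN in the message is then built from the caller's own account, which is why it points at the root account where no cluster exists), or the role was assumed but its policy lacks eks:DescribeCluster. The following script is an added example, not code from this thread or from the Atlassian pipes; it parses the "not authorized to perform" message and the configured ROLE_ARN and tells the two cases apart by comparing the account IDs. The sample error text and the 12-digit account IDs are constructed placeholders modelled on the message in the post.

```python
"""Diagnose an EKS AccessDeniedException: role not assumed, or real permission gap?

Added example; not code from the thread or from the Atlassian pipes.
The sample error and account IDs below are constructed placeholders.
"""
import re
from dataclasses import dataclass

# Shape of every AWS "not authorized" message: principal, action, resource.
ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>\S+) on resource: (?P<resource>\S+)"
)


def arn_account(arn: str) -> str:
    """Return the account field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[4]


@dataclass
class Diagnosis:
    verdict: str        # ROLE_NOT_ASSUMED | CLUSTER_IN_OTHER_ACCOUNT | PERMISSION_DENIED
    principal_arn: str
    action: str
    resource_arn: str
    detail: str


def diagnose(role_arn: str, error_message: str) -> Diagnosis:
    """Compare the accounts of the caller, the configured role and the resource."""
    m = ACCESS_DENIED_RE.search(error_message)
    if m is None:
        raise ValueError("message is not an AWS 'not authorized to perform' error")
    principal, action, resource = m.group("principal", "action", "resource")
    role_acct = arn_account(role_arn)
    principal_acct = arn_account(principal)
    resource_acct = arn_account(resource)

    if principal_acct != role_acct:
        # The request was signed by credentials from another account: the
        # assume-role step never took effect, so this is not a policy problem.
        verdict = "ROLE_NOT_ASSUMED"
        detail = (f"request was signed by {principal} (account {principal_acct}); "
                  f"the configured role is in account {role_acct}, so the role was not assumed")
    elif resource_acct != role_acct:
        # Right identity, but the cluster ARN was resolved in a different account.
        verdict = "CLUSTER_IN_OTHER_ACCOUNT"
        detail = (f"{principal} is correct but the target {resource} lives in account "
                  f"{resource_acct}; check region and cluster name")
    else:
        # Same account everywhere: the role genuinely lacks the permission.
        verdict = "PERMISSION_DENIED"
        detail = f"{principal} lacks {action} on {resource}; extend the role's IAM policy"
    return Diagnosis(verdict, principal, action, resource, detail)


# Constructed sample, modelled on the message quoted in the question.
SAMPLE_ROLE_ARN = "arn:aws:iam::222222222222:role/DEV_ROLE_NAME"
SAMPLE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the DescribeCluster operation: "
    "User: arn:aws:iam::111111111111:user/deploy-service is not authorized to perform: "
    "eks:DescribeCluster on resource: arn:aws:eks:us-east-1:111111111111:cluster/EKS-CLUSTER-NAME"
)

if __name__ == "__main__":
    d = diagnose(SAMPLE_ROLE_ARN, SAMPLE_ERROR)
    print(d.verdict)
    print(d.detail)
```

Run against the sample, the verdict is ROLE_NOT_ASSUMED: the caller is an IAM user in the root account while the role sits in the dev account, which matches the poster's reading that the pipe never switched accounts.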


3 answers

1 accepted

0 votes
Answer accepted
Igor Stoyanov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 4, 2024

Hi @tochi. The reason could be that aws-ecr-push-image supports assuming a role ARN, but aws-eks-kubectl-run currently does not.

We will add this feature to the aws-eks-kubectl-run pipe and notify you when the new version is released.


Regards, Igor

tochi
I'm New Here
October 6, 2024

Thanks, I realized that after reading the source code.

The workaround until this is in place is to have an IAM user with the relevant permissions in each target AWS account.

Thanks

1 vote
vikram
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 30, 2024

Hi @tochi 

Welcome to Atlassian Community.

Just cross-verify your parameters for the assumed role (like AWS credentials); sometimes the assumed role and the actual root will be different.

Just check the below URL for knowledge purposes.

Vikram P

0 votes
Igor Stoyanov
Atlassian Team
October 28, 2024

Hi @tochi. A new version of the aws-eks-kubectl-run pipe has been released:

Run command 'apply' with the assumed role user ARN.

script:
  - pipe: atlassian/aws-eks-kubectl-run:3.0.0
    variables:
      AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
      AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
      AWS_DEFAULT_REGION: $AWS_DEFAULT_REGION
      AWS_ROLE_ARN: 'arn:aws:iam::012349999999:role/my-assumed-role'
      AWS_ROLE_SESSION_NAME: 'my-assumed-role'
      CLUSTER_NAME: 'my-kube-cluster'
      KUBECTL_COMMAND: 'apply'
      RESOURCE_PATH: 'nginx.yml'

Also, in case of authentication problems, take a look at this article.

Regards, Igor
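With version 3.0.0 the pipe assumes AWS_ROLE_ARN itself, so the remaining risk is a misconfiguration that silently leaves the step running as the base user, which is exactly the symptom in the question. A cheap guard is to confirm the identity behind the credentials before any EKS call. The following is an added example, not part of the thread or of the aws-eks-kubectl-run pipe: it works against any object exposing a boto3-style get_caller_identity() method (a real boto3 STS client built from the assumed credentials, or the constructed FakeSts below, which stands in for boto3 so the example runs offline) and checks that the caller is a session of the expected role. The role ARN and session name reuse the placeholders from the YAML above; the user ARN in the demonstration is a constructed value.

```python
"""Pre-flight check: are these credentials really a session of the expected role?

Added example; not part of the thread or the Atlassian pipe. Any object with
a boto3-style get_caller_identity() method can be passed as sts_client; the
FakeSts class is a constructed stand-in so the example runs without boto3.
"""
from typing import Optional, Tuple


def expected_session_arn_prefix(role_arn: str) -> str:
    """Map an IAM role ARN to the STS ARN its sessions carry.

    arn:aws:iam::ACCT:role/NAME  ->  arn:aws:sts::ACCT:assumed-role/NAME/
    STS drops any role path, so only the last path element is kept.
    """
    parts = role_arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "iam" or not parts[5].startswith("role/"):
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    account = parts[4]
    role_name = parts[5].rsplit("/", 1)[-1]
    return f"arn:aws:sts::{account}:assumed-role/{role_name}/"


def verify_assumed_identity(sts_client, role_arn: str,
                            session_name: Optional[str] = None) -> Tuple[bool, str]:
    """Return (ok, reason) after comparing GetCallerIdentity with the expected role."""
    identity = sts_client.get_caller_identity()   # {'UserId', 'Account', 'Arn'}
    expected_account = role_arn.split(":", 5)[4]
    prefix = expected_session_arn_prefix(role_arn)
    actual_arn = identity["Arn"]

    if identity["Account"] != expected_account:
        # Wrong account means the assume-role step never happened.
        return False, (f"credentials belong to account {identity['Account']}, not "
                       f"{expected_account}: role not assumed (caller is {actual_arn})")
    if not actual_arn.startswith(prefix):
        # Right account, but e.g. a long-lived user or a different role.
        return False, f"caller {actual_arn} is not a session of {role_arn}"
    if session_name is not None and actual_arn != prefix + session_name:
        return False, f"caller {actual_arn} uses an unexpected session name"
    return True, f"running as {actual_arn}"


class FakeSts:
    """Constructed stand-in for boto3's STS client returning a fixed identity."""

    def __init__(self, account: str, arn: str):
        self._identity = {"UserId": "AIDAEXAMPLE", "Account": account, "Arn": arn}

    def get_caller_identity(self):
        return dict(self._identity)


ROLE_ARN = "arn:aws:iam::012349999999:role/my-assumed-role"

if __name__ == "__main__":
    # Case 1: credentials are still the base IAM user (constructed ARN).
    base_user = FakeSts("111111111111", "arn:aws:iam::111111111111:user/deploy-service")
    print(verify_assumed_identity(base_user, ROLE_ARN, "my-assumed-role"))
    # Case 2: credentials come from a session of the configured role.
    session = FakeSts("012349999999",
                      "arn:aws:sts::012349999999:assumed-role/my-assumed-role/my-assumed-role")
    print(verify_assumed_identity(session, ROLE_ARN, "my-assumed-role"))
```

In a real pipeline the STS client would be `boto3.client("sts", aws_access_key_id=..., aws_secret_access_key=..., aws_session_token=...)` built from the AssumeRole output; failing the step on a False result turns a confusing DescribeCluster AccessDenied into a clear "role not assumed" message.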
