I have an IAM account in my root AWS Account.
This then assumes roles in various other accounts to perform deployment actions, dev, test, shared etc
When pushing the ECR image to a shared AWS account this works fine using the pipe atlassian/aws-ecr-push-image:2.4.2 and the AWS_ROLE_ARN property:
An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::ROOT-AWS_ACCOUNT:user/deploy-service is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-1:ROOT-AWS_ACCOUNT:cluster/EKS-CLUSTER-NAME
I don't think this is specifically a permissions issue, it seems more like it is not targeting the correct AWS account. The EKS cluster does not exist in the root account but a different one. However it doesn't seem to be switching to the correct AWS account when applying the ROLE_ARN.
I don't see another property in the pipe config to allow me to specify an AWS account to target?
has anyone come across this or have any suggestions?
Thanks
Hi @tochi . The reason could be that
aws-ecr-push-image supports assuming role-arn, but aws-eks-kubectl-run currently not.
We will add this feature to aws-eks-kubectl-run pipe and notify you when new version will be released.
Regards, Igor
Thanks, I realized that after reading the source code.
Workaround until this is in place is to have an IAM user with relevant permissions in each target AWS account.
Thanks
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi @tochi
Welcome to Atlassian Community.
Just cross verify your parameters for the assign role (like AWS Credentials), some times the assume role and actual root will be different.
Just check the below url for knowledge purpose.
Vikram P
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.