
I followed the documentation for launching an EKS cluster, which says to create a service role with certain policies.

https://docs.aws.amazon.com/eks/latest/userguide/eks-ug.pdf

To create your Amazon EKS service role
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Choose Roles, then Create role.
3. Choose EKS from the list of services, then Allows Amazon EKS to manage your clusters on your behalf for your use case, then Next: Permissions.
4. Choose Next: Review.
5. For Role name, enter a unique name for your role, such as eksServiceRole, then choose Create role.

When I create a basic hello world application, it throws an AccessDenied error.

Error creating load balancer (will retry): failed to ensure load balancer for service default/nginx:
AccessDenied: User: arn:aws:sts::*************:assumed-role/eks-service-role/************* is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::*************:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing

The two policies that were added (AmazonEKSClusterPolicy, AmazonEKSServicePolicy) do not allow the iam:CreateServiceLinkedRole action. Should we add it on top of the policies defined in the guide? Or should this be included in the EKS policies?


2 Answers


The EKS user guide seems to assume that you created a load balancer in your AWS account before creating the EKS cluster, and therefore already have the AWSServiceRoleForElasticLoadBalancing service-linked role in AWS IAM.

As described in https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/elb-service-linked-roles.html#create-service-linked-role

You don't need to manually create the AWSServiceRoleForElasticLoadBalancing role. Elastic Load Balancing creates this role for you when you create a load balancer.

EKS is trying to do this for you, which causes the access denied exception with the default policies.

Other options for explicitly creating the service-linked role before creating the EKS cluster include:

AWS CLI

    aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"

Terraform

    resource "aws_iam_service_linked_role" "elasticloadbalancing" {
      aws_service_name = "elasticloadbalancing.amazonaws.com"
    }

Alternatively, create a load balancer manually from the console UI.

Whichever provisioning option you use, you will know everything will work once you see the following role in AWS IAM:

arn:aws:iam::<ACCOUNT_ID>:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing
answered 2018-08-09T02:00:22.150

I got it working by adding this policy to the EKS role:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iam:CreateServiceLinkedRole",
                "Resource": "arn:aws:iam::*:role/aws-service-role/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeAccountAttributes"
                ],
                "Resource": "*"
            }
        ]
    }
answered 2018-07-31T10:34:19.643
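Added example (not from the question or either answer): a small pre-check that tests whether a policy document such as the one above grants the exact action/resource pair reported in the AccessDenied message, using IAM's `*`/`?` wildcard and explicit-deny semantics. The account id is a placeholder; `policy_allows` is a hypothetical helper, and Condition, NotAction and NotResource are not modelled, so it is a quick sanity check before creating the cluster, not a replacement for the IAM policy simulator.

```python
import fnmatch
import json

# Action and resource taken from the AccessDenied message in the question;
# the account id is a placeholder.
DENIED_ACTION = "iam:CreateServiceLinkedRole"
DENIED_RESOURCE = ("arn:aws:iam::123456789012:role/aws-service-role/"
                   "elasticloadbalancing.amazonaws.com/"
                   "AWSServiceRoleForElasticLoadBalancing")

# The inline policy from the second answer.
ANSWER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
         "Resource": "arn:aws:iam::*:role/aws-service-role/*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeAccountAttributes"],
         "Resource": "*"},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case):
    # IAM treats '*' and '?' as wildcards. Action names are matched
    # case-insensitively; resource ARNs are matched case-sensitively.
    patterns = _as_list(patterns)
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def policy_allows(policy_json, action, resource):
    """True if the policy grants `action` on `resource`. An explicit Deny
    wins over any Allow, as in IAM. Condition, NotAction and NotResource
    are not modelled (hypothetical helper, simplified evaluator)."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction / NotResource statements are skipped
        if not (_matches(stmt["Action"], action, True)
                and _matches(stmt["Resource"], resource, False)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    print(policy_allows(ANSWER_POLICY, DENIED_ACTION, DENIED_RESOURCE))  # True
```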