When deploying Spinnaker to EKS with hal deploy apply, the Spinnaker Clouddriver pod goes into CrashLoopBackOff with the following error:

Caused by: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/Spinnaker-k8s-Worker-Node-Role/i-yyyyyyyyyyyyyy is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxx:role/Spinnaker-Managed-Role

My Halyard configuration is as follows:

currentDeployment: default
deploymentConfigurations:
- name: default
  version: 1.17.6
  providers:
    appengine:
      enabled: false
      accounts: []
    aws:
      enabled: true
      accounts:
      - name: my-account
        requiredGroupMembership: []
        providerVersion: V1
        permissions: {}
        accountId: 'xxxxxxxxxxxx' # my account id here
        regions:
        - name: us-east-1
        assumeRole: Spinnaker-Clouddriver-Role
        lifecycleHooks: []
      primaryAccount: my-account
      bakeryDefaults:
        baseImages: []
      defaultKeyPairTemplate: '{{name}}-keypair'
      defaultRegions:
      - name: us-east-1
      defaults:
        iamRole: BaseIAMRole

My Spinnaker-Clouddriver-Role IAM role currently has PowerUserAccess permissions and the following trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "ecs.amazonaws.com",
          "application-autoscaling.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxx:role/Spinnaker-k8s-Worker-Node-Role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

How can I fix this?


The full log is available at https://gist.github.com/agentmilindu/d9d31ee4287c87fb87e5060e0709989d#file-awssecuritytokenserviceexception-log-L3

1 Answer

Take a look at the AWS IAM policy that works perfectly.

See the Armory AWS IAM setup and the EC2 provider setup.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "cloudformation:*",
                "ecr:*"                
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::123456789012:role/SpinnakerManagedRoleAccount1",
                "arn:aws:iam::101121314157:role/SpinnakerManagedRoleAccount2",
                "arn:aws:iam::202122232425:role/SpinnakerManagedRoleAccount3"
            ],
            "Effect": "Allow"
        }
    ]
}
answered 2020-03-04T03:47:10.917
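The error in the question is the classic two-sided AssumeRole failure: the managed role's trust policy names the worker node role, but the worker node role's own identity policy never grants sts:AssumeRole on that target. The following added example (not code from the post or from Spinnaker) statically checks both halves against constructed policy documents; the ARNs and policy contents are placeholders, and only the bare "*" wildcard is matched, not partial ARN wildcards.

```python
# Constructed sample documents (not from the post). Role ARNs are placeholders.
CALLER = "arn:aws:iam::111111111111:role/Spinnaker-k8s-Worker-Node-Role"
TARGET = "arn:aws:iam::111111111111:role/Spinnaker-Managed-Role"

# Identity policy on the worker node role before the fix: no sts:AssumeRole at all.
WORKER_POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]}
# After the fix: the explicit sts:AssumeRole grant the answer's policy shows.
WORKER_POLICY_AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": [TARGET]}]}
# Trust policy on the managed role, as in the question: the worker role is a principal.
TARGET_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": CALLER}, "Action": "sts:AssumeRole"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def identity_allows_assume(policy, target_arn):
    """Does the caller's identity policy grant sts:AssumeRole on target_arn?"""
    allowed = False
    for st in _as_list(policy["Statement"]):
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        if not {"*", target_arn} & set(_as_list(st.get("Resource", []))):
            continue
        if st["Effect"] == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = True
    return allowed

def trust_allows_caller(trust_policy, caller_arn):
    """Does the target's trust policy name caller_arn as an AWS principal?"""
    for st in _as_list(trust_policy["Statement"]):
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if caller_arn in principals or "*" in principals:
            return True
    return False

def diagnose(identity_policy, trust_policy, caller_arn, target_arn):
    """Return the missing halves; AssumeRole only succeeds when the list is empty."""
    problems = []
    if not identity_allows_assume(identity_policy, target_arn):
        problems.append("caller identity policy lacks sts:AssumeRole on target")
    if not trust_allows_caller(trust_policy, caller_arn):
        problems.append("target trust policy does not list caller as principal")
    return problems
```

Running diagnose() with WORKER_POLICY_BEFORE reproduces the question's situation (trust is fine, the identity grant is missing); with WORKER_POLICY_AFTER both checks pass.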