我在EKS集群中运行Sping Boot (2.6.6)应用程序,该应用程序试图通过假设AWS角色来验证AWS。我一直在跟踪这个医生
<dependencies>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-sts</artifactId>
<version>1.12.9</version>
</dependency>
</dependencies>在我的应用程序helm/k8s设置中:
apiVersion: apps/v1
kind: Deployment
spec
template:
metadata:
...
spec:
serviceAccountName: myapp-service-account
securityContext:
fsGroup: 123456
initContainers:
...服务帐户设置:
~ % kubectl get serviceaccounts -n dev
NAME SECRETS AGE
default 1 2y1d
myapp-service-account 1 7d2h
..
~ % kubectl get serviceaccounts/myapp-service-account -n dev -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::<account_id>:role/<aws_role_to_assume>
..但我的应用程序似乎没有承担正确的角色:
2022-06-21 17:50:25.284 WARN [my-app,,] 1 - [ main] s. AwsSecretsManagerPropertySourceSearch:无法从/secret/my-app_dev加载AWS secret。用户:arn:aws:sts<account_id>:assumed-role/<cluster_generated_default_role>未被授权执行:secretsmanager:GetSecretValue on resource:/secret/my-app_dev,因为没有基于身份的策略允许secretsmanager:GetSecretValue操作(服务:AWSSecretsManager;验证码:400;错误代码:AccessDeniedException;请求ID:1111111-2222-33333-444444;代理:null)
在上面,我认为添加serviceAccountName: myapp-service-account将允许应用程序以某种方式获取新的ServiceAccount,从而承担不同的角色。我配置错了什么?
- 编辑 *
环境变量:
~ % kubectl exec my-app-pod-1234-abcd -n dev -- env
...
JAVA_OPTS=
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
AWS_ROLE_ARN=arn:aws:iam::<aws_account_id>:role/<aws_role_to_assume>
...
2条答案
按热度按时间clj7thdc1#
您应该将角色分配给命名空间中的默认服务帐户:
Terraform示例:https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/default_service_account
biswetbf2#
检查IAM角色,您是否在那里添加了信任关系,以便您的角色可以从服务帐户中假设,例如。它应该看起来像