5

Whenever I run the following command with the role that was used to create the EKS cluster...

aws eks update-kubeconfig --name eks-cluster --role-arn arn:aws:iam::999999999999:role/eksServiceRole

... I get the following error:

An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::111111111111:user/username is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-1:561353845098:cluster/eks-cluster

Does anybody have any advice on how to go about diagnosing and rectifying this error?

Kurt Mueller
  • Hi, if one of the responses below answered your question please upvote and accept it. That's the ServerFault way of saying *Thanks* for the time someone took to help you :) – MLu Feb 19 '19 at 20:55
  • Still banging my head on this one. That's not to say that I'm not thankful for the time and thought my fellow StackExchange users gave to me... I am very grateful and thankful to them. I upvoted both answers but haven't marked any response as a solution because I still haven't solved this particular problem. – Kurt Mueller Feb 19 '19 at 22:47

9 Answers

5

A couple of suggestions that may, or may not help:

  • You may add --verbose to your command to perhaps get better details as to where it fails. Could it be the case that the user you are authenticated as is not able to assume the role specified?

  • In the manual for aws-cli, --role-arn is passed as a string; you should try enclosing it in double quotes:

aws eks update-kubeconfig --name eks-cluster --role-arn "arn:aws:iam::999999999999:role/eksServiceRole"

  • Try to manually assume the role through aws-cli.

    1. Verify your current authenticated session: aws sts get-caller-identity

    2. Attempt to assume the role: aws sts assume-role --role-arn "arn:aws:iam::999999999999:role/eksServiceRole" --role-session-name test-eks-role

William Sandin
5

--role-arn is the role which will be used by aws-iam-authenticator when you run kubectl to get a token, and it is only injected into the generated config; it is not used for fetching EKS resources in any way by the command.

The error you are hitting is because the AWS credentials you're using to run the update-kubeconfig command don't have permissions to describe that cluster.

Mike
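As an added example (not code from the question or from any of the answers), the diagnosis Mike describes carried out in Python against the error text quoted in the question. The inputs are constructed: the quoted error, the --role-arn from the question, and an assumed `aws sts get-caller-identity` result for the credentials the CLI picked up from the environment or ~/.aws/credentials. The kubeconfig stanza mirrors the layout update-kubeconfig writes, but the exec flag spelling (`--role`) and the `apiVersion` string differ across CLI versions, so treat both as assumptions; the point is that the role appears only in the exec args kubectl runs later, never in the DescribeCluster call.

```python
import re

# Constructed inputs: the error quoted in the question, the --role-arn the
# question passes, and an assumed `aws sts get-caller-identity` result for the
# credentials the CLI used to make the DescribeCluster call.
SAMPLE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the DescribeCluster "
    "operation: User: arn:aws:iam::111111111111:user/username is not authorized "
    "to perform: eks:DescribeCluster on resource: "
    "arn:aws:eks:us-east-1:561353845098:cluster/eks-cluster"
)
SAMPLE_ROLE_ARN = "arn:aws:iam::999999999999:role/eksServiceRole"
SAMPLE_CALLER = {"Arn": "arn:aws:iam::111111111111:user/username"}

# IAM phrases the denial the same way for every service: principal, action, resource.
DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+)"
    r" on resource: (?P<resource>\S+)"
)


def parse_access_denied(message):
    """Extract principal, action and resource from an IAM AccessDenied message."""
    match = DENIED_RE.search(message)
    if match is None:
        raise ValueError("not an IAM AccessDenied message")
    return match.groupdict()


def minimal_policy(denied):
    """Least-privilege IAM statement that would have allowed the denied call."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": denied["action"],
            "Resource": denied["resource"],
        }],
    }


def kubeconfig_user(cluster_name, region, role_arn=None):
    """User entry in the shape update-kubeconfig writes (layout assumed).

    The role only lands in the exec args that kubectl runs later to fetch a
    token; update-kubeconfig itself never uses it.
    """
    args = ["--region", region, "eks", "get-token", "--cluster-name", cluster_name]
    if role_arn:
        args += ["--role", role_arn]  # flag spelling assumed; varies by CLI version
    return {"exec": {"apiVersion": "client.authentication.k8s.io/v1beta1",
                     "command": "aws", "args": args}}


def diagnose(message, caller_identity, role_arn):
    """Say which identity was denied and where the missing permission belongs."""
    denied = parse_access_denied(message)
    role_name = role_arn.rsplit("/", 1)[-1]
    # A call made *as* the role is denied as arn:aws:sts::<acct>:assumed-role/<role>/<session>
    denied_is_role = f":assumed-role/{role_name}/" in denied["principal"]
    denied_is_caller = denied["principal"] == caller_identity["Arn"]
    if denied_is_caller:
        fix = f"attach the policy to {denied['principal']} (the credentials running the CLI)"
    elif denied_is_role:
        fix = f"attach the policy to role {role_name}"
    else:
        fix = "denied principal matches neither caller nor role; check AWS_PROFILE and env vars"
    return {
        "denied": denied,
        "denied_is_caller": denied_is_caller,
        "denied_is_role": denied_is_role,
        "fix": fix,
        "policy": minimal_policy(denied),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(SAMPLE_ERROR, SAMPLE_CALLER, SAMPLE_ROLE_ARN), indent=2))
    print(json.dumps(kubeconfig_user("eks-cluster", "us-east-1", SAMPLE_ROLE_ARN), indent=2))
```

On the question's error the denied principal is the IAM user, not an assumed-role ARN, which is exactly Mike's point: the role in --role-arn was never exercised. Paste the real output of `aws sts get-caller-identity` into SAMPLE_CALLER and the generated statement is the narrowest policy that makes `aws eks describe-cluster --name eks-cluster` (and therefore update-kubeconfig) succeed for that user.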
2

I'm not that familiar with EKS but I guess the user that you're running the aws eks command as needs privileges to describe the cluster.

Does this run successfully?

~ $ aws eks describe-cluster --name eks-cluster

If not you'll need to check your aws-cli permissions and make that work first.

It's just a guess but hope that helps :)

MLu
2

If you receive an AccessDeniedException when calling an AWS API operation, then the AWS Identity and Access Management (IAM) user or role credentials that you are using do not have the required permissions to make that call.

To provide Amazon EKS admin permissions to a user, see Creating Amazon EKS IAM Policies.

(Reference: https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting.html#iam-error)

Yuci
1

Use the sts assume-role method and then reassign the credential values from there:

#!/bin/bash
set -euo pipefail
# Long-lived keys of the IAM user that is allowed to assume the role
export AWS_ACCESS_KEY_ID=xxx
export AWS_SECRET_ACCESS_KEY=xxx
ROLE_ARN="arn:aws:iam::xxx:role/Administrator"
# Assume the role; the JSON output carries temporary keys plus a session token
CRED=$(aws sts assume-role --role-arn "${ROLE_ARN}" --role-session-name AWSCLI-Session)
# Replace the user's keys with the role's temporary credentials for the rest of this shell
export AWS_ACCESS_KEY_ID=$(echo "${CRED}" | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "${CRED}" | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "${CRED}" | jq -r '.Credentials.SessionToken')
# Should now report the assumed-role ARN, not the user
aws sts get-caller-identity
aws eks update-kubeconfig --name my-cluster --region region
Roman
1

I came up with the same error. But after updating to the correct access key and secret key in the file .aws/credentials, the problem was resolved.

Please note that you need to use the access key and secret key of a user who is allowed to perform AWS EKS related actions.

user516231
0

Confirming that this bug with aws eks is still present as of 2020/04. I ran into the same issue as OP despite all configurations being correct. Eventually I found that aws eks update-kubeconfig --name eks-cluster --profile profilename succeeds if the IAM role to be assumed is defined in the config, an alternative that is supposed to do the exact same thing, so it is definitely a bug with aws eks.

0

In my case this issue came from the missing "profile" word in .aws/config for named profiles. If named profiles are not used, i.e. only the default profile exists, "profile" is not needed. Source: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

mjooz
0

Is the user ID with which you are creating the cluster MFA-enabled? If so, you need to get the token and update the credentials file.

Suresh
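William Sandin's, Roman's, mjooz's and Suresh's answers all come down to the same mechanics: obtain temporary credentials from STS (assume-role, or get-session-token with an MFA code) and store them as a named profile that update-kubeconfig can be pointed at with --profile. The example below is added here and is not code from any of the answers. It takes the JSON that both STS commands print (the sample is constructed with placeholder values, not real credentials) and writes the profile into credentials and config files, using the `[name]` header in the credentials file and the `[profile name]` header in the config file, which is the distinction mjooz's answer is about. Paths, the profile name and the region are assumptions for the demo.

```python
import configparser
import json
import os
import tempfile
from pathlib import Path

# Constructed sample: the JSON shape printed by both
#   aws sts assume-role --role-arn <arn> --role-session-name <name>
#   aws sts get-session-token --serial-number <mfa-device-arn> --token-code <code>
# All values are placeholders, not real credentials.
SAMPLE_STS_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLE000000000",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "FwoGZXIvYXdzEXAMPLE",
        "Expiration": "2019-02-20T01:00:00Z",
    }
})


def write_sts_profile(sts_json, profile, credentials_path, config_path, region):
    """Store temporary STS credentials under a named profile.

    ~/.aws/credentials uses plain [name] section headers; ~/.aws/config uses
    [profile name] for every profile except default. Existing profiles in
    either file are preserved. Returns the credentials' expiry timestamp.
    """
    creds = json.loads(sts_json)["Credentials"]

    cred_ini = configparser.ConfigParser()
    cred_ini.read(credentials_path)
    cred_ini[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],  # required for any STS credentials
    }

    cfg_ini = configparser.ConfigParser()
    cfg_ini.read(config_path)
    section = "default" if profile == "default" else f"profile {profile}"
    cfg_ini[section] = {"region": region, "output": "json"}

    for path, ini in ((credentials_path, cred_ini), (config_path, cfg_ini)):
        Path(path).parent.mkdir(parents=True, exist_ok=True)
        with open(path, "w") as fh:
            ini.write(fh)
        os.chmod(path, 0o600)  # secrets on disk: owner read/write only
    return creds["Expiration"]


def read_profile(credentials_path, profile):
    """Return the stored keys for a profile, or None if it is absent."""
    ini = configparser.ConfigParser()
    ini.read(credentials_path)
    return dict(ini[profile]) if ini.has_section(profile) else None


def config_sections(config_path):
    ini = configparser.ConfigParser()
    ini.read(config_path)
    return ini.sections()


def demo(profile="eks-mfa", region="us-east-1"):
    """Write the sample credentials into a throwaway directory and report what landed."""
    base = Path(tempfile.mkdtemp())  # stand-in for ~/.aws (assumption for the demo)
    cred_path, cfg_path = base / "credentials", base / "config"
    expiry = write_sts_profile(SAMPLE_STS_OUTPUT, profile, cred_path, cfg_path, region)
    return {
        "expires": expiry,
        "credentials_profile": read_profile(cred_path, profile),
        "config_sections": config_sections(cfg_path),
        "credentials_mode": oct(os.stat(cred_path).st_mode & 0o777),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With the profile written under the real ~/.aws, the rest is `aws sts get-caller-identity --profile eks-mfa` to confirm the principal, then `aws eks update-kubeconfig --name eks-cluster --profile eks-mfa`. The session token is what distinguishes STS credentials from a user's long-lived keys; leaving it out is the usual reason a freshly assumed role still gets the AccessDeniedException from the question.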