I ve created a Role that I want for my `external dns` pods b Pulumi Community #aws

I've created a Role that I want for my `external-d...

dazzling-sundown-39670

05/27/2020, 8:45 PM

I've created a Role that I want for my

external-dns

pods but I'm not sure how I can allow it. Currently I'm getting this error:

AccessDenied: User: arn:aws:sts::503405380068:assumed-role/k8s-pulumi-instanceRole-role-683d5cc/i-0a89701e04130e505 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::503405380068:role/update-route53-4397bfb

I guess I need to attach it to my cluster somehow? I've tried serviceRole and instanceRole but the diff shows too many affected resources

dazzling-sundown-39670

05/27/2020, 8:46 PM

Code here:

Copy code

import * as pulumi from '@pulumi/pulumi';
import * as aws from '@pulumi/aws';
import * as k8s from '@pulumi/kubernetes';
import { cluster } from './cluster';
import { updateRoute53Role } from './roles';

// export const role = new aws.iam.Role('update-route53', {
//   assumeRolePolicy: JSON.stringify({
//     Version: '2012-10-17',
//     Statement: [
//       {
//         Action: 'sts:AssumeRole',
//         Principal: {
//           Service: '<http://ec2.amazonaws.com|ec2.amazonaws.com>',
//         },
//         Effect: 'Allow',
//         Sid: '',
//       },
//     ],
//   }),
// });

export const policy = new aws.iam.Policy('AllowExternalDNSUpdates', {
  description: 'This policy allows external-dns to update route53',
  path: '/',
  policy: JSON.stringify({
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: ['route53:ChangeResourceRecordSets'],
        Resource: ['arn:aws:route53:::hostedzone/*'],
      },
      {
        Effect: 'Allow',
        Action: ['route53:ListHostedZones', 'route53:ListResourceRecordSets'],
        Resource: ['*'],
      },
    ],
  }),
});

const rolePolicyAttachment = new aws.iam.RolePolicyAttachment(
  'update-route53',
  {
    role: updateRoute53Role,
    policyArn: policy.arn,
  },
);

const policyAttachment = new aws.iam.PolicyAttachment('update-route53', {
  roles: [updateRoute53Role],
  policyArn: policy.arn,
});

export const externalDnsRoleArn = updateRoute53Role.arn;

export const externalDnsChart = new k8s.helm.v2.Chart(
  'external-dns',
  {
    chart: 'external-dns',
    version: '3.1.0',
    values: {
      txtOwnerId: 'foo-external-dns-pulumi',
      domainFilters: ['<http://aws2.fooqa.com|aws2.fooqa.com>'],
      aws: {
        zoneType: 'public',
        assumeRoleArn: externalDnsRoleArn,
      },
      'podSecurityContext.fsGroup': 65534,
    },
    fetchOpts: {
      repo: '<https://charts.bitnami.com/bitnami>',
    },
  },
  {
    dependsOn: cluster,
    provider: cluster.provider,
  },
);

dazzling-sundown-39670

05/27/2020, 8:49 PM

Cluster:

Copy code

const instanceType: aws.ec2.InstanceType = config.require('k8sinstancetype');

export const cluster = new eks.Cluster('k8s-pulumi', {
  vpcId: vpc.id,
  subnetIds: vpc.publicSubnetIds,
  clusterSecurityGroup: sg.securityGroup,
  instanceType,
  desiredCapacity: 3,
  minSize: 1,
  maxSize: 4,
  // serviceRole: updateRoute53Role,
  // instanceRole: updateRoute53Role,
});

dazzling-sundown-39670

05/28/2020, 1:44 AM

Also tried this now:

Copy code

const instanceRole = cluster.instanceRoles.apply((roles) => roles[0]);
export const arn = pulumi.interpolate`${instanceRole.arn}`;

dazzling-sundown-39670

05/28/2020, 1:45 AM

Instead of creating a role

dazzling-sundown-39670

05/28/2020, 1:56 AM

So I'm guessing the problem is that my role has

sts:AssumeRole

instead of

sts:AssumeRoleWithWebIdentity

but I can't figure out how to change that

5 Views

Open in Slack

Previous Next