Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
d
dazzling-sundown-39670
05/27/2020, 8:45 PMI've created a Role that I want for my
external-dnsAccessDenied: User: arn:aws:sts::503405380068:assumed-role/k8s-pulumi-instanceRole-role-683d5cc/i-0a89701e04130e505 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::503405380068:role/update-route53-4397bfbCode here:
import * as pulumi from '@pulumi/pulumi';
import * as aws from '@pulumi/aws';
import * as k8s from '@pulumi/kubernetes';
import { cluster } from './cluster';
import { updateRoute53Role } from './roles';
// export const role = new aws.iam.Role('update-route53', {
// assumeRolePolicy: JSON.stringify({
// Version: '2012-10-17',
// Statement: [
// {
// Action: 'sts:AssumeRole',
// Principal: {
// Service: '<http://ec2.amazonaws.com|ec2.amazonaws.com>',
// },
// Effect: 'Allow',
// Sid: '',
// },
// ],
// }),
// });
export const policy = new aws.iam.Policy('AllowExternalDNSUpdates', {
description: 'This policy allows external-dns to update route53',
path: '/',
policy: JSON.stringify({
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Action: ['route53:ChangeResourceRecordSets'],
Resource: ['arn:aws:route53:::hostedzone/*'],
},
{
Effect: 'Allow',
Action: ['route53:ListHostedZones', 'route53:ListResourceRecordSets'],
Resource: ['*'],
},
],
}),
});
const rolePolicyAttachment = new aws.iam.RolePolicyAttachment(
'update-route53',
{
role: updateRoute53Role,
policyArn: policy.arn,
},
);
const policyAttachment = new aws.iam.PolicyAttachment('update-route53', {
roles: [updateRoute53Role],
policyArn: policy.arn,
});
export const externalDnsRoleArn = updateRoute53Role.arn;
export const externalDnsChart = new k8s.helm.v2.Chart(
'external-dns',
{
chart: 'external-dns',
version: '3.1.0',
values: {
txtOwnerId: 'foo-external-dns-pulumi',
domainFilters: ['<http://aws2.fooqa.com|aws2.fooqa.com>'],
aws: {
zoneType: 'public',
assumeRoleArn: externalDnsRoleArn,
},
'podSecurityContext.fsGroup': 65534,
},
fetchOpts: {
repo: '<https://charts.bitnami.com/bitnami>',
},
},
{
dependsOn: cluster,
provider: cluster.provider,
},
);Cluster:
const instanceType: aws.ec2.InstanceType = config.require('k8sinstancetype');
export const cluster = new eks.Cluster('k8s-pulumi', {
vpcId: vpc.id,
subnetIds: vpc.publicSubnetIds,
clusterSecurityGroup: sg.securityGroup,
instanceType,
desiredCapacity: 3,
minSize: 1,
maxSize: 4,
// serviceRole: updateRoute53Role,
// instanceRole: updateRoute53Role,
});Also tried this now:
const instanceRole = cluster.instanceRoles.apply((roles) => roles[0]);
export const arn = pulumi.interpolate`${instanceRole.arn}`;Instead of creating a role
So I'm guessing the problem is that my role has
sts:AssumeRolests:AssumeRoleWithWebIdentity