When I try to send SES mail from my eks cluster us...
# general
s
When I try to send SES mail from my EKS cluster using the Node.js aws-sdk I got the following error:
```
error: User 'arn:xxxxx:assumed-role/cluster-instanceRole-role-xxxxx' is not authorized to perform 'ses:SendRawEmail' on resource 'arn:aws:ses:us-east-1:xxxxx:identity/no-reply@xxxxxx.com'
```
But when I try it locally using the same AWS access key, secret key and email it works. Does anyone know how I can attach the required SES policy to the AWS EKS cluster? My cluster code:
```javascript
const cluster = new eks.Cluster('cluster', {
  name: 'my-eks-cluster',
  vpcId: vpc.id,
  publicSubnetIds: vpc.publicSubnetIds,
  privateSubnetIds: vpc.privateSubnetIds,
  desiredCapacity: 2,
  minSize: 1,
  maxSize: 3
});
```
When I write something like:
```javascript
const sesPolicy = JSON.stringify({
  Version: '2012-10-17',
  Statement: [{
    Sid: 'EksClusterSesPermissions',
    Action: ['ses:*'],
    Effect: 'Allow',
    Resource: '*'
  }]
});
const clusterRole = new aws.iam.Role('cluster-role', {
  name: 'my-cluster-role',
  assumeRolePolicy: sesPolicy
});

const cluster = new eks.Cluster('cluster', {
  name: 'my-eks-cluster',
  vpcId: vpc.id,
  publicSubnetIds: vpc.publicSubnetIds,
  privateSubnetIds: vpc.privateSubnetIds,
  desiredCapacity: 2,
  minSize: 1,
  maxSize: 3,
  instanceRole: clusterRole
});
```
And run the
```
pulumi preview
```
command, I get the following output (image below) which looks like I would lose the existing node roles that are applied to cluster nodes by default. Will that affect anything?
The other solution that seems to work is this:
```javascript
// Standalone managed policy granting the SES permissions.
const sesPolicy = new aws.iam.Policy('ses-policy', {
  description: 'EKS cluster SES permissions',
  policy: JSON.stringify({
    Version: '2012-10-17',
    Statement: [{
      Sid: 'EksClusterSesPermissions',
      Action: ['ses:*'],
      Effect: 'Allow',
      Resource: '*'
    }]
  })
});

// Cluster is created with its default node instance roles untouched.
const cluster = new eks.Cluster('cluster', {
  name: 'my-eks-cluster',
  vpcId: vpc.id,
  publicSubnetIds: vpc.publicSubnetIds,
  privateSubnetIds: vpc.privateSubnetIds,
  desiredCapacity: 2,
  minSize: 1,
  maxSize: 3
});

// instanceRoles is an Output<Role[]>, so the attachment is created
// once the default node role is known.
cluster.instanceRoles.apply(attachSesPolicy);

function attachSesPolicy(roles) {
  const [role] = roles;
  const attachment = new aws.iam.RolePolicyAttachment('ses-policy-attach', {
    role: role.name,
    policyArn: sesPolicy.arn
  });
  return attachment;
}
```
With this approach only the SES policy is added and no roles are deleted, unlike approach 1 that I posted above.
l
The policy is wrong. The assume policy is not what actually gives the permissions to perform the action.
The assume policy should be something like
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
and then you create the actual role with `iam.Policy` and then attach it with
`iam.RolePolicyAttachment`
The purpose of the role is different, but the idea is the same.
s
Thanks Tiago! 🙌
Once it's created, how do I attach that role to the EKS cluster? Are you using the `instanceRole` property or `instanceRoles`?
`instanceRoles`
requires an instance profile to be specified
l
That depends, you might not need it at all. Depends on how you are setting your node groups
I, particularly, only use fargate, so I only set fargate profiles