sparse-spring-91820
12/15/2021, 10:31 AM
error: User 'arn:xxxxx:assumed-role/cluster-instanceRole-role-xxxxx' is not authorized to perform 'ses:SendRawEmail' on resource 'arn:aws:ses:us-east-1:xxxxx:identity/no-reply@xxxxxx.com'.
But when I try it locally using the same AWS access and secret key and email it works.
Does anyone know how I can attach required ses policy to aws eks cluster?
My cluster code:
const cluster = new eks.Cluster('cluster', {
  name: 'my-eks-cluster',
  vpcId: vpc.id,
  publicSubnetIds: vpc.publicSubnetIds,
  privateSubnetIds: vpc.privateSubnetIds,
  desiredCapacity: 2,
  minSize: 1,
  maxSize: 3
});
const sesPolicy = JSON.stringify({
  Version: '2012-10-17',
  Statement: [{
    Sid: 'EksClusterSesPermissions',
    Action: ['ses:*'],
    Effect: 'Allow',
    Resource: '*'
  }]
});
const clusterRole = new aws.iam.Role('cluster-role', {
  name: 'my-cluster-role',
  assumeRolePolicy: sesPolicy
});
const cluster = new eks.Cluster('cluster', {
  name: 'my-eks-cluster',
  vpcId: vpc.id,
  publicSubnetIds: vpc.publicSubnetIds,
  privateSubnetIds: vpc.privateSubnetIds,
  desiredCapacity: 2,
  minSize: 1,
  maxSize: 3,
  instanceRole: clusterRole
});
And run pulumi preview command I get the following output (image below) like I would lose existing node roles which are applied to cluster nodes by default. Will that affect anything?
const sesPolicy = new aws.iam.Policy('ses-policy', {
  description: 'EKS cluster SES permissions',
  policy: JSON.stringify({
    Version: '2012-10-17',
    Statement: [{
      Sid: 'EksClusterSesPermissions',
      Action: ['ses:*'],
      Effect: 'Allow',
      Resource: '*'
    }]
  })
});
const cluster = new eks.Cluster('cluster', {
  name: 'my-eks-cluster',
  vpcId: vpc.id,
  publicSubnetIds: vpc.publicSubnetIds,
  privateSubnetIds: vpc.privateSubnetIds,
  desiredCapacity: 2,
  minSize: 1,
  maxSize: 3
});
cluster.instanceRoles.apply(attachSesPolicy);
function attachSesPolicy(roles) {
  const [role] = roles;
  const attachment = new aws.iam.RolePolicyAttachment('ses-policy-attach', {
    role: role.name,
    policyArn: sesPolicy.arn
  });
}
With this approach only will ses policy be added and no roles will be deleted as with the approach 1 I posted above
limited-army-96747
12/15/2021, 12:46 PM
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
iam.RolePolicyAttachment
sparse-spring-91820
12/16/2021, 11:57 AM
instanceRoles requires instance profile to be specified
limited-army-96747
12/16/2021, 10:17 PM