EKS not able to authenticate to Kubernetes with Kubectl - “User: is not authorized to perform: sts:AssumeRole”

Question

I've initially run aws --region eu-west-1 eks update-kubeconfig --name prod-1234 --role-arn arn:aws:iam::1234:user/chris-devops to get access to the EKS cluster.

When doing anything like: kubectl get ... I get an error of:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::1234:user/chris-devops is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::1234:user/chris-devops

Why do I get this error? How do I gain access?

I've added the following to the user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::1234:user/chris-devops"
        }
    ]
}

In addition I also have full Administrator access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

I've read through: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_cant-assume-role

And my understanding is I'm meeting all the criteria.

try to change "Resource": "arn:aws:iam::1234:user/chris-devops to "Resource":* — Amit Baranes
Thanks - I did actually have that there initially but no no difference. — Chris Stryczynski

marcincuber marcincuber · Accepted Answer · 2019-10-18T08:57:48

Your policy is wrong. User can’t assume another IAM user. It should be something like this:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "sts:AssumeRole"
        ],
        "Resource": "arn:aws:iam::1234:role/prod-Eks-1234-admins"
    }
]
}

EKS not able to authenticate to Kubernetes with Kubectl - “User: is not authorized to perform: sts:AssumeRole”

2 Answers