
NOTE: a similar question was asked here, but no proper solution was provided.

I set up an EKS cluster via the eksctl tool with a single EC2 node. I deployed a Pod on the EC2 node; this Pod writes its logs into an S3 bucket. All worked fine when I used an IAM user with key and secret. But now I want this Pod to use an IAM Role instead. This Pod uses a newly created role with AmazonS3FullAccess permissions named prod-airflow-logs. According to the Docs, I also added "ec2.amazonaws.com" to this role's trust relationship as follows:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "ec2.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

The EC2 Node has its own Role named eksctl-prod-eks-nod-NodeInstanceRole-D4JQ2Q6D9GDA. If I understand correctly, this role has to assume the role prod-airflow-logs in order to allow the container Pod to access and store logs in S3. According to the same Docs, I attached an in-line policy to this Node Role as follows:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
          ],
          "Resource": "*"
        }
      ]
    }

But I still get the following error in the Kubernetes Pod when it tries to store logs on S3:

botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::XXXXXXX:assumed-role/eksctl-prod-eks-nod-NodeInstanceRole-D4JQ2Q6D9GDA/i-0254e5b5b36e58f79 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXX:role/prod-airflow-logs

The only thing I don't understand from this error is which user it is referring to. Where on earth is this user User: arn:aws:sts::XXXXXXX:assumed-role/eksctl-prod-eks-nod-NodeInstanceRole-D4JQ2Q6D9GDA/i-0254e5b5b36e58f79? I would appreciate it if someone could point out what exactly I am missing here.


1 Answer


No answer yet... Here is how I made this work: I had to add the ARN of the Node Role into the trust policy of the Pod execution role. In my case, the Pod execution role is prod-airflow-logs and the Node Role is eksctl-prod-eks-nod-NodeInstanceRole-D4JQ2Q6D9GDA.

The trust relationship of the Pod execution role has to be as follows:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::XXXXXXX:role/eksctl-prod-eks-nod-NodeInstanceRole-D4JQ2Q6D9GDA"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
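To make the error message and the fix concrete, here is a small added check (my own code, not from the question or the answer) that mimics the two-sided evaluation IAM performs on AssumeRole: the caller's identity policy must allow sts:AssumeRole on the target role, and the target role's trust policy must name the caller's role as an AWS principal. It also maps the assumed-role session ARN from the error to the IAM role ARN that trust policies match against. The account id 111111111111 and the action list in the node role's inline policy are assumptions.

```python
import re

# Constructed sample: the session ARN from the question's error (account id assumed),
# the target role, and the two trust policies from the question and the answer.
CALLER_ARN = ("arn:aws:sts::111111111111:assumed-role/"
              "eksctl-prod-eks-nod-NodeInstanceRole-D4JQ2Q6D9GDA/i-0254e5b5b36e58f79")
TARGET_ROLE_ARN = "arn:aws:iam::111111111111:role/prod-airflow-logs"
NODE_ROLE_ARN = "arn:aws:iam::111111111111:role/eksctl-prod-eks-nod-NodeInstanceRole-D4JQ2Q6D9GDA"

TRUST_SERVICE_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]},
    "Action": "sts:AssumeRole"}]}
TRUST_NODE_ROLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": NODE_ROLE_ARN},
    "Action": "sts:AssumeRole"}]}
# Assumed identity policy on the node role (the page does not show its action list).
NODE_INLINE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def session_to_role_arn(arn):
    """Map an STS assumed-role session ARN to the IAM role ARN IAM matches in trust policies."""
    m = re.match(r"arn:aws:sts::(\d+):assumed-role/([^/]+)/[^/]+$", arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn

def trust_allows(trust_policy, caller_arn):
    """True if an Allow statement lists the caller's role (or its account root) under 'AWS'.
    A 'Service' principal such as ec2.amazonaws.com never matches a role session."""
    role_arn = session_to_role_arn(caller_arn)
    root_arn = f"arn:aws:iam::{role_arn.split(':')[4]}:root"
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if role_arn in aws or root_arn in aws:
            return True
    return False

def caller_allows(identity_policy, target_role_arn):
    """True if the caller's own policy allows sts:AssumeRole on the target role."""
    for st in identity_policy["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        if any(r in ("*", target_role_arn) for r in _as_list(st.get("Resource", []))):
            return True
    return False

def can_assume(identity_policy, trust_policy, caller_arn, target_role_arn):
    # Both halves are required; a failure on either side yields the same AccessDenied.
    return caller_allows(identity_policy, target_role_arn) and trust_allows(trust_policy, caller_arn)
```

Running `can_assume` with the question's service-only trust policy returns False, and with the answer's trust policy (node role ARN under "AWS") returns True, which is exactly the difference the accepted fix makes.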