I have an EKS cluster set up and I am trying to access some of the secrets available in my AWS Secrets Manager. Currently I have given permissions to one role (AWS IAM) to access all the required secrets, I am using the k8s manifest below, and I am getting the error below.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spark-pi
  namespace: spark-pi
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::XXXXXXXXXXX:role/spark-secret-role
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: spark-pi-role
  namespace: spark-pi
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spark-pi-role-binding
  namespace: spark-pi
subjects:
  - kind: ServiceAccount
    name: spark-pi
    namespace: spark-pi
roleRef:
  kind: Role
  name: spark-pi-role
  apiGroup: rbac.authorization.k8s.io
I am able to submit the Spark job successfully, but I am getting the error below when checking the pod logs:

User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/eks-node-role/i-0XXXXXXXXXXX is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-west-2:XXXXXXXXXX:secret:dev/somesecret (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException;

Not sure why it is assuming the EKS node role when I have attached the required role and permissions to the service account; I have also already created a managed policy (attached to the role) to access AWS Secrets.
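The symptom above (a pod presenting the node's instance-profile role rather than the role annotated on its ServiceAccount) is what you see when the IRSA injection never reached the pod: the AWS SDK credential chain only uses web-identity credentials if the EKS pod-identity webhook added `AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE` and a projected token with audience `sts.amazonaws.com`, and otherwise falls through to the instance metadata service. The checker below is an added example, not part of the question; it takes the JSON of `kubectl get pod <name> -n <ns> -o json` and reports which of those pieces are missing. The expected ServiceAccount name `spark-pi` and the two constructed sample pod specs are assumptions for illustration.

```python
"""Report why a pod reaches AWS with the node role instead of the IRSA role.

Usage: python irsa_check.py pod.json  (with no argument it checks a constructed
sample). Example code, not taken from the question."""
import json
import sys

EXPECTED_SA = "spark-pi"  # ServiceAccount from the question's manifest (assumed)
REQUIRED_ENV = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")
STS_AUDIENCE = "sts.amazonaws.com"


def irsa_findings(pod: dict, expected_sa: str = EXPECTED_SA) -> list:
    """Return the problems found; an empty list means IRSA was injected."""
    spec = pod.get("spec", {})
    problems = []
    # The driver/executor pods must actually run as the annotated ServiceAccount.
    sa = spec.get("serviceAccountName", "default")
    if sa != expected_sa:
        problems.append(f"pod runs as ServiceAccount '{sa}', expected '{expected_sa}'")
    # The pod-identity webhook mounts a projected token with the STS audience.
    sts_token = any(
        src.get("serviceAccountToken", {}).get("audience") == STS_AUDIENCE
        for vol in spec.get("volumes", [])
        for src in vol.get("projected", {}).get("sources", [])
    )
    if not sts_token:
        problems.append("no projected token with audience sts.amazonaws.com (pod was not mutated)")
    # Without these two variables the SDK falls through to instance metadata,
    # i.e. the node role that appears in the AccessDeniedException.
    for c in spec.get("containers", []):
        names = {e.get("name") for e in c.get("env", [])}
        for key in REQUIRED_ENV:
            if key not in names:
                problems.append(f"container '{c.get('name')}' lacks env {key}")
    return problems


# Constructed samples: one pod mutated by the webhook, one that was not.
MUTATED_POD = {"spec": {"serviceAccountName": "spark-pi",
    "volumes": [{"name": "aws-iam-token", "projected": {"sources": [
        {"serviceAccountToken": {"audience": "sts.amazonaws.com", "path": "token"}}]}}],
    "containers": [{"name": "spark-kubernetes-driver", "env": [
        {"name": "AWS_ROLE_ARN", "value": "arn:aws:iam::111122223333:role/spark-secret-role"},
        {"name": "AWS_WEB_IDENTITY_TOKEN_FILE",
         "value": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}]}]}}
UNMUTATED_POD = {"spec": {"serviceAccountName": "default", "volumes": [],
    "containers": [{"name": "spark-kubernetes-driver", "env": []}]}}

if __name__ == "__main__":
    pod = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else UNMUTATED_POD
    for line in irsa_findings(pod) or ["IRSA looks correctly injected"]:
        print(line)
```

If the pod reports the ServiceAccount mismatch, the Spark submission must name the account explicitly (for the driver via `spark.kubernetes.authenticate.driver.serviceAccountName`); if the env variables are missing even though the ServiceAccount is right, the webhook did not see the annotation when the pod was created.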