Ryfujk

Coordinate position not precise

Why Were Madagascar and New Zealand Discovered So Late?

Should my PhD thesis be submitted under my legal name?

Why are on-board computers allowed to change controls without notifying the pilots?

Curses work by shouting - How to avoid collateral damage?

Hide Select Output from T-SQL

Valid Badminton Score?

What is the oldest known work of fiction?

How do we know the LHC results are robust?

Why is `const int& k = i; ++i; ` possible?

The plural of 'stomach"

Is exact Kanji stroke length important?

What't the meaning of this extra silence?

Implement the Thanos sorting algorithm

Failed to fetch jessie backports repository

Is expanding the research of a group into machine learning as a PhD student risky?

How to be diplomatic in refusing to write code that breaches the privacy of our users

At which point does a character regain all their Hit Dice?

How will losing mobility of one hand affect my career as a programmer?

Your magic is very sketchy

What's the purpose of "true" in bash "if sudo true; then"

Efficiently merge handle parallel feature branches in SFDX

Dot above capital letter not centred

Modify casing of marked letters

AWS EKS update-kubeconfig does not respect --role-arn flag

AWS RDS CLI: AccessDenied on CreateDBSnapshotFind minimal policies in AWS that user needsAccess Denied when calling the CreateInvalidation operation on AWS CLIS3 restoration using s3api get-object is not working in aws china regionAdding an AWS account to Stackdriver Premium Monitoring results in a “User is not authorized error”Why does creating a service in AWS ECS require the ecs:CreateService permission on all resources?Unable to update ElasticSearch access policy using AWS CLIAWS could not get token: AccessDenied: User: ARN is not authorized to perform: sts:AssumeRole on resource: Role:ARNAWS IAM - AssumeRole within same account?Unable to list services in AWS EKS

1

Whenever I run the following command with the role that that was used to create the eks cluster...

aws eks update-kubeconfig --name eks-cluster --role-arn arn:aws:iam::999999999999:role/eksServiceRole

... I get the following error:

An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::111111111111:user/username is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-1:561353845098:cluster/eks-cluster

Does anybody have any advice on how to go about diagnosing and rectifying this error?

amazon-web-services kubernetes aws-cli

share|improve this question

asked Jan 3 at 21:09

Kurt MuellerKurt Mueller

1064

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Hi, if one of the responses below answered your question please upvote and accept it. That's the ServerFault way of saying Thanks for the time someone took to help you :)
  
  – MLu
  Feb 19 at 20:55
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Still banging my head on this one. That's not to say that I'm not thankful for the time and thought my fellow StackExchange users gave to me... I am very grateful and thankful to them. I upvoted both answers but haven't marked any response as a solution because I still haven't solved this particular problem.
  
  – Kurt Mueller
  Feb 19 at 22:47
  

  
  
  
  

add a comment | 

1

Whenever I run the following command with the role that that was used to create the eks cluster...

aws eks update-kubeconfig --name eks-cluster --role-arn arn:aws:iam::999999999999:role/eksServiceRole

... I get the following error:

An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::111111111111:user/username is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-1:561353845098:cluster/eks-cluster

Does anybody have any advice on how to go about diagnosing and rectifying this error?

amazon-web-services kubernetes aws-cli

share|improve this question

asked Jan 3 at 21:09

Kurt MuellerKurt Mueller

1064

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Hi, if one of the responses below answered your question please upvote and accept it. That's the ServerFault way of saying Thanks for the time someone took to help you :)
  
  – MLu
  Feb 19 at 20:55
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Still banging my head on this one. That's not to say that I'm not thankful for the time and thought my fellow StackExchange users gave to me... I am very grateful and thankful to them. I upvoted both answers but haven't marked any response as a solution because I still haven't solved this particular problem.
  
  – Kurt Mueller
  Feb 19 at 22:47
  

  
  
  
  

add a comment | 

Whenever I run the following command with the role that that was used to create the eks cluster...

aws eks update-kubeconfig --name eks-cluster --role-arn arn:aws:iam::999999999999:role/eksServiceRole

... I get the following error:

An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::111111111111:user/username is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-1:561353845098:cluster/eks-cluster

Does anybody have any advice on how to go about diagnosing and rectifying this error?

amazon-web-services kubernetes aws-cli

share|improve this question

asked Jan 3 at 21:09

Kurt MuellerKurt Mueller

1064

aws eks update-kubeconfig --name eks-cluster --role-arn arn:aws:iam::999999999999:role/eksServiceRole

An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::111111111111:user/username is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-1:561353845098:cluster/eks-cluster

share|improve this question

asked Jan 3 at 21:09

Kurt MuellerKurt Mueller

1064

share|improve this question

asked Jan 3 at 21:09

Kurt MuellerKurt Mueller

1064

asked Jan 3 at 21:09

Kurt MuellerKurt Mueller

1064

asked Jan 3 at 21:09

Kurt MuellerKurt Mueller

1064

3 Answers
3

active

oldest

votes

2

A couple of suggestions that may, or may not help:

• You may include --verbose to your command to perhaps get better details as to where it fails. Could it be that case that the user you are authenticated as are not able to assume the role specified?




• In the manual for aws-cli --role-arn is passed as a string, you should try to encapsulate it with double-quotes:

aws eks update-kubeconfig --name eks-cluster --role-arn "arn:aws:iam::999999999999:role/eksServiceRole"

• 
  

  Try to manually assume the role through aws-cli.

  
  
  
  
  

  1. Verify your current authenticated session:
     aws sts get-caller-identity

  
  

  2. Attempt to assume the role: aws sts assume-role --role-arn "arn:aws:iam::999999999999:role/eksServiceRole" --role-session-name test-eks-role

  
  
  
  

share|improve this answer

answered Jan 4 at 1:44

William SandinWilliam Sandin

64359

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  docs.aws.amazon.com/cli/latest/userguide/… for reference
  
  – Kurt Mueller
  Jan 4 at 19:47
  

  
  
  
  

add a comment | 

1

I'm not that familiar with EKS but I guess the user that you're running the aws eks command as needs privileges to describe the cluster.

Does this run successfully?

~ $ aws eks describe-cluster --name eks-cluster

If not you'll need to check your aws-cli permissions and make that work first.

It's just a guess but hope that helps :)

share|improve this answer

answered Jan 3 at 22:06

MLuMLu

9,24212445

add a comment | 

0

I came up with the same error. But after I updating the correct access key and secret key in the file .aws/credentials, problem was resolved.

Please note that you need to use access key and the secret key of a user who allows to perform AWS EKS realted actions.

share|improve this answer

answered 10 mins ago

user516231user516231

1

New contributor

user516231 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f947523%2faws-eks-update-kubeconfig-does-not-respect-role-arn-flag%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

2

A couple of suggestions that may, or may not help:

• You may include --verbose to your command to perhaps get better details as to where it fails. Could it be that case that the user you are authenticated as are not able to assume the role specified?




• In the manual for aws-cli --role-arn is passed as a string, you should try to encapsulate it with double-quotes:

aws eks update-kubeconfig --name eks-cluster --role-arn "arn:aws:iam::999999999999:role/eksServiceRole"

• 
  

  Try to manually assume the role through aws-cli.

  
  
  
  
  

  1. Verify your current authenticated session:
     aws sts get-caller-identity

  
  

  2. Attempt to assume the role: aws sts assume-role --role-arn "arn:aws:iam::999999999999:role/eksServiceRole" --role-session-name test-eks-role

  
  
  
  

share|improve this answer

answered Jan 4 at 1:44

William SandinWilliam Sandin

64359

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  docs.aws.amazon.com/cli/latest/userguide/… for reference
  
  – Kurt Mueller
  Jan 4 at 19:47
  

  
  
  
  

add a comment | 

2

A couple of suggestions that may, or may not help:

• You may include --verbose to your command to perhaps get better details as to where it fails. Could it be that case that the user you are authenticated as are not able to assume the role specified?




• In the manual for aws-cli --role-arn is passed as a string, you should try to encapsulate it with double-quotes:

aws eks update-kubeconfig --name eks-cluster --role-arn "arn:aws:iam::999999999999:role/eksServiceRole"

• 
  

  Try to manually assume the role through aws-cli.

  
  
  
  
  

  1. Verify your current authenticated session:
     aws sts get-caller-identity

  
  

  2. Attempt to assume the role: aws sts assume-role --role-arn "arn:aws:iam::999999999999:role/eksServiceRole" --role-session-name test-eks-role

  
  
  
  

share|improve this answer

answered Jan 4 at 1:44

William SandinWilliam Sandin

64359

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  docs.aws.amazon.com/cli/latest/userguide/… for reference
  
  – Kurt Mueller
  Jan 4 at 19:47
  

  
  
  
  

add a comment | 

A couple of suggestions that may, or may not help:

• You may include --verbose to your command to perhaps get better details as to where it fails. Could it be that case that the user you are authenticated as are not able to assume the role specified?




• In the manual for aws-cli --role-arn is passed as a string, you should try to encapsulate it with double-quotes:

aws eks update-kubeconfig --name eks-cluster --role-arn "arn:aws:iam::999999999999:role/eksServiceRole"

• 
  

  Try to manually assume the role through aws-cli.

  
  
  
  
  

  1. Verify your current authenticated session:
     aws sts get-caller-identity

  
  

  2. Attempt to assume the role: aws sts assume-role --role-arn "arn:aws:iam::999999999999:role/eksServiceRole" --role-session-name test-eks-role

  
  
  
  

share|improve this answer

answered Jan 4 at 1:44

William SandinWilliam Sandin

64359

share|improve this answer

answered Jan 4 at 1:44

William SandinWilliam Sandin

64359

answered Jan 4 at 1:44

William SandinWilliam Sandin

64359

answered Jan 4 at 1:44

William SandinWilliam Sandin

64359

1

I'm not that familiar with EKS but I guess the user that you're running the aws eks command as needs privileges to describe the cluster.

Does this run successfully?

~ $ aws eks describe-cluster --name eks-cluster

If not you'll need to check your aws-cli permissions and make that work first.

It's just a guess but hope that helps :)

share|improve this answer

answered Jan 3 at 22:06

MLuMLu

9,24212445

add a comment | 

1

I'm not that familiar with EKS but I guess the user that you're running the aws eks command as needs privileges to describe the cluster.

Does this run successfully?

~ $ aws eks describe-cluster --name eks-cluster

If not you'll need to check your aws-cli permissions and make that work first.

It's just a guess but hope that helps :)

share|improve this answer

answered Jan 3 at 22:06

MLuMLu

9,24212445

add a comment | 

I'm not that familiar with EKS but I guess the user that you're running the aws eks command as needs privileges to describe the cluster.

Does this run successfully?

~ $ aws eks describe-cluster --name eks-cluster

If not you'll need to check your aws-cli permissions and make that work first.

It's just a guess but hope that helps :)

share|improve this answer

answered Jan 3 at 22:06

MLuMLu

9,24212445

~ $ aws eks describe-cluster --name eks-cluster

share|improve this answer

answered Jan 3 at 22:06

MLuMLu

9,24212445

answered Jan 3 at 22:06

MLuMLu

9,24212445

answered Jan 3 at 22:06

MLuMLu

9,24212445

0

I came up with the same error. But after I updating the correct access key and secret key in the file .aws/credentials, problem was resolved.

Please note that you need to use access key and the secret key of a user who allows to perform AWS EKS realted actions.

share|improve this answer

answered 10 mins ago

user516231user516231

1

New contributor

user516231 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

0

I came up with the same error. But after I updating the correct access key and secret key in the file .aws/credentials, problem was resolved.

Please note that you need to use access key and the secret key of a user who allows to perform AWS EKS realted actions.

share|improve this answer

answered 10 mins ago

user516231user516231

1

New contributor

user516231 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

I came up with the same error. But after I updating the correct access key and secret key in the file .aws/credentials, problem was resolved.

Please note that you need to use access key and the secret key of a user who allows to perform AWS EKS realted actions.

share|improve this answer

answered 10 mins ago

user516231user516231

1

New contributor

user516231 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this answer

answered 10 mins ago

user516231user516231

1

New contributor

user516231 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 10 mins ago

user516231user516231

1

New contributor

user516231 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 10 mins ago

user516231user516231

1