My plans fail with a bunch of lines like:

```
Error: Get "https://4BEF2107D872F8E1B7749B06522FF05D.yl4.us-east-2.eks.amazonaws.com/api?timeout=32s": getting credentials: exec: executable aws failed with exit code 254
```

When I inspect the debug log I can see that the get-token command in the kubeconfig produced by the module is causing my role to try to assume itself, which can be reproduced by running:

```
$ aws eks get-token --cluster-name foo-apps-us-east-2 --role arn:aws:iam::123456789:role/foo-ci-pr
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::123456789:assumed-role/foo-ci-pr/my-session is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:role/foo-ci-pr
$ echo $?
254
```

Debug log

```
2021-05-02T08:45:04.594Z [WARN] Provider "provider[\"registry.terraform.io/hashicorp/template\"]" produced an unexpected new value for module.eks_foo.module.cluster.module.cluster_services.data.template_file.kubeconfig.
- .rendered: was cty.StringVal("apiVersion: v1\nclusters:\n- cluster:\n server: https://ABC123.yl4.us-east-2.eks.amazonaws.com\n certificate-authority-data: bla=\n name: foo-apps-us-east-2\ncontexts:\n- context:\n cluster: foo-apps-us-east-2\n user: foo-apps-us-east-2\n name: foo-apps-us-east-2\ncurrent-context: foo-apps-us-east-2\nkind: Config\npreferences: {}\nusers:\n- name: foo-apps-us-east-2\n user:\n exec:\n apiVersion: client.authentication.k8s.io/v1alpha1\n command: aws\n args:\n - \"eks\"\n - \"get-token\"\n - \"--cluster-name\"\n - \"foo-apps-us-east-2\"\n \n - \"--role\"\n - \"arn:aws:iam::123456789:role/infra-automation\"\n \n"), but now cty.StringVal("apiVersion: v1\nclusters:\n- cluster:\n server: https://ABC123.yl4.us-east-2.eks.amazonaws.com\n certificate-authority-data: blah=\n name: foo-apps-us-east-2\ncontexts:\n- context:\n cluster: foo-apps-us-east-2\n user: foo-apps-us-east-2\n name: foo-apps-us-east-2\ncurrent-context: foo-apps-us-east-2\nkind: Config\npreferences: {}\nusers:\n- name: foo-apps-us-east-2\n user:\n exec:\n apiVersion: client.authentication.k8s.io/v1alpha1\n command: aws\n args:\n - \"eks\"\n - \"get-token\"\n - \"--cluster-name\"\n - \"foo-apps-us-east-2\"\n \n - \"--role\"\n - \"arn:aws:iam::123456789:role/infra-ci-pr\"\n \n")
- .id: was cty.StringVal("abc123"), but now cty.StringVal("def456")
```

The generated config itself:

Provider config

This is running on an EC2 instance with the role foo-ci-pr, so is obtaining credentials via the Ec2InstanceMetadata endpoint.

Workarounds

Planning works if I grant the IAM role permission to assume itself.

It also works if I manually remove this block from ./.terraform/modules/eks_foo/aws/_modules/eks/templates/kubeconfig.tpl:
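Added example, not part of the original issue or the module's code: a Python check that detects when the `--role` argument in the kubeconfig exec block names the role the caller is already running as (the self-assume behind the AccessDenied error above) and drops the argument in that case. The function names and sample values are constructed for illustration; in practice the caller ARN would come from `aws sts get-caller-identity`.

```python
import re

# Constructed sample values modelled on the ARNs quoted in the issue.
CALLER_ARN = "arn:aws:sts::123456789:assumed-role/foo-ci-pr/my-session"
KUBECONFIG_ARGS = ["eks", "get-token", "--cluster-name", "foo-apps-us-east-2",
                   "--role", "arn:aws:iam::123456789:role/foo-ci-pr"]

# STS session ARN: arn:<partition>:sts::<account>:assumed-role/<name>/<session>
_ASSUMED = re.compile(r"^arn:(aws[\w-]*):sts::(\d+):assumed-role/([^/]+)/[^/]+$")
# IAM role ARN, with an optional path before the role name.
_ROLE = re.compile(r"^arn:(aws[\w-]*):iam::(\d+):role/(?:.+/)?([^/]+)$")


def role_identity(arn):
    """Return (partition, account, role name) for a role or assumed-role ARN, else None.

    An assumed-role ARN never carries the IAM path, so the path of a role ARN
    is dropped too; role names are unique per account, so nothing is lost.
    """
    m = _ASSUMED.match(arn) or _ROLE.match(arn)
    return m.groups() if m else None


def is_self_assume(caller_arn, target_role_arn):
    """True when the caller's session already belongs to the target role."""
    caller = role_identity(caller_arn)
    return caller is not None and caller == role_identity(target_role_arn)


def strip_self_role(args, caller_arn):
    """Drop '--role <arn>' (or '--role-arn <arn>') only when it names the caller's own role."""
    out, i = [], 0
    while i < len(args):
        is_role_flag = args[i] in ("--role", "--role-arn") and i + 1 < len(args)
        if is_role_flag and is_self_assume(caller_arn, args[i + 1]):
            i += 2  # skip the flag and its value
            continue
        out.append(args[i])
        i += 1
    return out


if __name__ == "__main__":
    print(strip_self_role(KUBECONFIG_ARGS, CALLER_ARN))
```

A `--role` value that names a different role is left in place, so cross-role access still goes through `sts:AssumeRole` and the target role's trust policy.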