I am trying to deploy an ECR image on EKS using CodeBuild.
This is my build:
<code>version: 0.2
phases:
  build:
    commands:
      - aws sts get-caller-identity
      - echo Deploying to Amazon EKS...
      - aws eks --region eu-north-1 update-kubeconfig --name my-eks-cluster --role-arn arn:aws:iam::<ACCOUNT-ID>:role/ecr2eks_diy
      - kubectl apply -f ../kubernetes
</code>
Here are some logs:
Running command aws sts get-caller-identity
<code>{
    "UserId": "<USER-ID>",
    "Account": "<ACCOUNT-ID>",
    "Arn": "arn:aws:sts::<ACCOUNT-ID>:assumed-role/ecr2eks_diy/AWSCodeBuild-410d9d6f-6c36-4106-a6d0-a1959c1ae814"
}
</code>
Running command kubectl apply -f ../kubernetes
<code>An error occurred (AccessDenied) when calling the AssumeRole operation: User: <USER-ID> is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<ACCOUNT-ID>:role/ecr2eks_diy
Unable to connect to the server: getting credentials: exec: executable aws failed with exit code 254
</code>
My CodeBuild uses the custom role ecr2eks_diy.
It has AdministratorAccess.
It has the following trust policy:
<code>{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "codebuild.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<ACCOUNT-ID>:user/<USERNAME>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
</code>
My user also has AdministratorAccess.
It also has the following inline policy:
<code>{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<ACCOUNT-ID>:role/ecr2eks_diy"
        }
    ]
}
</code>
In my EKS cluster I have enabled the authentication mode EKS API.
I have 2 entries in the IAM principal ARN list:
arn:aws:iam::<ACCOUNT-ID>:role/ecr2eks_diy
and arn:aws:iam::<ACCOUNT-ID>:user/<USERNAME>
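As an added example (not part of the question above, and not AWS's own evaluation engine): the kubeconfig written by `aws eks update-kubeconfig --role-arn ...` makes kubectl call `aws eks get-token --role-arn ...`, which in turn calls `sts:AssumeRole` on that role, so the trust policy is consulted a second time, now with the build's role session as the caller. The script below is a deliberately simplified local model of trust-policy matching (no Condition blocks, no wildcards, no cross-account subtleties) that checks each caller visible in the question against the posted trust policy. All ARNs are copied from the question; `<ACCOUNT-ID>` and `<USERNAME>` are the question's own placeholders, kept literally. The function and variable names are this example's, not the AWS CLI's.

```python
import copy
import json

# ARNs as they appear in the question; the placeholders are kept literally
# so the values line up with the posted logs and policies.
ACCOUNT = "<ACCOUNT-ID>"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/ecr2eks_diy"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/<USERNAME>"
CODEBUILD_SERVICE = "codebuild.amazonaws.com"
# The caller printed by `aws sts get-caller-identity` inside the build.
BUILD_SESSION_ARN = (f"arn:aws:sts::{ACCOUNT}:assumed-role/ecr2eks_diy/"
                     "AWSCodeBuild-410d9d6f-6c36-4106-a6d0-a1959c1ae814")

# The trust policy exactly as posted in the question.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": CODEBUILD_SERVICE},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": USER_ARN},
         "Action": "sts:AssumeRole"},
    ],
}


def role_arn_of_session(caller_arn):
    """Map an STS role-session ARN to the IAM role it was created from.

    arn:aws:sts::ACCT:assumed-role/ROLE/SESSION -> arn:aws:iam::ACCT:role/ROLE
    Anything else (IAM user ARN, service principal) is returned unchanged.
    """
    parts = caller_arn.split(":", 5)
    if len(parts) == 6 and parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        role_name = parts[5].split("/")[1]
        return f"arn:aws:iam::{parts[4]}:role/{role_name}"
    return caller_arn


def trusted_principals(policy):
    """Every principal named in an Allow statement that grants sts:AssumeRole."""
    found = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in actions:
            continue
        for value in stmt["Principal"].values():
            found.update([value] if isinstance(value, str) else value)
    return found


def may_assume(policy, caller):
    """Simplified trust-policy check (assumption: no Conditions, no wildcards).

    A caller matches if it is named literally, if the role behind its session
    is named, or if the account root principal of its account is named.
    The caller's own identity policy is not modelled here; in real IAM it
    also needs sts:AssumeRole on the target role.
    """
    trusted = trusted_principals(policy)
    if caller in trusted or role_arn_of_session(caller) in trusted:
        return True
    if caller.startswith("arn:"):
        account = caller.split(":")[4]
        return f"arn:aws:iam::{account}:root" in trusted
    return False


def with_extra_principal(policy, principal_arn):
    """Return a copy of `policy` that additionally trusts one AWS principal."""
    updated = copy.deepcopy(policy)
    updated["Statement"].append(
        {"Effect": "Allow", "Principal": {"AWS": principal_arn},
         "Action": "sts:AssumeRole"})
    return updated


def report(policy):
    """Evaluate every caller that appears in the question against `policy`."""
    callers = {
        "codebuild service": CODEBUILD_SERVICE,
        "IAM user": USER_ARN,
        "build session (get-caller-identity output)": BUILD_SESSION_ARN,
    }
    return {label: may_assume(policy, arn) for label, arn in callers.items()}


if __name__ == "__main__":
    print(json.dumps(report(TRUST_POLICY), indent=2))
    # What-if in the model: the session passes only once the role itself
    # (or the account root) is listed as a trusted principal.
    print(json.dumps(report(with_extra_principal(TRUST_POLICY, ROLE_ARN)), indent=2))
```

Run it as a script: the first report shows the CodeBuild service principal and the IAM user matching the posted trust policy while the build's role session (the `assumed-role/ecr2eks_diy/...` caller from the log) does not, which is the same split the logs show between the successful `get-caller-identity` and the failing `AssumeRole` during `kubectl apply`. The second report is the model's what-if with the role ARN added as a trusted principal; it is a check on the posted configuration, not a claim about how the real IAM evaluation engine is implemented.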