I have a role which has full previlege to access EKS, Ec2, IAM which is attached to an Ec2 Instance.

I am trying to access my EKS cluster from this Ec2 Instance. I did add the Ec2 instance arn like below to the Trusted relationship of the role which the instance assumes as well. However still I get the error like below when trying to access the cluster using kubectl from cli inside the Ec2 instance.

I have tried below to obtain the kube config written to the instance hoe directory from which I execute these commands.

aws sts get-caller-identity

$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region --role-arn arn:aws:iam::XXXXXXXXXXXX:role/testrole

Error I get:

error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::769379794363:assumed-role/dev-server-role/i-016d7738c9cb84b96 is not authorized to perform: sts:AssumeRole on resource xxx

CodePudding user response：

You need to establish trust relationship , Go to I AM role and click trust relationship and add following JSON

Replace XXXXXXXXXXXX with your account id

            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "AWS": [
                      "arn:aws:iam::XXXXXXXXXXXX:root",
                    ]
                  },
                  "Action": "sts:AssumeRole"
                }
              ]
            }

CodePudding user response：

Community wiki answer for better visibility.

The problem is solved by taking a good tip from the comment:

Don't specify role-arn if you want it to use the instance profile.

OP has confirmed:

thanks @jordanm that helped