Problem:
Cannot execute kubectl get <something>
Error:
error: the server doesn't have a resource type "something"
OR
Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
OR
could not get token: AccessDenied: Access denied status code: 403
Solution:
When you created the cluster, you were using the eksworkshop-admin role.
Edit the trust relationship of the eksworkshop-admin role and add something like "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/<USERNAME>" to the Principal:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/admin"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
$ aws sts assume-role --role-arn arn:aws:iam::XXXXXXXXXXXX:role/eksworkshop-admin --role-session-name test
{
  "AssumedRoleUser": {
    "AssumedRoleId": "XXXXXXXXXXXX:test",
    "Arn": "arn:aws:sts::XXXXXXXXXXXX:assumed-role/eksworkshop-admin/test"
  },
  "Credentials": {
    "SecretAccessKey": "4kS0Yn7/e77Mv1lvJDvJYMPXjIyILFhQm1qC6Hx5",
    "SessionToken": "FQoGZXIvYXdzEBgaDMPJZu+rSo2iwPcbbSLoAbhpXvv3bWLlUcA+rydR0UDXvoQWxCHXY4tKidh+6UQ2KfFn/TU3nMfT84bPrnwTuMqCB/VUl8r319r9sA152KeR6igLkpj7Gkl5AXhvbceCoMy+9E3gSlgyyvbsNquZkVmnOb7cTJOTxChsl3y3ATvES87GAa8k4rSMcBJPawcvoLu8dDFrHL4KQzxINJHB3iaiHamMB48lB8e9O4QANj8qfnD2U9jcLhG8DYqPEi+gfA9LK9kNQlw0dyOX2MoM5Joy4sXzY9B+4ZJsEHeAxCNfavO7Y+TA45ONiSv/qKw9LcSP/qZHrGwo6PK75gU=",
    "Expiration": "2019-05-05T15:55:36Z",
    "AccessKeyId": "ASIA2HBXB5ZZONJQUD6Y"
  }
}
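A quick way to confirm that a trust policy like the one above actually covers the IAM identity running kubectl, as an added example (not from the original note or the EKS workshop). The function names are hypothetical and the policy is a constructed copy of the one shown above. The check covers only Allow statements and Principal.AWS entries; it ignores Condition blocks, Deny statements and the caller's own IAM permissions.

```python
import json

# Constructed sample: the trust policy shown above (account ID is a placeholder).
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/admin"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

def as_list(value):
    """IAM lets Statement, Action and Principal values be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def principal_matches(entry, caller_arn):
    """True if one Principal.AWS entry covers caller_arn."""
    account = caller_arn.split(":")[4]
    # "*", the exact ARN, the bare account ID or the account root ARN all cover the caller.
    return entry in ("*", caller_arn, account, f"arn:aws:iam::{account}:root")

def can_assume(policy, caller_arn):
    """Return the Allow statements that let caller_arn call sts:AssumeRole."""
    hits = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        entries = ["*"] if principal == "*" else as_list(principal.get("AWS"))
        if any(principal_matches(e, caller_arn) for e in entries):
            hits.append(stmt)
    return hits

if __name__ == "__main__":
    for arn in ("arn:aws:iam::XXXXXXXXXXXX:user/admin", "arn:aws:iam::XXXXXXXXXXXX:user/dev"):
        print(arn, "->", "allowed" if can_assume(TRUST_POLICY, arn) else "not in trust policy")
```

A match on "*" or on the account root entry means every principal in scope can assume the role, which is worth narrowing for a role that administers the cluster.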
https://medium.com/@ngocson2vn/how-to-fix-the-error-an-error-occurred-accessdenied-when-calling-the-assumerole-operation-e85f0152daca
https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/master/README.md
https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
https://serverfault.com/questions/956265/unable-to-list-services-in-aws-eks