创建 EKS 集群时出现 OIDC 提供商权限错误(iam:TagOpenIDConnectProvider AccessDenied)
【以下的问题经过翻译处理】 我正在从头开始创建 EKS 集群,但每次创建时都会出现以下错误: 2023-03-28 15:08:05 [✖] 创建 OIDC 提供商:操作错误 IAM:
CreateOpenIDConnectProvider, https response error StatusCode: 403, RequestID: bacf7543-bfe0-4b1c-982e-a81e61cef1c7, api error AccessDenied: User: arn:aws:sts::*:assumed-role/DEV-EC2-JenkinsMaster-Instance/i-09f8b9ad4eb5hhh09 is not authorized to perform: iam:TagOpenIDConnectProvider on resource: arn:aws:iam::*:oidc-provider/oidc.eks.us-east-1.amazonaws.com because no identity-based policy allows the iam:TagOpenIDConnectProvider action
经过大量排查后,我确认该角色(DEV-EC2-JenkinsMaster-Instance)当前附加的是我之前编写的以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:DeleteInternetGateway",
"Resource": "arn:aws:ec2:*:*:internet-gateway/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:ModifyListener",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DescribeInstances",
"ec2:AttachInternetGateway",
"ec2:DeleteRouteTable",
"ec2:RevokeSecurityGroupEgress",
"ec2:CreateRoute",
"ec2:CreateInternetGateway",
"ec2:DescribeVolumes",
"ec2:DeleteInternetGateway",
"ec2:DescribeKeyPairs",
"iam:GetRole",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
"ec2:ImportKeyPair",
"ec2:CreateTags",
"elasticloadbalancing:CreateTargetGroup",
"ecr:GetAuthorizationToken",
"ec2:RunInstances",
"ec2:DisassociateRouteTable",
"ec2:CreateVolume",
"ec2:RevokeSecurityGroupIngress",
"elasticloadbalancing:AddTags",
"ec2:DescribeImageAttribute",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"ec2:DeleteNatGateway",
"autoscaling:DeleteAutoScalingGroup",
"ec2:CreateSubnet",
"ec2:DescribeSubnets",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"ecr:InitiateLayerUpload",
"ec2:AttachVolume",
"ec2:CreateNatGateway",
"ec2:CreateVpc",
"ecr:ListImages",
"ec2:DescribeVpcAttribute",
"ec2:ModifySubnetAttribute",
"autoscaling:DescribeScalingActivities",
"ec2:DescribeAvailabilityZones",
"ssm:GetParametersByPath",
"elasticloadbalancing:CreateLoadBalancerPolicy",
"ec2:ReleaseAddress",
"ec2:DeleteLaunchTemplate",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup",
"ec2:DescribeSecurityGroups",
"autoscaling:CreateLaunchConfiguration",
"ec2:CreateLaunchTemplate",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"ec2:DescribeVpcs",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DetachLoadBalancerFromSubnets",
"ec2:DeleteSubnet",
"elasticloadbalancing:RegisterTargets",
"ec2:DescribeVolumesModifications",
"ssm:GetParameter",
"ec2:AssociateRouteTable",
"elasticloadbalancing:DeleteLoadBalancer",
"ec2:DescribeInternetGateways",
"elasticloadbalancing:DescribeLoadBalancers",
"ec2:DeleteVolume",
"ssm:DeleteParameter",
"ssm:DescribeParameters",
"autoscaling:DescribeAutoScalingGroups",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"autoscaling:UpdateAutoScalingGroup",
"ec2:DescribeAccountAttributes",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"ec2:DescribeRouteTables",
"ecr:BatchCheckLayerAvailability",
"ec2:DetachVolume",
"ec2:ModifyVolume",
"ec2:DescribeLaunchTemplates",
"ecr:GetDownloadUrlForLayer",
"ec2:CreateRouteTable",
"cloudformation:*",
"elasticloadbalancing:DeregisterTargets",
"ec2:DetachInternetGateway",
"ssm:GetParameters",
"ssm:DeleteParameters",
"ecr:PutImage",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"ssm:PutParameter",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ec2:DeleteVpc",
"eks:*",
"autoscaling:CreateAutoScalingGroup",
"ec2:DescribeAddresses",
"ec2:DeleteTags",
"elasticloadbalancing:ConfigureHealthCheck",
"autoscaling:DescribeLaunchConfigurations",
"ec2:DescribeDhcpOptions",
"ecr:UploadLayerPart",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:DescribeListeners",
"ec2:DescribeNetworkInterfaces",
"ec2:CreateSecurityGroup",
"ecr:CompleteLayerUpload",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"kms:DescribeKey",
"ecr:DescribeRepositories",
"ec2:ModifyVpcAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:AuthorizeSecurityGroupEgress",
"elasticloadbalancing:AttachLoadBalancerToSubnets",
"ec2:DescribeTags",
"ssm:GetParameterHistory",
"ec2:DeleteRoute",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeNatGateways",
"elasticloadbalancing:CreateLoadBalancerListeners",
"ec2:AllocateAddress",
"ec2:DescribeImages",
"autoscaling:DeleteLaunchConfiguration",
"ec2:DeleteSecurityGroup",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyTargetGroup"
],
"Resource": "*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
}
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetRole",
"iam:GetInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:ListInstanceProfiles",
"iam:AddRoleToInstanceProfile",
"iam:CreateOpenIDConnectProvider",
"iam:ListInstanceProfilesForRole",
"iam:PassRole",
"iam:CreateServiceLinkedRole",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:DeleteRolePolicy",
"iam:DeleteServiceLinkedRole",
"iam:GetRolePolicy"
],
"Resource": [
"arn:aws:iam::*:instance-profile/eksctl-*",
"arn:aws:iam::*:role/eksctl-*",
"arn:aws:iam::*:role/aws-service-role/eks.amazonaws.com/*",
"arn:aws:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/*",
"arn:aws:iam::*:oidc-provider/*"
]
},
{
"Sid": "VisualEditor4",
"Effect": "Allow",
"Action": "iam:GetOpenIDConnectProvider",
"Resource": "arn:aws:iam::*:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/*"
}
]
}
那我错过了什么?
1 回答
【以下的回答经过翻译处理】 你好,Systemgeek,
根据所发布的错误消息,操作失败是因为你的 IAM 角色 DEV-EC2-JenkinsMaster-Instance 没有对 arn:aws:iam::*:oidc-provider/oidc.eks.us-east-1.amazonaws.com 执行 iam:TagOpenIDConnectProvider 的权限:被拒绝的 API 调用是 CreateOpenIDConnectProvider,而被拒绝的动作却是 iam:TagOpenIDConnectProvider,这说明 eksctl 在创建 OIDC 提供商时同时传入了标签,IAM 因而要求这两个权限同时具备。你贴出的策略里只有 iam:CreateOpenIDConnectProvider,没有 iam:TagOpenIDConnectProvider。
要解决这个问题,请把 iam:TagOpenIDConnectProvider 加到 Sid 为 VisualEditor3 的语句中——该语句的 Resource 已经包含 arn:aws:iam::*:oidc-provider/*,可以保持最小权限;不要把它加到 Resource 为 "*" 的 VisualEditor1 语句里。修改后重新执行创建操作。
另外请注意,VisualEditor4 只允许对 oidc.eks.eu-west-1.amazonaws.com/* 执行 iam:GetOpenIDConnectProvider,而错误信息显示你的集群位于 us-east-1;这个区域不匹配很可能成为下一个 AccessDenied 错误,建议一并改为与集群所在区域一致的 oidc.eks.us-east-1.amazonaws.com/*。
有关使用eksctl CLI创建EKS集群所需的最小IAM策略的更多信息,请访问https://eksctl.io/usage/minimum-iam-policies/
希望这可以帮助到你!