本文主要是介绍解决AmazonEKSNodeRole创建ALB相关策略 AccessDenied问题,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
问题
Failed deploy model due to AccessDenied: User: arn:aws:sts::XXXXXXX:assumed-role/AmazonEKSNodeRole/i-05dde0c62e7539e0a is not authorized to perform: elasticloadbalancing:AddTags on resource: arn:aws:elasticloadbalancing:ap-east-1:369180331248:targetgroup/k8s-default-nginx-c1368b7102/* because no identity-based policy allows the elasticloadbalancing:AddTags action status code: 403, request id: c34c7eb0-8d66-4f91-ac73-697d709b8e0c
解决办法
重新创建IAM角色
v2.7.2_iam_policy
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["iam:CreateServiceLinkedRole"],"Resource": "*","Condition": {"StringEquals": {"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"}}},{"Effect": "Allow","Action": ["ec2:DescribeAccountAttributes","ec2:DescribeAddresses","ec2:DescribeAvailabilityZones","ec2:DescribeInternetGateways","ec2:DescribeVpcs","ec2:DescribeVpcPeeringConnections","ec2:DescribeSubnets","ec2:DescribeSecurityGroups","ec2:DescribeInstances","ec2:DescribeNetworkInterfaces","ec2:DescribeTags","ec2:GetCoipPoolUsage","ec2:DescribeCoipPools","elasticloadbalancing:DescribeLoadBalancers","elasticloadbalancing:DescribeLoadBalancerAttributes","elasticloadbalancing:DescribeListeners","elasticloadbalancing:DescribeListenerCertificates","elasticloadbalancing:DescribeSSLPolicies","elasticloadbalancing:DescribeRules","elasticloadbalancing:DescribeTargetGroups","elasticloadbalancing:DescribeTargetGroupAttributes","elasticloadbalancing:DescribeTargetHealth","elasticloadbalancing:DescribeTags","elasticloadbalancing:DescribeTrustStores"],"Resource": "*"},{"Effect": "Allow","Action": ["cognito-idp:DescribeUserPoolClient","acm:ListCertificates","acm:DescribeCertificate","iam:ListServerCertificates","iam:GetServerCertificate","waf-regional:GetWebACL","waf-regional:GetWebACLForResource","waf-regional:AssociateWebACL","waf-regional:DisassociateWebACL","wafv2:GetWebACL","wafv2:GetWebACLForResource","wafv2:AssociateWebACL","wafv2:DisassociateWebACL","shield:GetSubscriptionState","shield:DescribeProtection","shield:CreateProtection","shield:DeleteProtection"],"Resource": "*"},{"Effect": "Allow","Action": ["ec2:AuthorizeSecurityGroupIngress","ec2:RevokeSecurityGroupIngress"],"Resource": "*"},{"Effect": "Allow","Action": ["ec2:CreateSecurityGroup"],"Resource": "*"},{"Effect": "Allow","Action": ["ec2:CreateTags"],"Resource": "arn:aws:ec2:*:*:security-group/*","Condition": {"StringEquals": {"ec2:CreateAction": "CreateSecurityGroup"},"Null": {"aws:RequestTag/elbv2.k8s.aws/cluster": "false"}}},{"Effect": "Allow","Action": ["ec2:CreateTags","ec2:DeleteTags"],"Resource": "arn:aws:ec2:*:*:security-group/*","Condition": {"Null": {"aws:RequestTag/elbv2.k8s.aws/cluster": "true","aws:ResourceTag/elbv2.k8s.aws/cluster": "false"}}},{"Effect": "Allow","Action": ["ec2:AuthorizeSecurityGroupIngress","ec2:RevokeSecurityGroupIngress","ec2:DeleteSecurityGroup"],"Resource": "*","Condition": {"Null": {"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"}}},{"Effect": "Allow","Action": ["elasticloadbalancing:CreateLoadBalancer","elasticloadbalancing:CreateTargetGroup"],"Resource": "*","Condition": {"Null": {"aws:RequestTag/elbv2.k8s.aws/cluster": "false"}}},{"Effect": "Allow","Action": ["elasticloadbalancing:CreateListener","elasticloadbalancing:DeleteListener","elasticloadbalancing:CreateRule","elasticloadbalancing:DeleteRule"],"Resource": "*"},{"Effect": "Allow","Action": ["elasticloadbalancing:AddTags","elasticloadbalancing:RemoveTags"],"Resource": ["arn:aws:elasticloadbalancing:*:*:targetgroup/*/*","arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*","arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"],"Condition": {"Null": {"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"}}},{"Effect": "Allow","Action": ["elasticloadbalancing:AddTags","elasticloadbalancing:RemoveTags"],"Resource": ["arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*","arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*","arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*","arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"]},{"Effect": "Allow","Action": ["elasticloadbalancing:ModifyLoadBalancerAttributes","elasticloadbalancing:SetIpAddressType","elasticloadbalancing:SetSecurityGroups","elasticloadbalancing:SetSubnets","elasticloadbalancing:DeleteLoadBalancer","elasticloadbalancing:ModifyTargetGroup","elasticloadbalancing:ModifyTargetGroupAttributes","elasticloadbalancing:DeleteTargetGroup"],"Resource": "*","Condition": {"Null": {"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"}}},{"Effect": "Allow","Action": ["elasticloadbalancing:AddTags"],"Resource": ["arn:aws:elasticloadbalancing:*:*:targetgroup/*/*","arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*","arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"],"Condition": {"StringEquals": {"elasticloadbalancing:CreateAction": ["CreateTargetGroup","CreateLoadBalancer"]},"Null": {"aws:RequestTag/elbv2.k8s.aws/cluster": "false"}}},{"Effect": "Allow","Action": ["elasticloadbalancing:RegisterTargets","elasticloadbalancing:DeregisterTargets"],"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"},{"Effect": "Allow","Action": ["elasticloadbalancing:SetWebAcl","elasticloadbalancing:ModifyListener","elasticloadbalancing:AddListenerCertificates","elasticloadbalancing:RemoveListenerCertificates","elasticloadbalancing:ModifyRule"],"Resource": "*"}]
}
将文件中的以下部分"aws:RequestTag/elbv2.k8s.aws/cluster": "true",删除即可
"Condition": {"Null": {-"aws:RequestTag/elbv2.k8s.aws/cluster": "true","aws:ResourceTag/elbv2.k8s.aws/cluster": "false"}}
重新创建,创建好了后替换原来加入eksnode的角色中
这篇关于解决AmazonEKSNodeRole创建ALB相关策略 AccessDenied问题的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
