I am trying to access an EKS cluster owned by a role (call it OwnerRole). To switch to this role, an authorized user must authenticate with MFA.
Here is the relevant configuration on my system:
.aws/config
[profile AuthorizedUser]
region = us-east-1
output = json
mfa_serial = <ARN of the user's MFA device>
[profile RoleProfileUsedByKubectl]
source_profile = AuthorizedUser
role_arn = <ARN of the OwnerRole role>
Here is the relevant part of the kubectl config:
- name: <username in context>
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - <name of the cluster>
      command: aws
      env:
      - name: AWS_PROFILE
        value: RoleProfileUsedByKubectl
      interactiveMode: IfAvailable
      provideClusterInfo: false
However, this is what is actually happening. When I run:
$ kubectl config use-context <context name>
Switched to context "<context name>"
$
$ kubectl get po -A
An error occurred (AccessDenied) when calling the AssumeRole operation: User: <user ARN> is not authorized to perform: sts:AssumeRole on resource: <role ARN>
....
<repeat 4 more times>
....
Unable to connect to the server: getting credentials: exec: executable aws failed with exit code 254
I think this is because when I switch context it should first use the AuthorizedUser profile and ask me for the MFA token, but it does not. So it simply signs in as AuthorizedUser without an MFA token and tries to assume OwnerRole, which is denied because MFA is missing.
However, if I tweak the .aws config slightly as below (moving mfa_serial to the role profile), at least the AWS command works, but kubectl does not:
[profile AuthorizedUser]
region = us-east-1
output = json
[profile RoleProfileUsedByKubectl]
source_profile = AuthorizedUser
mfa_serial = <ARN of the user's MFA device>
role_arn = <ARN of the OwnerRole role>
$ aws eks list-nodegroups --cluster-name <cluster name> --region us-east-1 --profile RoleProfileUsedByKubectl
Enter MFA code for <MFA ARN>:
{
"nodegroups": [
"<node group name list>"
]
}
$
$ kubectl get po -A
Unable to connect to the server: dial tcp 172.16.88.123:443: i/o timeout
$
Could this be because a firewall or security group is blocking kubectl's access? Please advise.
This is what finally worked for me:
.kube/config
users:
- name: <username listed in context>
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - <clustername>
      command: aws
      env:
      - name: AWS_PROFILE
        value: <aws_profile_name>
      interactiveMode: IfAvailable
      provideClusterInfo: false
.aws/config
[profile <base_profile>]
region = us-east-1
output = json
[profile <aws_profile_name>]
source_profile = <base_profile>
mfa_serial = <arn of mfa>
role_arn = <arn of target role that needs mfa>
role_session_name = <optional_but_easy_to_identify_in_logs>
Now, every time I switch context it prompts me for MFA and the switch goes through smoothly.
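The difference between the two .aws/config layouts above is where `mfa_serial` lives: when a profile assumes a role through `source_profile`, the AWS CLI reads `mfa_serial` from the profile that carries `role_arn`, and an `mfa_serial` sitting only on the source (static-credential) profile is never used, so AssumeRole is attempted without an MFA token. The following added example, not code from the poster or from AWS, is a small offline linter that parses an .aws/config file, follows `source_profile` chains, and flags exactly that misplacement. The profile names, account ID and ARNs in the embedded sample configs are constructed for illustration.

```python
"""Lint an AWS CLI config for mfa_serial placed on the wrong profile.

The AWS CLI/botocore take `mfa_serial` from the profile that has
`role_arn`.  An `mfa_serial` left on the source profile is ignored, so
AssumeRole runs without MFA and is denied by a trust policy that
requires it.  This script finds role profiles in that situation.
"""
import configparser
from typing import Dict, List

# Constructed sample configs (fake account ID and ARNs): the broken layout
# from the question and the working layout from the answer.
BROKEN_CONFIG = """
[profile AuthorizedUser]
region = us-east-1
output = json
mfa_serial = arn:aws:iam::111122223333:mfa/authorized-user

[profile RoleProfileUsedByKubectl]
source_profile = AuthorizedUser
role_arn = arn:aws:iam::111122223333:role/OwnerRole
"""

FIXED_CONFIG = """
[profile AuthorizedUser]
region = us-east-1
output = json

[profile RoleProfileUsedByKubectl]
source_profile = AuthorizedUser
mfa_serial = arn:aws:iam::111122223333:mfa/authorized-user
role_arn = arn:aws:iam::111122223333:role/OwnerRole
role_session_name = kubectl-owner-role
"""


def parse_aws_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {profile_name: {key: value}} from .aws/config text.

    Non-default sections are written `[profile NAME]`; the prefix is
    stripped so profiles can be looked up by the name used in
    `source_profile`.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles: Dict[str, Dict[str, str]] = {}
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def resolve_chain(profiles: Dict[str, Dict[str, str]], name: str,
                  seen: List[str] = None) -> List[str]:
    """Follow source_profile links from `name` down to the static-credential
    profile, returning the profile names in order.  Raises on a cycle."""
    seen = list(seen or [])
    if name in seen:
        raise ValueError("source_profile cycle: " + " -> ".join(seen + [name]))
    seen.append(name)
    src = profiles.get(name, {}).get("source_profile")
    return seen if src is None else resolve_chain(profiles, src, seen)


def lint_mfa_placement(profiles: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per role profile whose hop will run without an MFA prompt
    while the credential profile at the bottom of its chain carries an
    (ignored) mfa_serial."""
    findings = []
    for name, p in profiles.items():
        if "role_arn" not in p or "source_profile" not in p or "mfa_serial" in p:
            continue  # not a chained role profile, or MFA already set correctly
        chain = resolve_chain(profiles, name)
        static_profile = chain[-1]
        if static_profile not in profiles:
            findings.append(f"{name}: source_profile '{static_profile}' does not exist")
        elif "mfa_serial" in profiles[static_profile]:
            findings.append(
                f"{name}: mfa_serial is set on credential profile '{static_profile}' "
                f"but not on the role profile; the CLI ignores it there, so AssumeRole "
                f"runs without MFA (move mfa_serial into [profile {name}])"
            )
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        result = lint_mfa_placement(parse_aws_config(text))
        print(f"{label}: {result or 'OK'}")
```

Run it against your real file with `parse_aws_config(open(os.path.expanduser("~/.aws/config")).read())`. Once `mfa_serial` is on the role profile, `aws sts get-caller-identity --profile RoleProfileUsedByKubectl` should prompt for a code and return the assumed-role ARN, which is the same code path `aws eks get-token` takes from the kubectl exec plugin.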