I am trying to add a certificate to my kubernetes cluster with the help of cert-manager, but I get the following error.
cert-manager-challenges Error presenting challenge: error instantiating route53 challenge solver: unable to assume role: AccessDenied: User: arn:aws:iam::<ACCOUNT-ID>:user/route53-user is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<ACCOUNT-ID>:role/route53role
Policy attached to the role
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:GetChange",
            "Resource": "arn:aws:route53:::change/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets"
            ],
            "Resource": "arn:aws:route53:::hostedzone/*"
        },
        {
            "Effect": "Allow",
            "Action": "route53:ListHostedZonesByName",
            "Resource": "*"
        },
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Role trust relationship
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
If you specify role in the ClusterIssuer resource, you can try removing that line to prevent the AssumeRole.
solvers:
- dns01:
    route53:
      region: us-west-2
      # role: my-role
This may be caused by the change in sts:AssumeRole behavior documented by AWS here. As @Andrew pointed out, specifying a role causes an sts:AssumeRole operation to take place, but if the current role does not have permission to assume the new role (even the same role that already exists), that operation will fail. We found that we had to edit the role's trust relationship to allow sts:AssumeRole on itself. This used to be implicitly allowed. The documentation explains the change.
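The two sides of an AssumeRole failure like the one in the question are the caller's identity policy (which must allow sts:AssumeRole on the role ARN) and the role's trust relationship (which must name the caller as a principal). The trust policy posted in the question names only the ec2.amazonaws.com service principal, so the IAM user in the error message is not trusted by it. The following is an added example, not code from the original post, from cert-manager or from AWS: it parses the AccessDenied message quoted above, runs a deliberately simplified trust-policy evaluation against the posted trust relationship, and emits a corrected trust policy that trusts exactly that caller (and, as the last answer describes, optionally the role's own ARN so the role may assume itself), plus a least-privilege identity policy for the caller in place of the posted sts:AssumeRole on Resource "*". The evaluator only understands Effect, Action and AWS principals with exact ARNs; Condition keys, wildcards, account-root principals and service principals are out of scope and are treated as "not trusted", which is the safe direction for a checker. Function names and the structure of the helper are my own.

```python
"""Check and repair an IAM role trust policy for sts:AssumeRole.

Added example, not from the original post, cert-manager or AWS. The
evaluation is a simplification of IAM: Effect, Action and exact-ARN
"AWS" principals only. Anything it does not understand (Conditions,
wildcards, account-root or service principals) counts as not trusted.
"""
import copy
import re

# Constructed from the error message quoted in the question; the account
# id is the same placeholder the question uses.
ERROR_MESSAGE = (
    "unable to assume role: AccessDenied: User: "
    "arn:aws:iam::<ACCOUNT-ID>:user/route53-user is not authorized to perform: "
    "sts:AssumeRole on resource: arn:aws:iam::<ACCOUNT-ID>:role/route53role"
)

# Trust relationship exactly as posted: only the EC2 service principal.
POSTED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Caller may be an IAM user, an IAM role, or an STS assumed-role session.
ARN_RE = re.compile(
    r"User: (?P<caller>arn:aws:(?:iam|sts)::[^:]+:(?:user|role|assumed-role)/\S+) "
    r"is not authorized to perform: sts:AssumeRole on resource: "
    r"(?P<role>arn:aws:iam::[^:]+:role/\S+)"
)


def parse_access_denied(message):
    """Return (caller_arn, role_arn) from an STS AssumeRole AccessDenied message."""
    m = ARN_RE.search(message)
    if not m:
        raise ValueError("not an sts:AssumeRole AccessDenied message")
    return m.group("caller"), m.group("role")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_allows(policy, principal_arn):
    """Is principal_arn explicitly trusted for sts:AssumeRole? (simplified IAM)

    An explicit Deny naming the principal wins over any Allow, as in IAM.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal_arn not in aws_principals:
            continue  # service principals / wildcards are not evaluated here
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def repair_trust_policy(policy, principal_arn, role_arn, allow_self=False):
    """Return a copy of policy that additionally trusts principal_arn.

    The added statement names the exact caller ARN rather than the account
    root, so no other identity in the account gains the right to assume the
    role. allow_self=True also adds the role's own ARN, the fix the last
    answer describes now that self-assumption is no longer implicit.
    """
    fixed = copy.deepcopy(policy)
    principals = []
    if not trust_policy_allows(policy, principal_arn):
        principals.append(principal_arn)
    if allow_self and role_arn != principal_arn and not trust_policy_allows(policy, role_arn):
        principals.append(role_arn)
    if principals:
        fixed.setdefault("Statement", []).append(
            {"Effect": "Allow", "Principal": {"AWS": principals}, "Action": "sts:AssumeRole"}
        )
    return fixed


def caller_identity_policy(role_arn):
    """Least-privilege identity policy for the caller: assume this one role only.

    This is what replaces a statement granting sts:AssumeRole on Resource "*".
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}],
    }


if __name__ == "__main__":
    import json

    caller, role = parse_access_denied(ERROR_MESSAGE)
    print("caller", caller, "trusted by posted policy:", trust_policy_allows(POSTED_TRUST_POLICY, caller))
    print(json.dumps(repair_trust_policy(POSTED_TRUST_POLICY, caller, role, allow_self=True), indent=2))
    print(json.dumps(caller_identity_policy(role), indent=2))
```

Running it reports that route53-user is not trusted by the posted policy and prints a trust policy with a second Allow statement naming the user and the role itself, alongside a scoped identity policy for the user. Apply the real change with the AWS CLI or console; the checker is only meant to make the mismatch between the error message and the trust relationship visible before you do.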