external-dns in Kubernetes cluster not authorized to list hosted zones error - kubernetes

I have installed external-dns using bitnami helm chart with version 6.10.2.
I have created IAM policy to give permissions to list Route53 hosted zones.
IAM policy
{
  "Statement": [
    {
      "Action": [
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ],
  "Version": "2012-10-17"
}
The IAM policy is also mapped to the service account:
eksctl get iamserviceaccount --cluster=testcluster --namespace add-ons
NAMESPACE    NAME            ROLE ARN
add-ons      external-dns    arn:aws:iam::442355839237:role/eksctl-testcluster-addon-iamserviceaccount-ad-Role1-6AV1JQ2NPCMO
OIDC is already enabled:
eksctl utils associate-iam-oidc-provider --cluster=testcluster
2022-10-17 14:31:13 [ℹ] IAM Open ID Connect provider is already associated with cluster "testcluster" in "us-west-2"
However, I still see the error in the external-dns pod that it is unable to list the hosted zones:
7T21:24:03Z" level=error msg="records retrieval failed: failed to list hosted zones: AccessDenied: User: arn:aws:sts::442355839237:assumed-role/workers-eks-node-group-20221013233723853600000005/i-0a1b8a914bcff1436 is not authorized to perform: route53:ListHostedZones because no identity-based policy allows the route53:ListHostedZones action\n\tstatus code: 403, request id: a8f86d66-d7af-4bd0-975c-6f99d1134d50"
Strangely, it is also showing "User: arn:aws:sts::442355839237:assumed-role/workers-eks-node-group-20221013233723853600000005/i-0a1b8a914bcff1436", with workers-eks-node-group in the role name, instead of the role arn:aws:iam::442355839237:role/eksctl-testcluster-addon-iamserviceaccount-ad-Role1-6AV1JQ2NPCMO which maps the service account with Route53 permissions.
Any pointers on why it is failing?
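The observation above (the denied principal is the node group's instance role, not the IRSA role mapped to the service account) is the detail a defender should check first. The helper below is an added example, not external-dns or Bitnami chart code: it parses the AccessDenied text from the question's log line (embedded here as a constructed sample) and, given the expected IRSA role ARN and the pod's environment, tells "IRSA credentials never used" apart from "right identity, permission missing". The env var names AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are the ones the EKS pod identity webhook injects.

```python
import re

# Constructed sample: the AccessDenied text from the question's external-dns pod log.
LOG_LINE = (
    'level=error msg="records retrieval failed: failed to list hosted zones: AccessDenied: '
    'User: arn:aws:sts::442355839237:assumed-role/workers-eks-node-group-20221013233723853600000005/'
    'i-0a1b8a914bcff1436 is not authorized to perform: route53:ListHostedZones because no '
    'identity-based policy allows the route53:ListHostedZones action"'
)
# The IRSA role from the question's eksctl output.
IRSA_ROLE_ARN = "arn:aws:iam::442355839237:role/eksctl-testcluster-addon-iamserviceaccount-ad-Role1-6AV1JQ2NPCMO"

ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:sts::[^:]*:assumed-role/[^/\s]+/\S+) "
    r"is not authorized to perform: (?P<action>[\w-]+:\w+)"
)


def parse_access_denied(msg):
    """Extract the denied principal, its role name and the action from an STS AccessDenied message."""
    m = ACCESS_DENIED_RE.search(msg)
    if m is None:
        return None
    principal = m.group("principal")
    # assumed-role ARNs look like .../assumed-role/<role-name>/<session-name>
    role = principal.split("assumed-role/", 1)[1].split("/", 1)[0]
    return {"principal": principal, "role": role, "action": m.group("action")}


def diagnose(msg, expected_role_arn, pod_env):
    """Separate 'wrong identity' (IRSA credentials never used) from 'right identity, missing permission'.

    pod_env is the container's environment. The EKS pod identity webhook injects AWS_ROLE_ARN and
    AWS_WEB_IDENTITY_TOKEN_FILE when the annotated service account is in effect for the pod.
    """
    parsed = parse_access_denied(msg)
    if parsed is None:
        return "not-an-access-denied"
    if parsed["role"] != expected_role_arn.rsplit("/", 1)[1]:
        # The SDK fell through to the node instance profile; check the injected env vars first.
        missing = [k for k in ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE") if k not in pod_env]
        if missing:
            return "irsa-not-injected: missing " + ", ".join(missing)
        return "irsa-injected-but-node-role-used: compare AWS_ROLE_ARN with the expected role and its trust policy"
    return "permission-missing: %s not allowed for role %s" % (parsed["action"], parsed["role"])
```

When the result is "irsa-not-injected", the usual causes are a pod that predates the service account annotation (it needs a restart) or a pod spec that does not reference the annotated service account at all.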

I have fixed this.
ChangeResourceRecordSets needs to be specific with the ARNs of the hosted zones instead of "*":
https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy
data "aws_iam_policy_document" "external_dns" {
  count = var.create_role && var.attach_external_dns_policy ? 1 : 0

  statement {
    actions   = ["route53:ChangeResourceRecordSets"]
    resources = var.external_dns_hosted_zone_arns
  }

  statement {
    actions = [
      "route53:ListHostedZones",
      "route53:ListResourceRecordSets",
    ]
    resources = ["*"]
  }
}
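The policy in the linked tutorial scopes route53:ChangeResourceRecordSets to hosted zone ARNs while the read actions stay on "*". The check below is an added example, not code from external-dns or the chart: it loads a policy document (a constructed copy of the question's policy) and reports any required action that is missing or the write action being granted on something other than a hosted zone ARN. It compares exact action names only; wildcard actions such as route53:* are not expanded.

```python
import json

# Constructed copy of the policy posted in the question (write action on "*").
QUESTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["route53:ListHostedZones", "route53:ListResourceRecordSets"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"], "Resource": ["*"]}
  ]
}""")

READ_ACTIONS = ("route53:ListHostedZones", "route53:ListResourceRecordSets")
WRITE_ACTION = "route53:ChangeResourceRecordSets"
HOSTED_ZONE_ARN_PREFIX = "arn:aws:route53:::hostedzone/"


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def allowed_resources(policy):
    """Map each explicitly allowed action to the set of resources it is allowed on."""
    allowed = {}
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement.get("Action", [])):
            allowed.setdefault(action, set()).update(_as_list(statement.get("Resource", [])))
    return allowed


def check_external_dns_policy(policy):
    """Return findings: read actions missing, write action missing, or write action not scoped to hosted zones."""
    allowed = allowed_resources(policy)
    findings = ["missing " + action for action in READ_ACTIONS if action not in allowed]
    write_resources = allowed.get(WRITE_ACTION, set())
    if not write_resources:
        findings.append("missing " + WRITE_ACTION)
    for resource in sorted(write_resources):
        if not resource.startswith(HOSTED_ZONE_ARN_PREFIX):
            findings.append("%s allowed on %s; scope it to %s<ID>" % (WRITE_ACTION, resource, HOSTED_ZONE_ARN_PREFIX))
    return findings
```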

Related

Unable to connect to sts endpoint url

I have set up an EKS cluster and have configured the OIDC provider. I have then created the IAM role with the below trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account-id>:oidc-provider/oidc.eks.ap-south-1.amazonaws.com/id/55A76A4197643C67E88FD47738722195"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.ap-south-1.amazonaws.com/id/55A76A4197643C67E88FD47738722195:sub": "system:serviceaccount:default:aws-test",
          "oidc.eks.ap-south-1.amazonaws.com/id/55A76A4197643C67E88FD47738722195:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
When I use the service account in the pod and run aws s3 ls from within the pod, I am getting the below error:
Could not connect to the endpoint URL: "https://sts.ap-south-1.amazonaws.com/"
How do I troubleshoot this error?

EFS policy with Identifier other than * not working in EKS

I have an EFS policy statement attached as below:
policy_statements = [
  {
    sid = "${var.cluster_name}"
    actions = [
      "elasticfilesystem:ClientMount",
      "elasticfilesystem:ClientRootAccess",
      "elasticfilesystem:ClientWrite"
    ]
    principals = [
      {
        type        = "AWS"
        identifiers = ["arn:aws:iam::xxxx:role/efs-test-role"]
      }
    ]
  }
]
If I use "*" for the identifier it works.
I tried to create the role arn:aws:iam::xxxx:role/efs-test-role with OIDC federation:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxx:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/xxxx"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-west-2.amazonaws.com/id/xxxx:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
I created a ServiceAccount annotated with this role:
eks.amazonaws.com/role-arn: arn:aws:iam::xxxx:role/efs-test-role
When I created pods with an EFS volume mount using a Persistent Volume, I got this error:
Output: Could not start amazon-efs-mount-watchdog, unrecognized init system "aws-efs-csi-dri"
b'mount.nfs4: access denied by server while mounting 127.0.0.1:/'
I even tried to follow https://docs.amazonaws.cn/en_us/efs/latest/ug/manage-efs-utils-with-aws-sys-manager.html#configure-sys-mgr-iam-instance-profile to add AmazonElasticFileSystemsUtils to the EKS worker nodes' instance profiles, but it still threw the same error.
I am not sure what I am missing. Please advise.

Invoke API failed when trying to invoke AWS Lambda in Aurora Postgresql database

I created an AWS Lambda function that I want to call from an event trigger in my Aurora PostgreSQL database, but I'm having trouble even calling the Lambda function at all from within pgAdmin.
When I attempt to invoke the Lambda, I get this message:
ERROR: invoke API failed
DETAIL: AWS Lambda client returned 'User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/AuroraLambdaInvoker/dbc-role-mem-id-null is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2:xxxxxxxxxxxxx:function:aws_lambda_arn_1 because no identity-based policy allows the lambda:InvokeFunction action'.
SQL state: XX000
But I have an IAM role (that I named AuroraLambdaInvoker) that grants the lambda:InvokeFunction permission, attached to my database cluster. Here's the policy attached to that role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-west-2:xxxxxxxxxxx:function:TestLambda"
    }
  ]
}
I'm not sure what to do, since the error message specifically mentions the AuroraLambdaInvoker role I created but says "no identity-based policy allows the lambda:InvokeFunction action," which is literally the only permission I have attached to that role. Is there something simple here that I'm missing for some reason?
Can you add the below permissions to your Action and try?
lambda:InvokeFunction
lambda:InvokeFunctionConfiguration
lambda:GetFunctionConfiguration
Or you can also try with this:
"lambda:*"
Full policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "lambda:*"
      ],
      "Resource": [
        "arn:aws:lambda:us-west-2:xxxxxxxxxxx:function:TestLambda"
      ],
      "Effect": "Allow"
    }
  ]
}

AWS IAM createrole is denied despite giving the right permission to the user

I have given my user role the following custom permission:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "iam:CreateRole",
      "Resource": "*"
    }
  ]
}
And when this user deploys a CloudFormation stack which creates an IAM role, I get the following error message:
failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE):
["The following resource(s) failed to create: [SecretsManagerRDSPostgreSQLRotationSingleUserRole].
Rollback requested by user." "API: iam:CreateRole User: arn:aws:iam::account:user/username
is not authorized to perform:
iam:CreateRole on resource: arn:aws:iam::account:role/role_name
with an explicit deny in an identity-based policy"

AWS cross account Postgres RDS IAM authentication

I am trying to set up cross-account Postgres RDS IAM authentication. My use case is containerized Python code, executed by AWS Batch on top of the ECS engine, that connects to a Postgres RDS in another AWS account. I tried to follow the route (a single role in the account where the DB connection originates) that is described here, but the connection fails with:
2020-06-12 19:41:10,363 - root - ERROR - Error reading data from data DB: FATAL: PAM authentication failed for user "db_user"
I also found this one and tried to set up something similar (a role per respective account, but no EC2 instance as the connection source). Unfortunately it failed with the same error. Does anyone know any other AWS documentation that might match my use case?
I managed to sort it out with the help of AWS support folks. These are the actions that I had to take:
Add the following policy to the IAM role applied to the AWS Batch job (AWS account A):
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::ACCOUNT_B_ID:role/ecsTaskExecutionRole"
  }
}
With the following trust policy:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Add the following IAM role within the AWS account that is used for RDS hosting (AWS account B):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": [
        "arn:aws:rds-db:<region>:ACCOUNT_B_ID:dbuser:{rds-resource-id}/{batch-user}"
      ]
    }
  ]
}
With the following trust policy:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_A_ID:root",
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Update the code that is executed within the AWS Batch container:
import boto3

# Placeholders in the post's own style; fill in for your environment.
REGION = "<region>"
ENDPOINT = "<rds-endpoint>"
PORT = 5432          # Postgres default port (assumed)
USR = "<batch-user>"

# Assume the role in account B using the Batch task's own credentials (account A).
sts_client = boto3.client('sts')
assumed_role_object = sts_client.assume_role(
    RoleArn="arn:aws:iam::ACCOUNT_B_ID:role/ROLE_TO_BE_ASSUMED",
    RoleSessionName="AssumeRoleSession1"
)
credentials = assumed_role_object['Credentials']

# Build the RDS client from the temporary credentials of the assumed role, so the
# auth token is signed by the identity that holds rds-db:connect in account B.
client = boto3.client(
    'rds',
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken'],
    region_name=REGION
)
# client = boto3.client('rds')  # original single-account client, replaced by the one above
token = client.generate_db_auth_token(DBHostname=ENDPOINT, Port=PORT, DBUsername=USR, Region=REGION)