I tried to run the command `kubectl get svc` and I get this error:

```
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::0123456789:user/temp is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::0123456789:user/temp
```
The following JSON is the IAM policy of user temp:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "eks:DescribeCluster",
      "Resource": "arn:aws:eks:ap-southeast-1:0123456789:cluster/cluster1"
    }
  ]
}
```
This could happen if your `.kube/config` looks like:

```yaml
- name: arn:aws:eks:us-west-2:111122223333:cluster/integ
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
        - --region
        - us-west-2
        - eks
        - get-token
        - --cluster-name
        - integ
        - --role
        - arn:aws:iam::111122223333:user/temp
      command: aws
```
The key part here is the `--role ...user/temp` part, which tells the `aws eks get-token` command to first assume the role before it tries to get the token.
So if your AWS client / setup has already assumed the role in question, it will then try to assume the role again when trying to get the EKS login token. So unless you've added permission for the role to assume itself (which would be silly, but helps work around this particular issue), you will see the error.
The fix is to either not assume the role first in your client, or to take the `--role .../temp` out of your `.kube/config`.
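As an added illustration of the diagnosis described in this answer (example code, not part of the original question or answer), the following script inspects a kubeconfig `users` entry, pulls out the role ARN handed to `aws eks get-token`, and compares it with the identity the AWS client is already using, so that the "client already is the principal it is asked to assume" situation is flagged before `kubectl` ever calls STS. The kubeconfig entry and the caller ARN are constructed inline to mirror the values in the question; in practice you would `yaml.safe_load` your own `~/.kube/config` and take the ARN from `aws sts get-caller-identity`. It recognises both the `--role` spelling used in the answer and the `--role-arn` spelling of current AWS CLI releases, and it also treats an `assumed-role` session ARN as matching the role it came from, which goes slightly beyond the user/user case shown above.

```python
import copy

# Constructed kubeconfig "users" entry mirroring the shape shown in the answer.
# In a real run: yaml.safe_load(open("~/.kube/config"))["users"][i]
USER_ENTRY = {
    "name": "arn:aws:eks:ap-southeast-1:0123456789:cluster/cluster1",
    "user": {
        "exec": {
            "apiVersion": "client.authentication.k8s.io/v1alpha1",
            "command": "aws",
            "args": [
                "--region", "ap-southeast-1",
                "eks", "get-token",
                "--cluster-name", "cluster1",
                "--role", "arn:aws:iam::0123456789:user/temp",
            ],
        }
    },
}

# Constructed: what `aws sts get-caller-identity` reports for a client that is
# already running as the 'temp' principal from the question.
CALLER_ARN = "arn:aws:iam::0123456789:user/temp"

# Flag spelled as in the answer, plus the spelling current AWS CLI versions use.
ROLE_FLAGS = ("--role", "--role-arn")


def exec_role(user_entry):
    """Return the ARN passed to `aws eks get-token` via a role flag, or None."""
    args = user_entry.get("user", {}).get("exec", {}).get("args", [])
    for i, arg in enumerate(args):
        if arg in ROLE_FLAGS and i + 1 < len(args):
            return args[i + 1]
        for flag in ROLE_FLAGS:
            if arg.startswith(flag + "="):
                return arg.split("=", 1)[1]
    return None


def principal_key(arn):
    """Reduce an IAM/STS ARN to (account, type, name) so that a role ARN and
    the assumed-role session ARN STS reports for it compare equal."""
    parts = arn.split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"not an ARN: {arn}")
    account, resource = parts[4], parts[5]
    rtype, _, name = resource.partition("/")
    if rtype == "assumed-role":  # arn:aws:sts::acct:assumed-role/Name/session
        return (account, "role", name.split("/", 1)[0])
    return (account, rtype, name)  # user/Name or role/Name


def diagnose(user_entry, caller_arn):
    """'no-role': get-token will not call AssumeRole at all.
    'self-assume': the client already is the principal named by the role flag,
    so get-token would ask STS to assume that principal again (the error above).
    'ok': the client is a different principal, so AssumeRole may succeed."""
    role = exec_role(user_entry)
    if role is None:
        return "no-role"
    if principal_key(role) == principal_key(caller_arn):
        return "self-assume"
    return "ok"


def without_role(user_entry):
    """Copy of the entry with the role flag and its value removed: the second
    fix the answer suggests."""
    fixed = copy.deepcopy(user_entry)
    cleaned, skip = [], False
    for arg in fixed["user"]["exec"]["args"]:
        if skip:
            skip = False
            continue
        if arg in ROLE_FLAGS:
            skip = True
            continue
        if any(arg.startswith(f + "=") for f in ROLE_FLAGS):
            continue
        cleaned.append(arg)
    fixed["user"]["exec"]["args"] = cleaned
    return fixed


if __name__ == "__main__":
    print(diagnose(USER_ENTRY, CALLER_ARN))                # self-assume
    print(diagnose(without_role(USER_ENTRY), CALLER_ARN))  # no-role
    # A client running as a different principal is fine:
    print(diagnose(USER_ENTRY, "arn:aws:iam::0123456789:user/other"))  # ok
```

The other fix from the answer, not assuming the role in the client first, corresponds to changing `CALLER_ARN` back to the base identity; the same `diagnose` call then returns `ok` without touching the kubeconfig.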