Colleagues, help me out: I can't get the CI user to work in EKS
I'm following the workshop
https://www.eksworkshop.com/beginner/091_iam-groups/intro/ - created a role/group/user in IAM. Created a Role/RoleBinding in Kubernetes and updated the aws-auth ConfigMap.
In the kubeconfig file I added to the aws-iam-authenticator section:
- "r"
- "arn:aws:iam::<reducted>:role/k8sCiRole"
env:
- name: AWS_PROFILE
  value: "ci"
I added the ci profile to ~/.aws/config | ~/.aws/credentials.
If I run it locally
KUBECONFIG=config helm -n namespace list
, then everything works
If I run it in a container (I export the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY variables there), I get
I0406 08:21:43.718035 3118 loader.go:379] Config loaded from file: config
I0406 08:21:43.718460 3118 loader.go:379] Config loaded from file: config
I0406 08:21:43.720935 3118 round_trippers.go:425] curl -k -v -XGET -H "Accept: application/json, */*" -H "User-Agent: helm/v0.0.0 (linux/amd64) kubernetes/$Format" 'https://<reducted>.eks.amazonaws.com/version?timeout=32s'
I0406 08:21:43.985227 3118 round_trippers.go:445] GET https://<reducted>.eks.amazonaws.com/version?timeout=32s 401 Unauthorized in 264 milliseconds
I0406 08:21:43.985849 3118 round_trippers.go:451] Response Headers:
I0406 08:21:43.986606 3118 round_trippers.go:454] Cache-Control: no-cache, private
I0406 08:21:43.987170 3118 round_trippers.go:454] Content-Type: application/json
I0406 08:21:43.987712 3118 round_trippers.go:454] Content-Length: 129
I0406 08:21:43.988168 3118 round_trippers.go:454] Date: Tue, 06 Apr 2021 08:21:44 GMT
I0406 08:21:43.988733 3118 request.go:1107] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
Error: Kubernetes cluster unreachable: the server has asked for the client to provide credentials