Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you may not be able to execute some actions.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Does the AWS Admin user have the eks:AccessKubernetesApi permission?

A
Amritpal last edited by

I am logged in to AWS as the AWS Admin, with Administrator access.

How do I find out if this user has the eks:AccessKubernetesApi IAM permission?
Reply Quote 0
1 Reply Last reply
G
guilherme last edited by
There are a few ways to perform the action you're looking for. I'll demonstrate how to accomplish this task from the command line and the console. Using the SDK's (e.g. boto3) are an option too.

From the command line you can use:
```
aws iam simulate-principal-policy --policy-source-arn  --action-names eks:AccessKubernetesApi --query 'EvaluationResults[].EvalDecision'
```
It will return the following if you have access :

[ "allowed" ]

From the console use the https://policysim.aws.amazon.com/
Pick the Role/User/Group that you wish to test:

Then choose the service:

And the action(s):

Click Run Simulation and the results will be published:

References
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/simulate-principal-policy.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
Reply Quote 0
1 Reply Last reply

2
Posts

0
Views

Suggested Topics

R

AWS: Fargate charging model
Continuous Integration and Delivery (CI, CD) • amazon web services amazon ecs • • Rossere

2

0
Votes

2
Posts

1
Views

Orchestration Timers Regardless of the internal implementation, there is most likely an orchestrator that starts and stops a timer based on particular signals or events within the Fargate service. Basically, the charges are from when the pull command are executed until an orchestration process issues or receives the termination command/signal for your process. Conceptually, think of it as similar to wrapping a shell script in time { :; }. Again conceptually, you might think of the way it charges as the following pseudocode: cpu_charges = $num_cpus * cpu_rate_per_second mem_charges = $mem_size * mem_rate_per_second charge_rate = cpu_charges + mem_charges elapsed_time = time () { docker pull foo_image docker run --cpus $num_cpus -m $mem_size -it --rm foo_image } bill_for elapsed_time * charge_rate I am not currently aware of any public documentation that exposes the real mechanics of how this is internally implemented by AWS, but this is likely accurate enough for most practical purposes.
K

AWS Cloudformation: Callback only for CREATE_COMPLETE or CREATE_FAILED of entire stack
Continuous Integration and Delivery (CI, CD) • amazon web services aws cloudformation • • Kadyn

2

0
Votes

2
Posts

1
Views

S

I believe, alternatively, you could use CloudTrail+CloudWatch rules, but then you will get CREATE_STACK events for all stacks Here is some information about that: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-api-logging-cloudtrail.html https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/EventTypes.html And, of course, there's the option to put a lambda which listens on the notification topic and filters the needed events before sending the email.
O

is it possible to connect an AWS autoscaling group with an application load balancer?
Continuous Integration and Delivery (CI, CD) • amazon web services • • obi

2

0
Votes

2
Posts

1
Views

R

Your CloudFormation template currently has the following resources: A Launch Configuration An Auto Scaling Group A Load Balancer Follow these steps in sequence to attach the auto scaling group to the load balancer: Add a listener resource to your CloudFormation template, as described here. Set its LoadBalancerArn property to the load balancer's ARN. Add a target group resource to your CloudFormation template, as described here. Add a "listener rule" resource to your CloudFormation template, as described here. Set its ListenerArn property to the listener's ARN. In its Actions property, add a forward action & provide the target group's ARN like this: Actions: - Type: forward TargetGroupArn: !Ref MyTargetGroup Add the target group's ARN to the TargetGroupARNs property of the auto scaling group, as described here. If you prefer to visualize a chain of CloudFormation resources linking the load balancer to the auto scaling group, it'll look like this: Here's a complete example: LB to ASG Example.
A

Docker Compose on AWS
Continuous Integration and Delivery (CI, CD) • amazon web services continuous integration deployment amazon ec2 amazon ecs • • Amritpal

2

0
Votes

2
Posts

0
Views

T

This question risks being flagged as "too broad", and invites opinion-based answers. With that caveat out of the way I'll try to answer in an unbiased way. In these cases, it's best to go back to first principles and architect the application from scratch using the relevant AWS services. If you're deploying an application that is really just a few services that can be composed, you're probably best off using Fargate. In any case, I would not suggest using EC2 instances In terms of how to go about doing that: Create the VPC if you need it define security groups that will define what traffic is allowed set up the ECR repositories for the images in the application stack convert the services in the docker compose file to ECS task definitions decide how you will manage persistent data? If part of the application is redis, you might consider using an ElasticCache component in the stack. decide how you want to expose the services (ENI? Load balancer?) There is also the issue of IAM policies that would need to be attached to various entities, in order to read / write to ECR, etc. I would write this all as one or two Terraform modules. One for the network configuration (VPC, subnets) and one for the application itself (ECS cluster, Capacity providers, load balancers, ECR repositories, etc). This is a purely personal choice though, and you could just as well create a CloudFormation stack. Continuous deployment could indeed be done with Github Actions, if that's where you are storing the code which describes the app.
Z

Restrict user logon in Jenkins
Continuous Integration and Delivery (CI, CD) • security jenkins • • zymir

2

0
Votes

2
Posts

1
Views

S

If you're running this code today via script console, you're probably running into a RejectedAccessException from the sandbox which is why you require admin access to run this coupled with and or needing administrator access to use the script console. If you put this code into a shared library, the code becomes trusted, and you no longer require administrator access to run the code and you no longer need script console. You just need a job that can call the shared library, if needed you can restrict access to the folder or job.
G

Jenkins: Permission issue using Docker as build environment
Continuous Integration and Delivery (CI, CD) • docker jenkins jenkins pipeline • • guilherme

2

0
Votes

2
Posts

1
Views

C

I had the same issue with node. The thing is files in the container are owned by "root:root". Try adding docker args -u root:root: docker { image 'node:8' args '-u root:root' }
C

Terraform fails to modify DNS settings a recently created VPC Peering connection because it is not yet active
Continuous Integration and Delivery (CI, CD) • amazon web services terraform • • chanisef

2

0
Votes

2
Posts

1
Views

Figured it out! The problem is that those DNS settings set in aws_vpc_peering_connection_options cannot be set until the peering connection is active (approved). It was only depending on aws_vpc_peering_connection existing, therefore was running at the same time or before aws_vpc_peering_connection_accepter. This was simply fixed in aws_vpc_peering_connection_options by getting the vpc_peering_connection_id from aws_vpc_peering_connection_accepter instead of aws_vpc_peering_connection, so that the terraform dependency tree would automatically have the dependency work in the correct order. Before: resource "aws_vpc_peering_connection_options" "sb_vpc_peering_options" { vpc_peering_connection_id = aws_vpc_peering_connection.sb_vpc_peering.id accepter { allow_remote_vpc_dns_resolution = var.accepter_dns_resolution } requester { allow_remote_vpc_dns_resolution = var.requester_dns_resolution } } After: resource "aws_vpc_peering_connection_options" "sb_vpc_peering_options" { vpc_peering_connection_id = aws_vpc_peering_connection_accepter.sb_vpc_peering_accepter.id accepter { allow_remote_vpc_dns_resolution = var.accepter_dns_resolution } requester { allow_remote_vpc_dns_resolution = var.requester_dns_resolution } }
J

DC Jenkins server to AWS servers connection
Continuous Integration and Delivery (CI, CD) • vpn jenkins amazon web services • • Jolied

2

0
Votes

2
Posts

1
Views

G

Depending on your use-case, you should look either: Establishing a persistent VPN connection to the AWS VPC using the Site-To-Site VPN as described here: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html Using an OpenVPN client via the build jobs using the client VPN service as described here https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html
S

What is the AWS user permission that allows attaching and detaching IAM Roles to instances?
Continuous Integration and Delivery (CI, CD) • amazon ec2 aws iam • • Saumya

2

0
Votes

2
Posts

1
Views

A

From Granting a User Permissions to Pass a Role to an AWS Service: To pass a role (and its permissions) to an AWS service, a user must have permissions to pass the role to the service. This helps administrators ensure that only approved users can configure a service with a role that grants permissions. To allow a user to pass a role to an AWS service, you must grant the PassRole permission to the user's IAM user, role, or group. When a user passes a role ARN as a parameter to any API that uses the role to assign permissions to the service, the service checks whether that user has the iam:PassRole permission. To limit the user to passing only approved roles, you can filter the iam:PassRole permission with the Resources element of the IAM policy statement. Is this what you're looking for? An example from the above-metioned page: Example 1 Imagine that you want to grant a user the ability to pass any of an approved set of roles to the Amazon EC2 service upon launching an instance. You need three elements: An IAM permissions policy attached to the role that determines what the role can do. Scope permissions to only the actions that the role needs to perform, and to only the resources that the role needs for those actions. You can use AWS managed or customer-created IAM permissions policy. { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "A list of the permissions the role is allowed to use" ], "Resource": [ "A list of the resources the role is allowed to access" ] } } A trust policy for the role that allows the service to assume the role. For example, you could attach the following trust policy to the role with the UpdateAssumeRolePolicy action. This trust policy allows Amazon EC2 to use the role and the permissions attached to the role. { "Version": "2012-10-17", "Statement": { "Sid": "TrustPolicyStatementThatAllowsEC2ServiceToAssumeTheAttachedRole", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } } An IAM permissions policy attached to the IAM user that allows the user to pass only those policies that are approved. iam:PassRole usually is accompanied by iam:GetRole so that the user can get the details of the role to be passed. In this example, the user can pass only roles that exist in the specified account with names that begin with EC2-roles-for-XYZ-: { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "iam:GetRole", "iam:PassRole" ], "Resource": "arn:aws:iam::<account-id>:role/EC2-roles-for-XYZ-*" }] } Now the user can start an Amazon EC2 instance with an assigned role. Applications running on the instance can access temporary credentials for the role through the instance profile metadata. The permission policies attached to the role determine what the instance can do. The procedure(s) to attach a policy to a user/role (inlining it might work as well) are described in Attaching and Detaching IAM Policies: To attach a managed policy (console) Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. In the navigation pane, choose Policies. In the list of policies, select the check box next to the name of the policy to attach. You can use the Filter menu and the search box to filter the list of policies. Choose Policy actions, and then choose Attach. Select one or more identities to attach the policy to. You can use the Filter menu and the search box to filter the list of principal entities. After selecting the identities, choose Attach policy. ... To embed an inline policy for a user or role (console) Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/. In the navigation pane, choose Users or Roles. In the list, choose the name of the user or role to embed a policy in. Choose the Permissions tab. Scroll to the bottom of the page and choose Add inline policy. Note You cannot embed an inline policy in a service-linked role in IAM. Because the linked service defines whether you can modify the permissions of the role, you might be able to add additional policies from the service console, API, or AWS CLI. To view the service-linked role documentation for a service, see AWS Services That Work with IAM and choose Yes in the Service-Linked Role column for your service. Choose from the following methods to view the steps required to create your policy: Import an Existing Managed Policy – You can import a managed policy within your account and then edit the policy to customize it to your specific requirements. A managed policy can be an AWS managed policy or a customer managed policy that you created previously. Create a Policy with the Visual Editor – You can construct a new policy from scratch in the visual editor. If you use the visual editor, you do not have to understand JSON syntax. Create a Policy on the JSON Tab – In the JSON tab, you can use JSON syntax to create a policy. You can type a new JSON policy document or paste an example policy. After you create an inline policy, it is automatically embedded in your user or role.
F

Communication between VPCs and a transit VPC hosting VPN Server without Masking source IP
Continuous Integration and Delivery (CI, CD) • vpn amazon web services aws vpc • • fbio

2

0
Votes

2
Posts

1
Views

S

VPC peering does not support transit traffic. Unsupported VPC Peering Configurations described several scenarious that are not supported. This case is not specifically mentioned, but is implicit from the other limitations. Note also that it is impossible to fully configure the setup you are attempting, because when you route a given destination towards a remote VPC via a peering connection, there is no route table in the target VPC that is applicable to that traffic. Only the instance subnets are available. Route tables apply only to subnets, and the default route table only applies to subnets without an explicitly assigned route table -- not to incoming traffic from a peering connection. There is no way to route this traffic back to your instance. This is why Hardware VPN, Direct Connect, and NAT devices are not available across peering, A Transit VPC is not what you have described. These use AWS VPC Hardware VPN connections on the spokes and an EC2-based router at the hub to terminate the tunnels... and the transit routing between the tunnels is done within the instance -- not by the VPC network infrastructure.
K

Ansible dynamic inventory using AWS plugin -- how to obtain internal DNS records or private IP?
Continuous Integration and Delivery (CI, CD) • ansible amazon web services amazon ec2 configuration management ansible inventory • • Kadir

2

0
Votes

2
Posts

1
Views

The hostnames parameter controls what the plugin uses as the host name. It accepts a list of attributes, and will use the first one that the instance has defined: hostnames: - private-dns-name - private-ip-address You can also set the ansible_host variable using compose. This changes the connection target without modifying the inventory hostname: compose: # Note the underscores; this functionality uses the Ansible variable names instead of the raw AWS attributes. ansible_host: private_ip_address
A

AWS subnets for lambda synchronous invocations
Continuous Integration and Delivery (CI, CD) • aws lambda • • Anderson

2

0
Votes

2
Posts

1
Views

T

I don't entirely understand your use-case, but it sounds like you are trying to limit the number of Lambda invocations by restricting its IP range. There are two better ways to rate limit your application. Option one would be to use API Gateway request throttling: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-request-throttling.html Option two, Lambdas have a concurrency limit that can be set to achieve a similar behaviour to your approach: https://aws.amazon.com/about-aws/whats-new/2017/11/set-concurrency-limits-on-individual-aws-lambda-functions Hope that helps with your design!
C

AWS-CLI. S3
Software Programming • linux ubuntu amazon web services amazon s3 synchronization • • charlenef

2

0
Votes

2
Posts

0
Views

J

The answer was very simple and related to my neglect. Here. S3 There was one with a simple name among the files. . (one point). Ubuntu doesn't like that name, so it's a fight.
Y

Predictive autoscaling on K8s
Continuous Integration and Delivery (CI, CD) • kubernetes amazon web services gcp • • yajahira

2

0
Votes

2
Posts

1
Views

S

These are presumably proprietary tools for EC2 and GCE respectively. The need for predictive VM autoscaling is pretty strong for Virtual Machines since provisioning time can be measured in the 10's of minutes depending on the configuration. Conversely, application spin-up time in Kubernetes is typically measured in seconds. Predictive scaling for the Kubernetes HPA might have limited practical benefit. Now using cloud provider predictive autoscaling to scale out the VMs running a Kubernetes cluster based upon ML could be pretty interesting.
M

How to programmatically enable and disable SQS triggering AWS Lambda?
Continuous Integration and Delivery (CI, CD) • amazon web services aws lambda aws iam serverless amazon sqs • • meriah

2

0
Votes

2
Posts

1
Views

P

Call Lambda's UpdateEventSourceMapping API with the {"Enabled":true/false} request body. If, for some reason, you want your own API for this, you can create one in API Gateway as described below. Before you begin, you need the UUID of the event source mapping you wish to enable/disable. Use the AWS CLI to get this (it isn’t shown on the UI): aws lambda list-event-source-mappings --function-name my-func { "EventSourceMappings": [ { "UUID": "b962dcee-173c-47r1-9600-5c6d81catf85", "BatchSize": 1, "EventSourceArn": "arn:aws:sqs:us-east-1:123456789012:my-queue", "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:my-func", "LastModified": 1595058588.141, "State": "Enabled", "StateTransitionReason": "USER_INITIATED" } ] } Next, either create a new API in API Gateway or add a resource & a GET method to your existing API. Configure it as shown below. The UUID you got above is highlighted below: The execution role shown above must allow API Gateway to invoke Lambda APIs. Scroll further down & provide this mapping template: Content-Type: application/json { "Enabled" : $input.params("Enabled") } Save & deploy to a stage. Now you can hit this API with the query param Enabled=true / Enabled=false to enable/disable your Lambda's SQS trigger. Here's a test done from the API Gateway console: For a detailed screenshot-guided walkthrough of this entire process, see my blog post.

Does the AWS Admin user have the eks:AccessKubernetesApi permission?

Suggested Topics

AWS: Fargate charging model Continuous Integration and Delivery (CI, CD) • amazon web services amazon ecs • • Rossere

AWS Cloudformation: Callback only for CREATE_COMPLETE or CREATE_FAILED of entire stack Continuous Integration and Delivery (CI, CD) • amazon web services aws cloudformation • • Kadyn

is it possible to connect an AWS autoscaling group with an application load balancer? Continuous Integration and Delivery (CI, CD) • amazon web services • • obi

Docker Compose on AWS Continuous Integration and Delivery (CI, CD) • amazon web services continuous integration deployment amazon ec2 amazon ecs • • Amritpal

Restrict user logon in Jenkins Continuous Integration and Delivery (CI, CD) • security jenkins • • zymir

Jenkins: Permission issue using Docker as build environment Continuous Integration and Delivery (CI, CD) • docker jenkins jenkins pipeline • • guilherme

Terraform fails to modify DNS settings a recently created VPC Peering connection because it is not yet active Continuous Integration and Delivery (CI, CD) • amazon web services terraform • • chanisef

DC Jenkins server to AWS servers connection Continuous Integration and Delivery (CI, CD) • vpn jenkins amazon web services • • Jolied

What is the AWS user permission that allows attaching and detaching IAM Roles to instances? Continuous Integration and Delivery (CI, CD) • amazon ec2 aws iam • • Saumya

Communication between VPCs and a transit VPC hosting VPN Server without Masking source IP Continuous Integration and Delivery (CI, CD) • vpn amazon web services aws vpc • • fbio

Ansible dynamic inventory using AWS plugin -- how to obtain internal DNS records or private IP? Continuous Integration and Delivery (CI, CD) • ansible amazon web services amazon ec2 configuration management ansible inventory • • Kadir

AWS subnets for lambda synchronous invocations Continuous Integration and Delivery (CI, CD) • aws lambda • • Anderson

AWS-CLI. S3 Software Programming • linux ubuntu amazon web services amazon s3 synchronization • • charlenef

Predictive autoscaling on K8s Continuous Integration and Delivery (CI, CD) • kubernetes amazon web services gcp • • yajahira

How to programmatically enable and disable SQS triggering AWS Lambda? Continuous Integration and Delivery (CI, CD) • amazon web services aws lambda aws iam serverless amazon sqs • • meriah

AWS: Fargate charging model
Continuous Integration and Delivery (CI, CD) • amazon web services amazon ecs • • Rossere

AWS Cloudformation: Callback only for CREATE_COMPLETE or CREATE_FAILED of entire stack
Continuous Integration and Delivery (CI, CD) • amazon web services aws cloudformation • • Kadyn

is it possible to connect an AWS autoscaling group with an application load balancer?
Continuous Integration and Delivery (CI, CD) • amazon web services • • obi

Docker Compose on AWS
Continuous Integration and Delivery (CI, CD) • amazon web services continuous integration deployment amazon ec2 amazon ecs • • Amritpal

Restrict user logon in Jenkins
Continuous Integration and Delivery (CI, CD) • security jenkins • • zymir

Jenkins: Permission issue using Docker as build environment
Continuous Integration and Delivery (CI, CD) • docker jenkins jenkins pipeline • • guilherme

Terraform fails to modify DNS settings a recently created VPC Peering connection because it is not yet active
Continuous Integration and Delivery (CI, CD) • amazon web services terraform • • chanisef

DC Jenkins server to AWS servers connection
Continuous Integration and Delivery (CI, CD) • vpn jenkins amazon web services • • Jolied

What is the AWS user permission that allows attaching and detaching IAM Roles to instances?
Continuous Integration and Delivery (CI, CD) • amazon ec2 aws iam • • Saumya

Communication between VPCs and a transit VPC hosting VPN Server without Masking source IP
Continuous Integration and Delivery (CI, CD) • vpn amazon web services aws vpc • • fbio

Ansible dynamic inventory using AWS plugin -- how to obtain internal DNS records or private IP?
Continuous Integration and Delivery (CI, CD) • ansible amazon web services amazon ec2 configuration management ansible inventory • • Kadir

AWS subnets for lambda synchronous invocations
Continuous Integration and Delivery (CI, CD) • aws lambda • • Anderson

AWS-CLI. S3
Software Programming • linux ubuntu amazon web services amazon s3 synchronization • • charlenef

Predictive autoscaling on K8s
Continuous Integration and Delivery (CI, CD) • kubernetes amazon web services gcp • • yajahira

How to programmatically enable and disable SQS triggering AWS Lambda?
Continuous Integration and Delivery (CI, CD) • amazon web services aws lambda aws iam serverless amazon sqs • • meriah