CDK eks cluster service account

[marcindruzgala]

Hello,

I have following situation:

• eks cluster created outside of my CDK deployment
• my own CDK deployment where I get the already existing eks cluster and try to add service accounts to it

var openIdConnectProvider = OpenIdConnectProvider.FromOpenIdConnectProviderArn(this, "oidc-provider-eks", "oidcArn");

var cluster = Cluster.FromClusterAttributes(this, "eks-cluster", new ClusterAttributes
{
    ClusterName = "name",
    Vpc = clusterVpc, // resolved before
    OpenIdConnectProvider = openIdConnectProvider,
    KubectlRoleArn = "arn:aws:iam::xxxx:role/cdk-hnb659fds-cfn-exec-role-xxxxx-eu-west-1",
});

Where arn:aws:iam::xxxx:role/cdk-hnb659fds-cfn-exec-role-xxxxx-eu-west-1 is a arn of a role cdk created when I bootstrapped cdk on this account.

I even manually created iam identity mappings so that this role has system:masters permission in the aws config map following these docs: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html.

This is the error I'm getting:

9:28:07 PM | CREATE_FAILED        | Custom::AWSCDK-EKS-KubernetesResource | eksclusterservicea...ntResource2733A556
Received response status [FAILED] from custom resource. 
Message returned: Error: b'\nAn error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::xxxx:assumed-role/eks-cluster-stack-eksclus-HandlerServiceRoleFCDC14-CVQIS4K8PL3C/eks-cluster-stack-eksclusterstacke-Handler886CB40B-BXJQBA2mYW6b is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxx:role/cdk-hnb659fds-cfn-exec-role-xxxx-eu-west-1\n
Unable to connect to the server: getting credentials: exec: executable aws failed with exit code 255\n'

If I try to change the KubectlRoleArn to the role that was created when eks cluster was created the error is very similar but instead it is unable to assume that role instead of the cdk's one.

Any ideas how to proceed with this one?

[pahud]

I believe you should not use arn:aws:iam::xxxx:role/cdk-hnb* as the KubectlRoleArn. Instead, you should use the role when the cluster was created with system:masters in the cluster config map. Under the covers, the kubectl provider as a lambda function will assume this role to execute kubectl against the cluster and you need to make sure your deploying account/role is allowed to assume that role.