Unable to find zones with cross-account role using kube2iam #475
Same issue on my side. @ryan-dyer-sp did you solve the problem? My scenario:
@mariomerco No luck on figuring anything out either. Would love for someone working on this project to chime in. If you figure anything out, please reach out, as I am at a loss.
@ryan-dyer-sp I solved the problem!
@mariomerco Sorry, but that doesn't sound like my issue. My nodes (in account A) have an assume-role permission. In account B, I have my role for Route53 manipulation and have added a trust to the role in account A. In my external-dns config I have an annotation for the role in account B. Within the external-dns container I can successfully run the commands to view the Route53 zones via aws-cli, but the application itself can't seem to obtain a valid credential. If this does sound the same, then I'm not sure what I'm missing from what you said.
Hi, just a follow-up from our side. We're currently working on a solution.
Our environment is such that we have multiple AWS accounts with a kube cluster in each account. Each account/cluster has an associated hosted zone; however, these zones exist in a separate single account, i.e. the zones for accounts 1-3 exist in account 4.
I have been attempting to use external-dns and kube2iam to solve this problem. I am able to successfully install and configure kube2iam on my cluster such that when I kubectl exec into the external-dns pod, I can run aws route53 list-hosted-zones (after installing aws-cli) and retrieve the hosted zones from the DNS mgmt account without any configuration. Curling meta-data/iam/security-credentials/ properly shows the cross-account role. However, when external-dns starts it gets the following:
Please let me know what additional info I can provide to help troubleshoot.
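As an added example (not code from the issue or from the external-dns project), the three pieces the cross-account setup described above needs, with placeholder account IDs and role names and the kube2iam annotation given in its full-ARN form:

```yaml
# Added example, not from the issue or the external-dns project.
# Account IDs 111111111111 (A: cluster/nodes) and 222222222222 (B: hosted zones)
# and the role names are placeholders.

# 1. Account A: policy attached to the node instance role, so kube2iam on the
#    node may assume the Route53 role that lives in account B.
NodeRoleAssumePolicy:
  Version: "2012-10-17"
  Statement:
    - Effect: Allow
      Action: sts:AssumeRole
      Resource: arn:aws:iam::222222222222:role/external-dns-route53

# 2. Account B: trust policy on external-dns-route53, naming the node role
#    from account A as the only principal allowed to assume it.
Route53RoleTrustPolicy:
  Version: "2012-10-17"
  Statement:
    - Effect: Allow
      Principal:
        AWS: arn:aws:iam::111111111111:role/k8s-node-role
      Action: sts:AssumeRole

# 3. Account A cluster: the external-dns pod asks kube2iam for the account B
#    role by full ARN (a bare role name would be resolved against account A).
#    If kube2iam runs with --namespace-restrictions, the namespace also needs
#    the iam.amazonaws.com/allowed-roles annotation listing this ARN.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
spec:
  selector:
    matchLabels: {app: external-dns}
  template:
    metadata:
      labels: {app: external-dns}
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::222222222222:role/external-dns-route53
    spec:
      containers:
        - name: external-dns
          image: registry.k8s.io/external-dns/external-dns:v0.14.0  # placeholder tag
          args:
            - --provider=aws
            - --source=service
            - --source=ingress
            - --domain-filter=example.com
```

With this in place, `aws sts get-caller-identity` run inside the external-dns pod should report the account B role ARN; if it reports the account A node role instead, kube2iam is not intercepting the pod's metadata requests and the trust chain is never exercised.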