Assuming roles from cronjobs?

Hello, community! :slight_smile:

We have a cronjob running on Qovery. This cronjob assumes a role using the AWS SDK, to apply the least access privilege. However, when trying to assume the role, we are facing the following error:

AccessDenied: User: arn:aws:sts::[ACCOUNT_ID]:assumed-role/qovery-eks-workers-[CLUSTER]/i-[ID] is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::[ACCOUNT_ID]:role/[ROLE_NAME]

Debugging it with AWS support, we found that we are missing a policy on the Qovery workers role (qovery-eks-workers-[CLUSTER]):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Resource": "*"
        }
    ]
}

Is there a way to customize the policies when creating the cluster? We’d like to Terraform this policy change to ease the deployment of new clusters, but it doesn’t seem doable as of today, or is it?

Thanks for the help! :slight_smile:

Hello @jpetitcolas,

Digging into it, here’s what we have by default on our end (engine/lib/aws/bootstrap/eks-workers-iam.tf at main · Qovery/engine · GitHub)

resource "aws_iam_role" "eks_workers" {
  name = "qovery-eks-workers-${var.kubernetes_cluster_id}"

  tags = local.tags_eks

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}

Do you require more than that? If so, would an advanced setting work eventually, as we try not to spread permissions too widely?

Cheers
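The snippet above is the workers role's trust policy (who may assume the workers role); the error in the question is about the permission side (what the workers role may call). Both halves of an AssumeRole are shown below as an added example that is not Qovery's code: a permission policy scoped to one target role instead of "Resource": "*", plus the matching trust policy on that target role. The variable names and the target role resource are assumptions.

```hcl
# Added example (not from the Qovery engine repository). Assumes the workers
# role "qovery-eks-workers-<cluster id>" already exists, as in the thread.
variable "kubernetes_cluster_id" { type = string }
variable "target_role_name" { type = string } # the [ROLE_NAME] the cronjob assumes

data "aws_caller_identity" "current" {}

locals {
  account_id       = data.aws_caller_identity.current.account_id
  workers_role     = "qovery-eks-workers-${var.kubernetes_cluster_id}"
  workers_role_arn = "arn:aws:iam::${local.account_id}:role/${local.workers_role}"
  target_role_arn  = "arn:aws:iam::${local.account_id}:role/${var.target_role_name}"
}

# Permission policy on the workers role. Resource is one ARN, not "*":
# with "*" every pod on the node could assume any role that trusts the workers.
data "aws_iam_policy_document" "workers_assume_target" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = [local.target_role_arn]
  }
}

resource "aws_iam_role_policy" "workers_assume_target" {
  name   = "assume-${var.target_role_name}"
  role   = local.workers_role # aws_iam_role_policy.role takes the role name
  policy = data.aws_iam_policy_document.workers_assume_target.json
}

# Trust policy on the target role: the other half of the handshake. Without it,
# AssumeRole still fails even though the workers role now has the permission.
data "aws_iam_policy_document" "target_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [local.workers_role_arn]
    }
  }
}

resource "aws_iam_role" "target" {
  name               = var.target_role_name
  assume_role_policy = data.aws_iam_policy_document.target_trust.json
}
```

Note that the permission policy is evaluated against the workers role as a whole, so any workload on the node (not just the cronjob) can assume the target role; that is the trade-off the question's "Resource": "*" policy makes broader.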
