If you're trying to deploy Kubernetes on AWS EKS and encountering authentication errors like these:
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=secrets", GroupVersionKind: "/v1, Kind=Secret"
Name: "YOUR_SECRET_NAME", Namespace: "YOUR_NAMESPACE_NAME"
from server for: "STDIN": secrets "YOUR_SECRET_NAME" is forbidden: User "arn:aws:iam::***:user/YOUR_IAM_AWS_USERNAME" cannot get resource "secrets" in API group "" in the namespace "YOUR_NAMESPACE_NAME"
or
error: error validating "deployment.yaml": error validating data: failed to download openapi: the server has asked for the client to provide credentials; if you choose to ignore these errors, turn validation off with --validate=false
You need to configure the policies correctly. To do this, go to the AWS Console and search for IAM. Select the user you are using to deploy, then go to Add permission » Create inline policy. On the next page, click on JSON, delete everything, and paste the policy below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"eks:DescribeCluster",
"eks:ListClusters",
"eks:DescribeNodegroup",
"eks:DescribeFargateProfile",
"ec2:DescribeSubnets",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups"
],
"Resource": "*"
}
]
}
The first block allows ECR access (pulling and pushing images), the second grants access to Secrets Manager, and the last one covers the EKS and EC2 describe calls needed to look up the cluster. If you don't need some of them, feel free to remove them.
Click Next, give the policy a name, e.g., GitHubActionsDeploy, and then click Save changes.
That's it! With this policy, you will grant only the necessary permissions to deploy a pod on EKS.
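The Forbidden message at the top of the post is emitted by the Kubernetes API server, not by AWS IAM: the IAM policy above lets the user call AWS APIs (ECR, Secrets Manager, eks:DescribeCluster), but what the user may do inside the cluster is decided by Kubernetes RBAC, and the IAM principal only reaches RBAC once it is mapped in the aws-auth ConfigMap in kube-system. The following script is an added example, not part of the original post or any AWS tooling. It parses the exact fields out of a "is forbidden" error (sample input constructed with placeholder values), audits an IAM policy document for wildcard resources and checks that its eks: actions are read-only, and then renders the three objects that actually resolve the error: a mapUsers entry for aws-auth plus a namespaced Role and RoleBinding limited to the resource and verbs named in the message. The group name eks-deployers, the username github-deployer and the account id are assumptions, not values from the post.

```python
import json
import re
from collections import defaultdict

# Constructed sample: the article's "Forbidden" error with placeholder values.
SAMPLE_ERROR = (
    'from server for: "STDIN": secrets "app-secret" is forbidden: '
    'User "arn:aws:iam::123456789012:user/github-deployer" cannot get '
    'resource "secrets" in API group "" in the namespace "staging"'
)

# Constructed copy of two statements from the article's IAM policy.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["eks:DescribeCluster", "eks:ListClusters"], "Resource": "*"},
    ],
}

# Shape of the kube-apiserver RBAC denial: principal, verb, resource, API group, namespace.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"'
)


def parse_forbidden(message):
    """Return the fields of a kubectl 'is forbidden' error, or {} if it does not match."""
    m = FORBIDDEN_RE.search(message)
    return m.groupdict() if m else {}


def audit_iam_policy(policy):
    """Group the policy's actions by AWS service, list statements that use Resource "*",
    and report whether every eks: action is a Describe/List (read-only) call.
    None of these actions are Kubernetes verbs; IAM never grants in-cluster access."""
    services = defaultdict(set)
    wildcard = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            services[action.split(":", 1)[0]].add(action)
        if stmt.get("Resource") in ("*", ["*"]):
            wildcard.append(i)
    eks_actions = sorted(services.get("eks", ()))
    read_only = bool(eks_actions) and all(
        a.split(":", 1)[1].startswith(("Describe", "List")) for a in eks_actions
    )
    return {
        "services": {k: sorted(v) for k, v in services.items()},
        "wildcard_statements": wildcard,
        "eks_read_only": read_only,
    }


def aws_auth_map_users(user_arn, username, group):
    """One mapUsers entry for the kube-system/aws-auth ConfigMap: maps the IAM user
    to a Kubernetes username and group (the group is what RBAC binds to)."""
    return [{"userarn": user_arn, "username": username, "groups": [group]}]


def least_privilege_rbac(parsed, group, extra_verbs=()):
    """Build a Role limited to the denied resource/verbs in the denied namespace,
    and a RoleBinding from that Role to the aws-auth group."""
    name = f"deployer-{parsed['resource']}"
    ns = parsed["namespace"]
    verbs = sorted({parsed["verb"], *extra_verbs})
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": ns},
        "rules": [{"apiGroups": [parsed["group"]], "resources": [parsed["resource"]], "verbs": verbs}],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": ns},
        "subjects": [{"kind": "Group", "name": group, "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "Role", "name": name, "apiGroup": "rbac.authorization.k8s.io"},
    }
    return role, binding


if __name__ == "__main__":
    parsed = parse_forbidden(SAMPLE_ERROR)
    print("IAM audit:", json.dumps(audit_iam_policy(SAMPLE_POLICY)))
    print("aws-auth mapUsers:", json.dumps(aws_auth_map_users(parsed["user"], "github-deployer", "eks-deployers")))
    # kubectl apply does a GET followed by CREATE or PATCH, so grant those three verbs only.
    for obj in least_privilege_rbac(parsed, "eks-deployers", extra_verbs=("create", "patch")):
        print(json.dumps(obj))
```

The objects are printed as JSON because JSON is valid YAML: the Role and RoleBinding can be fed straight to kubectl apply -f, and the mapUsers list serialises into the mapUsers string of aws-auth. Binding to a Group rather than system:masters keeps the GitHub Actions user limited to secrets in one namespace, which is all the original error asked for.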
Top comments (3)
I am not sure I understand the solution here.
How does allowing access to AWS Secrets Manager secret in IAM permission resolve the 1st error you showed? That error message refers to the Kubernetes secret which is different than AWS Secrets Manager secret.
Further, the EKS policies shown in your example are all List or Describe (i.e. read only). How do they allow one to deploy a pod on EKS?
Shouldn't the solution to errors shown include something to do with Kubernetes roles and permissions?
I encountered this problem when deploying on EKS with Secret Manager secrets using GitHub Actions. I tried many solutions, but nothing seemed to work.
I'm not an expert, but I tested several policies, and the only ones that helped were these.
Yes, I had to add mapUsers in
kubectl edit -n kube-system configmap/aws-auth.
There you go, this is the main missing piece that makes sense of the problem and the title of your post. I suggest adding it to your main article. Thanks for sharing, cheers!