External-dns: Cross account access on AWS

Created on 19 Jul 2019 · 2 Comments · Source: kubernetes-sigs/external-dns

I want to access the hosted zone in another account on AWS.

The account that manages the hosted zone is A (111111111111), and the account that EKS is running is B (222222222222).

As a result, the external-dns Pod outputs the following log and goes into CrashLoopBackOff status.

time="2019-07-19T07:51:33Z" level=fatal msg="SharedConfigAssumeRoleError: failed to load assume role for arn:aws:iam::111111111111:role/external-dns-role, source profile has no shared credentials"

The following roles are set in account A:

  • Role Name

    • external-dns-role

  • Trust Relationship:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::222222222222:root" },
          "Action": "sts:AssumeRole",
          "Condition": {}
        }
      ]
    }
  • Policy
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "route53:ChangeResourceRecordSets" ],
          "Resource": [ "arn:aws:route53:::hostedzone/*" ]
        },
        {
          "Effect": "Allow",
          "Action": [ "route53:ListHostedZones", "route53:ListResourceRecordSets" ],
          "Resource": [ "*" ]
        }
      ]
    }

The node that runs external-dns in account B has the following policies attached:

  • AmazonEC2RoleforSSM
  • AmazonEKSWorkerNodePolicy
  • AmazonEC2ContainerRegistryReadOnly
  • AmazonEKS_CNI_Policy
  • external-dns
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::111111111111:role/external-dns-role"
        }
      ]
    }

The external-dns is installed using Terraform's Helm resource as follows:

resource "helm_release" "external_dns" {
  name      = "external-dns"
  chart     = "stable/external-dns"
  namespace = "kube-system"
  timeout   = 60

  set {
    name  = "image.pullPolicy"
    value = "Always"
  }

  set {
    name  = "provider"
    value = "aws"
  }

  set {
    name  = "policy"
    value = "upsert-only"
  }

  set {
    name  = "rbac.create"
    value = "true"
  }

  set {
    name  = "aws.assumeRoleArn"
    value = "arn:aws:iam::111111111111:role/external-dns-role"
  }
}

Is there anything missing?
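The following script is an added example, not code from this issue or from external-dns. It evaluates the three policy documents quoted above offline: that the node policy in account B allows sts:AssumeRole on the role, that the role's trust policy accepts principals from account B, and that the role's own policy covers the Route53 actions external-dns uses. The account ids and role name are the ones in the post; the hosted zone id is a constructed placeholder. An empty result only shows that IAM would permit the hop. The fatal line in the log is the AWS SDK failing to load credentials for the role from its shared config ("source profile has no shared credentials"), which is client-side configuration that this check cannot see.

```python
"""Offline consistency check for a cross-account AssumeRole chain (added example)."""
import re

# Policy documents copied from the issue text.
TRUST_POLICY_A = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
        "Condition": {},
    }],
}
ROLE_POLICY_A = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
         "Resource": ["arn:aws:route53:::hostedzone/*"]},
        {"Effect": "Allow",
         "Action": ["route53:ListHostedZones", "route53:ListResourceRecordSets"],
         "Resource": ["*"]},
    ],
}
NODE_POLICY_B = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::111111111111:role/external-dns-role",
    }],
}

ROLE_ARN = "arn:aws:iam::111111111111:role/external-dns-role"
CALLER_ACCOUNT = "222222222222"
ZONE_ARN = "arn:aws:route53:::hostedzone/ZEXAMPLE12345"  # constructed placeholder

# Calls external-dns makes with the assumed credentials (the actions the role policy lists).
REQUIRED = [
    ("route53:ListHostedZones", "*"),
    ("route53:ListResourceRecordSets", ZONE_ARN),
    ("route53:ChangeResourceRecordSets", ZONE_ARN),
]


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case=False):
    # IAM wildcard semantics: '*' matches any run of characters, '?' exactly one.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def allows(policy, action, resource):
    """Identity-policy decision for one action/resource: an explicit Deny wins, else any Allow."""
    allowed = False
    for st in _as_list(policy.get("Statement")):
        hit_action = any(_matches(a, action, ignore_case=True) for a in _as_list(st.get("Action")))
        hit_resource = any(_matches(r, resource) for r in _as_list(st.get("Resource")))
        if hit_action and hit_resource:
            if st.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def trusts(trust_policy, caller_account):
    """True if the trust policy lets principals from caller_account call sts:AssumeRole."""
    for st in _as_list(trust_policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        if not any(_matches(a, "sts:AssumeRole", ignore_case=True) for a in _as_list(st.get("Action"))):
            continue
        principal = st.get("Principal")
        if principal == "*":
            return True
        accepted = {"*", caller_account, f"arn:aws:iam::{caller_account}:root"}
        for p in _as_list((principal or {}).get("AWS")):
            # ':root' trusts the whole account; a specific role or user ARN in it also qualifies.
            if p in accepted or p.startswith(f"arn:aws:iam::{caller_account}:"):
                return True
    return False


def check_chain(node_policy, trust_policy, role_policy, role_arn, caller_account):
    """Return a list of findings; an empty list means every hop is permitted."""
    findings = []
    if not allows(node_policy, "sts:AssumeRole", role_arn):
        findings.append(f"caller policy does not allow sts:AssumeRole on {role_arn}")
    if not trusts(trust_policy, caller_account):
        findings.append(f"trust policy of {role_arn} does not trust account {caller_account}")
    for action, resource in REQUIRED:
        if not allows(role_policy, action, resource):
            findings.append(f"role policy lacks {action} on {resource}")
    return findings


if __name__ == "__main__":
    problems = check_chain(NODE_POLICY_B, TRUST_POLICY_A, ROLE_POLICY_A, ROLE_ARN, CALLER_ACCOUNT)
    print("OK: IAM permits the AssumeRole hop and the Route53 calls" if not problems else "\n".join(problems))
```

Run it with the policies from the issue and it reports no findings; swapping in a trust policy that names a different account, or a node policy without sts:AssumeRole, produces one finding per broken hop, which is the first thing to rule out before looking at how the SDK inside the Pod is sourcing credentials.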

All 2 comments

@Kazylla in place of aws.assumeRoleArn can you try

set {
  name  = "extraArgs.aws-assume-role"
  value = "arn:aws:iam::{{ env "AWS_ACCOUNT_ID" }}:role/external-dns"
}

Although I doubt you would be able to manage hosted zones in both A and B using the same external-dns instance, if your target is only A it should be OK.

@rverma-nikiai It works fine. Thanks!
