При использовании ExternalDNS для управления записями в AWS Route53 начали появляться ошибки вида
external-dns-6f858fdd6c-7xdhs external-dns time="2021-08-04T06:52:56Z" level=error msg="records retrieval failed: failed to list hosted zones: AccessDenied: User: arn:aws:sts::0000000:assumed-role/demo-external-dns2000000/000000 is not authorized to perform: route53:ListHostedZones\n\tstatus code: 403, request id: 000-f2b2-666-777-999"
external-dns-6f858fdd6c-h4fxb external-dns time="2021-08-04T06:52:58Z" level=error msg="records retrieval failed: failed to list hosted zones: AccessDenied: User: arn:aws:sts::000000000:assumed-role/demo-external-dns000000000/000000000 is not authorized to perform: route53:ListHostedZones\n\tstatus code: 403, request id: 00000-d1a4-777-873e-000000"
Им предшествовало указание arn для ресурсов в policy для ExternalDNS
Поэтому необходимо указывать только как сказано в документации https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/*"
]
},
{
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"route53:ListResourceRecordSets"
],
"Resource": [
"*"
]
}
]
}
Be First to Comment