Configuration reference:
https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
Troubleshooting approach
kubectl get sa sa-name -o yaml
Check eks.amazonaws.com/role-arn
kubectl describe pod podname
Check the environment variables (ENV)
AWS_STS_REGIONAL_ENDPOINTS: regional
AWS_DEFAULT_REGION: us-east-1
AWS_REGION: us-east-1
AWS_ROLE_ARN: arn:aws:iam::xxxx:role/xxxx
AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
Install the AWS CLI in the pod to test
Run
aws sts get-caller-identity
{
"Account": "123456789012",
"UserId": "AR1234567890123456",
"Arn": "arn:aws:iam::123456789012:user/username"
}
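The checks above can be combined into one offline diagnosis. This is an added example, not code from the original page or from AWS. The function names, the role name demo-role and the unsigned sample token are constructed for illustration, and sts.amazonaws.com is assumed as the token audience (the IRSA default). With IRSA credentials in use, the caller Arn is an assumed-role ARN for the role named in AWS_ROLE_ARN.

```python
import base64
import json

def jwt_claims(token):
    """Decode (without verifying the signature) the payload of a JWT."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(env, token, caller_arn):
    """Return a list of findings; an empty list means IRSA credentials are in use."""
    role_arn = env.get("AWS_ROLE_ARN")
    if not role_arn or not env.get("AWS_WEB_IDENTITY_TOKEN_FILE"):
        return ["IRSA env vars missing: check the service account annotation"]
    findings = []
    aud = jwt_claims(token).get("aud")
    if "sts.amazonaws.com" not in (aud if isinstance(aud, list) else [aud]):
        findings.append(f"token audience {aud!r} is not sts.amazonaws.com")
    # Role ARN:   arn:<partition>:iam::<account>:role/<optional path/><name>
    # Caller ARN: arn:<partition>:sts::<account>:assumed-role/<name>/<session>
    account, resource = role_arn.split(":", 5)[4:6]
    role_name = resource.split("/")[-1]  # the assumed-role ARN omits the role path
    caller = caller_arn.split(":", 5)
    kind, _, rest = caller[5].partition("/")
    if caller[2] != "sts" or kind != "assumed-role":
        findings.append(f"caller is {kind}, not an assumed role")
    elif caller[4] != account or rest.split("/")[0] != role_name:
        findings.append(f"caller assumed a different role than {role_arn}")
    return findings

def sample_token(claims):
    """Build an unsigned, constructed token for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    # Constructed sample values; in a pod, read os.environ, the token file and
    # the Arn field of `aws sts get-caller-identity` instead.
    env = {"AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/demo-role",
           "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}
    # The sub claim names the namespace and service account the token was issued to.
    tok = sample_token({"aud": ["sts.amazonaws.com"],
                        "sub": "system:serviceaccount:default:sa-name"})
    print(diagnose(env, tok, "arn:aws:sts::123456789012:assumed-role/demo-role/session-1"))
    print(diagnose(env, tok, "arn:aws:iam::123456789012:user/username"))
```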