无法使用外部 DNS 在 Route53 中创建记录,出现以下错误
无法同步 *v1.Service:超出上下文截止日期
time="2023-08-02T13:07:48Z" level=fatal msg="records retrieval failed: failed to list hosted zones: AccessDenied: User: arn:aws:sts::602867777777:assumed-role/scm-main-demo-eks-nodes/i-0e5e31a1cd641fcf3 is not authorized to perform: route53:ListHostedZones because no identity-based policy allows the route53:ListHostedZones action\n\tstatus code: 403, request id: 1d737c73-8d6a-49ce-8590-e819058e70ed"
用户
arn:aws:sts::602867777777:assumed-role/scm-main-demo-eks-nodes/i-0e5e31a1cd641fcf3
不是我想使用的,但不确定它来自哪里。
问题已通过以下策略解决,请在您的 IAM externalDNS 策略中添加最后一个 SID 权限块
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Action = [
"route53:GetHostedZone",
"route53:ListResourceRecordSets",
"route53:ListHostedZones",
"route53:ChangeResourceRecordSets",
"route53:GetHostedZoneCount",
"route53:ListHostedZonesByName"
]
Resource = "arn:aws:route53:::hostedzone/*"
},
{
Effect = "Allow"
Action = [
"eks:DescribeCluster"
]
Resource = "*"
},
{
"Sid": "Route53ListHostedZones",
"Effect": "Allow",
"Action": "route53:ListHostedZones",
"Resource": "*"
}