AWS eks documentation change
Summary
Updated example commands and added sts:TagSession permission requirement
Security assessment
Formatting improvements to examples and permission updates to match changes in other files. No security vulnerabilities addressed.
Diff
diff --git a/eks/latest/userguide/ack-troubleshooting.md b/eks/latest/userguide/ack-troubleshooting.md index da25c901d..a59bd8fcb 100644 --- a//eks/latest/userguide/ack-troubleshooting.md +++ b//eks/latest/userguide/ack-troubleshooting.md @@ -84,2 +84,2 @@ You can view capability health and status issues in the EKS console or using the - aws iam list-attached-role-policies --role-name <replaceable>my-ack-capability-role</replaceable> - aws iam list-role-policies --role-name <replaceable>my-ack-capability-role</replaceable> + aws iam list-attached-role-policies --role-name my-ack-capability-role + aws iam list-role-policies --role-name my-ack-capability-role @@ -88 +88,2 @@ You can view capability health and status issues in the EKS console or using the - aws iam get-role-policy --role-name <replaceable>my-ack-capability-role</replaceable> --policy-name <replaceable>policy-name</replaceable> + aws iam get-role-policy --role-name my-ack-capability-role --policy-name policy-name + @@ -114 +115 @@ If resources aren’t being created in a target AWS account when using IAM Role - aws iam get-role --role-name <replaceable>cross-account-ack-role</replaceable> --query 'Role.AssumeRolePolicyDocument' + aws iam get-role --role-name cross-account-ack-role --query 'Role.AssumeRolePolicyDocument' @@ -133 +134 @@ IAMRoleSelectors are cluster-scoped resources but target specific namespaces. En - kubectl get bucket <replaceable>my-cross-account-bucket</replaceable> -n <replaceable>production</replaceable> + kubectl get bucket my-cross-account-bucket -n production @@ -139 +140 @@ IAMRoleSelectors are cluster-scoped resources but target specific namespaces. En - kubectl get iamroleselector <replaceable>my-selector</replaceable> -o jsonpath='{.spec.namespaceSelector}' + kubectl get iamroleselector my-selector -o jsonpath='{.spec.namespaceSelector}' @@ -147 +148 @@ Verify that the IAMRoleSelector was successfully matched to your resource by che - kubectl get bucket <replaceable>my-cross-account-bucket</replaceable> -n <replaceable>production</replaceable> -o jsonpath='{.status.conditions[?(@.type=="ACK.IAMRoleSelected")]}' + kubectl get bucket my-cross-account-bucket -n production -o jsonpath='{.status.conditions[?(@.type=="ACK.IAMRoleSelected")]}' @@ -153 +154 @@ If the condition is `False` or missing, the IAMRoleSelector’s namespace select -The Capability Role needs `sts:AssumeRole` permission for the target account role: +The Capability Role needs `sts:AssumeRole` and `sts:TagSession` permissions for the target account role: @@ -161 +162 @@ The Capability Role needs `sts:AssumeRole` permission for the target account rol - "Action": "sts:AssumeRole", + "Action": ["sts:AssumeRole", "sts:TagSession"],