AWS EBS reports a permission-denied error
Creating an EBS-backed PVC on AWS EKS fails with the following error:
Warning ProvisioningFailed 9m28s ebs.csi.aws.com_ebs-csi-controller-79d7954f96-thd4s_9a0470ef-ef71-4c55-8a8c-2be08fdc17d9 failed to provision volume with StorageClass "gp2": rpc error: code = Internal desc = Could not create volume "pvc-d0e1df78-28ce-464b-b7ea-da017a656393": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
status code: 403, request id: 6e315969-831c-46d5-87fa-c2c635af7a4b
Normal Provisioning 2m37s (x11 over 11m) ebs.csi.aws.com_ebs-csi-controller-79d7954f96-thd4s_9a0470ef-ef71-4c55-8a8c-2be08fdc17d9 External provisioner is provisioning volume for claim "cattle-monitoring-system/prometheus-rancher-monitoring-prometheus-db-prometheus-rancher-monitoring-prometheus-0"
Warning ProvisioningFailed 2m37s (x2 over 7m37s) ebs.csi.aws.com_ebs-csi-controller-79d7954f96-thd4s_9a0470ef-ef71-4c55-8a8c-2be08fdc17d9 (combined from similar events): failed to provision volume with StorageClass "gp2": rpc error: code = Internal desc = Could not create volume "pvc-d0e1df78-28ce-464b-b7ea-da017a656393": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
status code: 403, request id: 919f64b1-528c-4720-b6b5-3a711875335f
Normal ExternalProvisioning 99s (x43 over 11m) persistentvolume-controller waiting for a volume to be created, either by external provisioner "ebs.csi.aws.com" or manually created by system administrator
https://github.com/kubernetes-sigs/aws-ebs-csi-driver/issues/748
https://github.com/kubernetes-sigs/aws-ebs-csi-driver/issues/1033
Role permission problem:
The IAM role used by the EBS plugin must have the following permissions:
https://docs.aws.amazon.com/eks/latest/userguide/csi-iam-role.html
AmazonEBSCSIDriverPolicy | AWS managed
The permission policy in eks-pre2:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteSnapshot",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumesModifications",
        "ec2:DetachVolume",
        "ec2:ModifyVolume"
      ],
      "Resource": "*"
    }
  ]
}
Finally, restart the plugin:
kubectl -n kube-system rollout restart deploy/ebs-csi-controller
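The 403 above is returned by `sts:AssumeRoleWithWebIdentity`, which STS authorizes against the role's trust policy rather than its permission policy. As an added example (not from the original post), this Python check evaluates a trust policy document, such as the `AssumeRolePolicyDocument` returned by `aws iam get-role`, for the EBS CSI controller; the account ID, OIDC provider ID and the `ebs-csi-controller-sa` service account name are assumptions.

```python
from fnmatch import fnmatchcase

ACTION = "sts:AssumeRoleWithWebIdentity"
# Constructed placeholders: account ID, region and OIDC provider ID are not real.
ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID"
PROVIDER_ARN = "arn:aws:iam::111122223333:oidc-provider/" + ISSUER
# Assumption: the controller runs as the driver's default service account.
SUBJECT = "system:serviceaccount:kube-system:ebs-csi-controller-sa"

def as_list(value):
    return value if isinstance(value, list) else [value]

def constrained(condition, key, expected):
    """True/False when `key` is tested in the Condition block, None when it is absent."""
    results = []
    for operator, exact in (("StringEquals", True), ("StringLike", False)):
        if key in condition.get(operator, {}):
            patterns = as_list(condition[operator][key])
            results.append(any(p == expected if exact else fnmatchcase(expected, p)
                               for p in patterns))
    return all(results) if results else None

def check_trust_policy(policy, provider_arn=PROVIDER_ARN, subject=SUBJECT):
    """Return findings for one role trust policy; a DENY finding explains the 403."""
    issuer = provider_arn.split(":oidc-provider/", 1)[1]
    for stmt in as_list(policy["Statement"]):  # Deny statements and action wildcards are not modelled
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or ACTION not in as_list(stmt.get("Action", [])):
            continue
        if not isinstance(principal, dict) or provider_arn not in as_list(principal.get("Federated", [])):
            continue  # statement trusts a different identity provider (for example another cluster)
        cond = stmt.get("Condition", {})
        sub = constrained(cond, issuer + ":sub", subject)
        aud = constrained(cond, issuer + ":aud", "sts.amazonaws.com")
        if sub is False or aud is False:
            continue  # statement exists but does not match this service account token
        if sub is None:
            return ["WARN: no :sub condition, every service account in the cluster can assume the role"]
        return []
    return ["DENY: no Allow statement matches %s via %s" % (subject, provider_arn)]

def trust_policy(provider_arn, conditions):
    """Build a constructed trust policy document for the sample cases below."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ACTION,
        "Principal": {"Federated": provider_arn}, "Condition": {"StringEquals": conditions}}]}

GOOD = trust_policy(PROVIDER_ARN, {ISSUER + ":sub": SUBJECT, ISSUER + ":aud": "sts.amazonaws.com"})
WRONG_SA = trust_policy(PROVIDER_ARN, {ISSUER + ":sub": "system:serviceaccount:default:ebs-csi-controller-sa"})
OTHER_CLUSTER = trust_policy(PROVIDER_ARN.replace("EXAMPLEOIDCID", "OTHERCLUSTERID"), {})
```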