@shinyaz

EKS Pod Identity session policy AccessDenied errors clearly state the cause


While testing EKS Pod Identity session policies, I was surprised by how helpful the error messages are.

IAM AccessDenied errors are notoriously vague, but session policy denials explicitly state the cause:

Output (session policy is the cause):

```text
s3:CreateBucket on resource: "arn:aws:s3:::xxx"
because no session policy allows the s3:CreateBucket action
```

Output (IAM role itself is the cause):

```text
ec2:DescribeInstances
because no identity-based policy allows the ec2:DescribeInstances action
```

"no session policy allows" means you need to add the action to the session policy. "no identity-based policy allows" means the IAM role's own policy needs updating. Knowing at a glance which one to fix is a huge win for operations.
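As an added example (not code from the post), here is a small Python helper that parses these messages and reports which policy layer to fix; the sample messages, role name and account id are constructed.

```python
# Added triage helper (not AWS code): classify an AccessDenied message by the
# "because no ... policy allows" phrase and say which policy layer to fix.
import re
from dataclasses import dataclass
from typing import Optional
# "because no session policy allows the s3:CreateBucket action"
_CAUSE_RE = re.compile(
    r"because no (?P<layer>session|identity-based) policy allows the "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+) action"
)
# 'on resource: "arn:aws:s3:::xxx"' (absent for actions that take no resource)
_RESOURCE_RE = re.compile(r'on resource:\s*"(?P<arn>[^"]+)"')

@dataclass(frozen=True)
class Diagnosis:
    action: Optional[str]
    resource: Optional[str]
    layer: str  # "session", "identity-based" or "unknown"
    fix: str

def diagnose(message: str) -> Diagnosis:
    """Return which policy layer to fix for one AccessDenied message."""
    res = _RESOURCE_RE.search(message)
    arn = res.group("arn") if res else None
    cause = _CAUSE_RE.search(message)
    if cause is None:
        # No cause phrase: do not guess, the denial may come from another layer.
        return Diagnosis(None, arn, "unknown", "cause not stated; read the full error")
    action, layer = cause.group("action"), cause.group("layer")
    if layer == "session":
        fix = f"add {action} to the Pod Identity session policy"
    else:
        fix = f"add {action} to the IAM role's own identity-based policy"
    return Diagnosis(action, arn, layer, fix)

def triage(messages: list) -> dict:
    """Group diagnoses by the layer that needs fixing."""
    groups = {"session": [], "identity-based": [], "unknown": []}
    for m in messages:
        d = diagnose(m)
        groups[d.layer].append(d)
    return groups

# Constructed sample messages in the shape quoted above (account id is a placeholder).
SAMPLES = [
    'User: arn:aws:sts::111111111111:assumed-role/pod-role/eks-demo is not authorized to perform: '
    's3:CreateBucket on resource: "arn:aws:s3:::xxx" because no session policy allows the s3:CreateBucket action',
    'User: arn:aws:sts::111111111111:assumed-role/pod-role/eks-demo is not authorized to perform: '
    'ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action',
]
```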


Shinya Tahara


Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this site. The views and opinions expressed on this site are my own and do not represent the official positions of my employer.