
error instantiating route53 challenge solver: unable to assume role: AccessDenied: User: arn:aws:sts::xxxxx:assumed-role/cert-manager/xxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::9xxxxx:role/cert-manager about cert-manager HOT 5 CLOSED

eravindar12 commented on July 23, 2024
error instantiating route53 challenge solver: unable to assume role: AccessDenied: User: arn:aws:sts::xxxxx:assumed-role/cert-manager/xxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::9xxxxx:role/cert-manager

from cert-manager.

Comments (5)

eravindar12 commented on July 23, 2024

I've resolved the error by adjusting the trust relationships in the IAM. As a result, the access denied issue has been successfully addressed. However, now I am getting the error below.

e.g.,

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::xxxx:oidc-provider/oidc.eks.xxx-1.amazonaws.com/id/xxxxx"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.xxxx.amazonaws.com/id/xxxx:sub": "system:serviceaccount:cert-manager:cert-manager"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxx:role/cert-manager"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

E0325 18:58:02.592653 1 sync.go:190] "propagation check failed" err="NS ns-512.awsdns-00.net.:53 returned REFUSED for _acme-challenge.stage-keycloak.xxx.xxx.com." logger="cert-manager.challenges" resource_name="stage-keycloak.tage-keycloak.xxx.xxx-1647614373" resource_namespace="keycloak" resource_kind="Challenge" resource_version="v1" dnsName="stage-keycloak.xxxl.xxx.com" type="DNS-01"


eravindar12 commented on July 23, 2024

The logs from the certificate manager display the following error stack traces:

E0325 02:12:23.998103 1 sync.go:126] "Failed to determine the list of Challenge resources needed for the Order" err="no configured challenge solvers can be used for this challenge" logger="cert-manager.orders" resource_name="stage-keycloak.xxxx.xxxx-2242030729" resource_namespace="keycloak" resource_kind="Order" resource_version="v1"
E0325 02:12:24.035530 1 sync.go:126] "Failed to determine the list of Challenge resources needed for the Order" err="no configured challenge solvers can be used for this challenge" logger="cert-manager.orders" resource_name="stage-stage-keycloak.xxxx.xxxx-2242030729" resource_namespace="keycloak" resource_kind="Order" resource_version="v1"
E0325 02:12:24.036247 1 controller.go:167] "re-queuing item due to error processing" err=<
error instantiating route53 challenge solver: unable to assume role: AccessDenied: User: arn:aws:sts::9xxxx2:assumed-role/cert-manager/1711332743998839274 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::9xxxxx2:role/cert-manager
status code: 403, request id: f60496bf-f21d-415e-9d8f-bee17dd2fd01


leganck commented on July 23, 2024

The name of the service account for the 'cert-manager' installed by Helm is 'cert-manager-controller'. You need to change the binding service account to 'cert-manager-controller'.


eravindar12 commented on July 23, 2024

@leganck - I've noticed that the service account name defaults to 'cert-manager,' but would you recommend changing it to 'cert-manager-controller' in this context?

JFYR,

❯ k get sa -n cert-manager
NAME                      SECRETS   AGE
aws-privateca-issuer-sa   0         20d
cert-manager              0         12h
cert-manager-cainjector   0         12h
cert-manager-webhook      0         12h
default                   0         20d
❯ k get sa -n cert-manager cert-manager -o yaml
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::9xxxxx2:role/cert-manager
    meta.helm.sh/release-name: cert-manager
    meta.helm.sh/release-namespace: cert-manager
  creationTimestamp: "2024-03-25T00:41:24Z"
  labels:
    app: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: v1.14.4
    helm.sh/chart: cert-manager-v1.14.4
    helm.toolkit.fluxcd.io/name: cert-manager
    helm.toolkit.fluxcd.io/namespace: cert-manager
  name: cert-manager
  namespace: cert-manager
  resourceVersion: "15982674"
  uid: d0e4c9fb-1e64-43c2-8002-f0d488e63157
❯ k get deploy -n cert-manager cert-manager -o yaml | grep -i service
      enableServiceLinks: false
      serviceAccount: cert-manager
      serviceAccountName: cert-manager

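The two things this thread keeps circling back to are whether the IAM trust policy (posted above) actually names the service account the controller pod runs as, and whether the role is being asked to assume itself via sts:AssumeRole. The following checker is an added example written for this page; it is not cert-manager's code nor anything from the issue. It takes a trust-policy document, the role's own ARN, and the namespace and service account name you see in the Deployment (`serviceAccountName`) and reports mismatches a reviewer would flag. The policy it ships with is a constructed sample modelled on the one in the thread, with placeholder account and OIDC provider ids; run it against your real policy by passing the JSON from `aws iam get-role` instead.

```python
import json

# Constructed sample trust policy, modelled on the one posted in the thread.
# Account id and OIDC provider id are placeholders, not real values.
SAMPLE_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111111111111:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEOIDCID"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEOIDCID:sub": "system:serviceaccount:cert-manager:cert-manager"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111111111111:role/cert-manager"},
      "Action": "sts:AssumeRole"
    }
  ]
}"""

SAMPLE_ROLE_ARN = "arn:aws:iam::111111111111:role/cert-manager"


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, role_arn, namespace, service_account):
    """Return a list of findings (strings) about the trust policy.

    An empty list means: some AssumeRoleWithWebIdentity statement is scoped to
    exactly the expected 'system:serviceaccount:<ns>:<sa>' subject, the
    condition key matches the federated OIDC provider, and no sts:AssumeRole
    statement trusts the role itself or a whole account.
    """
    findings = []
    policy = json.loads(policy_json)
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    web_identity_ok = False

    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        principal = stmt.get("Principal") or {}

        if "sts:AssumeRoleWithWebIdentity" in actions:
            cond = stmt.get("Condition") or {}
            for fed in _as_list(principal.get("Federated")):
                # The part after 'oidc-provider/' is the issuer host/path and
                # must be the prefix of the condition key.
                issuer = fed.split("oidc-provider/", 1)[-1]
                subs = []
                for op in ("StringEquals", "StringLike"):
                    for key, val in (cond.get(op) or {}).items():
                        if not key.endswith(":sub"):
                            continue
                        if not key.startswith(issuer + ":"):
                            findings.append(
                                f"condition key {key!r} does not match OIDC provider {issuer!r}")
                        subs.extend(_as_list(val))
                if not subs:
                    findings.append(
                        "AssumeRoleWithWebIdentity statement has no ':sub' condition; "
                        "any service account in the cluster could assume the role")
                elif expected_sub in subs:
                    web_identity_ok = True
                else:
                    findings.append(
                        f"trusted subjects {subs} do not include {expected_sub!r}")

        if "sts:AssumeRole" in actions:
            for aws in _as_list(principal.get("AWS")):
                if aws == role_arn:
                    findings.append(
                        "role trusts itself via sts:AssumeRole (role chaining into the same role)")
                elif aws.endswith(":root"):
                    findings.append(f"whole account trusted via sts:AssumeRole: {aws}")

    if not web_identity_ok:
        findings.append(
            f"no AssumeRoleWithWebIdentity statement admits {expected_sub!r}")
    return findings


if __name__ == "__main__":
    # Service account name taken from the Deployment's serviceAccountName.
    for finding in check_trust_policy(SAMPLE_TRUST_POLICY, SAMPLE_ROLE_ARN,
                                      "cert-manager", "cert-manager"):
        print("finding:", finding)
```

The self-trust finding is informational: a statement letting a role assume itself only matters if something (for example the solver's `role` setting) asks STS to chain from the IRSA identity into that same ARN, which is the shape of the AccessDenied message quoted in the issue. Running the sample with `service_account="cert-manager-controller"` instead shows the mismatch leganck suspected, which is the other way this error presents.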

inteon commented on July 23, 2024

Good to see you are making progress.
I'll close this issue and we can continue in #6874.
