If you're deploying to Kubernetes on AWS EKS and kubectl fails with errors like these:
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=secrets", GroupVersionKind: "/v1, Kind=Secret"
Name: "YOUR_SECRET_NAME", Namespace: "YOUR_NAMESPACE_NAME"
from server for: "STDIN": secrets "YOUR_SECRET_NAME" is forbidden: User "arn:aws:iam::***:user/YOUR_IAM_AWS_USERNAME" cannot get resource "secrets" in API group "" in the namespace "YOUR_NAMESPACE_NAME"
or
error: error validating "deployment.yaml": error validating data: failed to download openapi: the server has asked for the client to provide credentials; if you choose to ignore these errors, turn validation off with --validate=false
Read them carefully before touching anything, because both come from the EKS API server, not from AWS IAM. The first one (Forbidden) means the cluster did authenticate your IAM user but that user has no Kubernetes RBAC permission on Secrets in that namespace. The second one ("the server has asked for the client to provide credentials") means the token kubectl presented was not accepted at all; that is usually an IAM identity that has not been mapped into the cluster (aws-auth ConfigMap or EKS access entry), or a kubeconfig generated for a different identity than the one running the deploy. An IAM policy is still required, because the deploy also calls AWS APIs directly (pushing images to ECR, reading secrets, locating the cluster so kubectl can talk to it), so start by giving the deploy user the permissions it needs on that side. Go to the AWS Console and search for IAM. Select the user you deploy with, then go to Add permissions » Create inline policy. On the next page, click JSON, delete everything, and paste the policy below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListClusters",
        "eks:DescribeNodegroup",
        "eks:DescribeFargateProfile",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}
The first block allows pulling and pushing images in ECR, the second lets the deploy read values from Secrets Manager, and the last one lets kubectl locate the cluster and its networking. If you don't need some of them, remove them. Also tighten "Resource": "*" where you can: ecr:GetAuthorizationToken, eks:ListClusters and the ec2:Describe* actions only work with "*", but every other action here accepts an ARN, so scope secretsmanager:GetSecretValue to the ARNs of the secrets your deploy reads, the remaining ECR actions to your repository ARNs, and the eks:Describe* actions to your cluster. As written, this user can read every secret in the account and push to every repository, which is more than a deploy needs.
Click Next, give the policy a name, e.g., GitHubActionsDeploy, and then click Save changes.
With this policy in place, the user can push to ECR, read the secrets it needs and generate a kubeconfig for the cluster. Note that an IAM policy only controls AWS API calls; it grants no permission inside the cluster. If the errors above persist, finish the setup on the Kubernetes side: the user's ARN must be mapped into the cluster (a mapUsers entry in the aws-auth ConfigMap in kube-system, or an EKS access entry), and the Kubernetes username it is mapped to must be bound, through a Role and RoleBinding in YOUR_NAMESPACE_NAME, to the verbs the deploy uses on Secrets and Deployments (get, list, create, patch). The Forbidden error names exactly the user, resource and namespace that are missing from that binding. Finally, if this user exists for GitHub Actions, as the suggested policy name implies, consider attaching the same policy to an IAM role that the workflow assumes through GitHub's OIDC provider instead of storing long-lived access keys in the repository secrets.
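The tightening described above, worked through as an added example (this is not code from the original post): a small Python script that takes the page's policy, lists the actions that sit on "Resource": "*" although they accept an ARN, and rewrites the policy so that only the wildcard-only actions keep "*". The account ID, region, cluster name and repository name in EXAMPLE_ARNS are placeholders, not real infrastructure.

```python
"""Tighten the deploy policy from the page: keep Resource "*" only for actions
that have no resource-level permissions, bind everything else to explicit ARNs."""
import json
from copy import deepcopy

# The policy exactly as given on the page.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:PutImage",
                    "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                    "ecr:CompleteLayerUpload"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["eks:DescribeCluster", "eks:ListClusters", "eks:DescribeNodegroup",
                    "eks:DescribeFargateProfile", "ec2:DescribeSubnets",
                    "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups"],
         "Resource": "*"},
    ],
}

# Actions in the page's policy that IAM only evaluates against Resource "*"
# (they have no resource-level permissions). Everything else here accepts an ARN.
WILDCARD_ONLY = {"ecr:GetAuthorizationToken", "eks:ListClusters"}


def needs_wildcard(action):
    return action in WILDCARD_ONLY or action.startswith("ec2:Describe")


def as_list(value):
    return value if isinstance(value, list) else [value]


def overbroad_actions(policy):
    """Actions granted on Resource "*" although they accept an ARN, keyed by statement index."""
    found = {}
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            continue
        bad = [a for a in as_list(stmt["Action"]) if not needs_wildcard(a)]
        if bad:
            found[i] = bad
    return found


def scope_policy(policy, arns_by_service):
    """Rewrite each Allow/"*" statement: wildcard-only actions keep "*", the rest are
    split per service prefix and bound to the ARNs supplied for that service."""
    scoped = deepcopy(policy)
    statements = []
    for stmt in scoped["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Resource") != "*":
            statements.append(stmt)
            continue
        actions = as_list(stmt["Action"])
        wild = [a for a in actions if needs_wildcard(a)]
        if wild:
            statements.append({"Effect": "Allow", "Action": wild, "Resource": "*"})
        by_service = {}
        for a in actions:
            if not needs_wildcard(a):
                by_service.setdefault(a.split(":", 1)[0], []).append(a)
        for service, acts in by_service.items():
            arns = arns_by_service.get(service)
            if not arns:
                # Fail loudly rather than silently emitting "*" again.
                raise ValueError(f"no ARNs supplied for {service}: {acts}")
            statements.append({"Effect": "Allow", "Action": acts, "Resource": list(arns)})
    scoped["Statement"] = statements
    return scoped


# Placeholder ARNs (assumed account 123456789012, region eu-west-1, cluster "app",
# repository "app-api", secrets under "app/prod/"). Replace with your own.
EXAMPLE_ARNS = {
    "ecr": ["arn:aws:ecr:eu-west-1:123456789012:repository/app-api"],
    "secretsmanager": ["arn:aws:secretsmanager:eu-west-1:123456789012:secret:app/prod/*"],
    "eks": ["arn:aws:eks:eu-west-1:123456789012:cluster/app",
            "arn:aws:eks:eu-west-1:123456789012:nodegroup/app/*",
            "arn:aws:eks:eu-west-1:123456789012:fargateprofile/app/*"],
}

if __name__ == "__main__":
    print("over-broad before:", overbroad_actions(PAGE_POLICY))
    tightened = scope_policy(PAGE_POLICY, EXAMPLE_ARNS)
    print("over-broad after:", overbroad_actions(tightened))
    print(json.dumps(tightened, indent=2))
```

The script refuses to emit a scoped policy when no ARN is supplied for a service, so a missing entry in EXAMPLE_ARNS surfaces as an error instead of a silently retained wildcard. Nodegroup and Fargate profile ARNs end in a generated ID, which is why those two entries use a trailing wildcard under the cluster name.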