Topic 1 Question 239
A company uses an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to deploy its web applications on containers. The web applications contain confidential data that cannot be decrypted without specific credentials.
A DevOps engineer has stored the credentials in AWS Secrets Manager. The secrets are encrypted by an AWS Key Management Service (AWS KMS) customer managed key. A Kubernetes service account for a third-party tool makes the secrets available to the applications. The service account assumes an IAM role that the company created to access the secrets.
The service account receives an Access Denied (403 Forbidden) error while trying to retrieve the secrets from Secrets Manager.
What is the root cause of this issue?
The IAM role that is attached to the EKS cluster does not have access to retrieve the secrets from Secrets Manager.
The key policy for the customer managed key does not allow the Kubernetes service account IAM role to use the key.
The key policy for the customer managed key does not allow the EKS cluster IAM role to use the key.
The IAM role that is assumed by the Kubernetes service account does not have permission to access the EKS cluster.
ユーザの投票
コメント(4)
- 正解だと思う選択肢: B
The IAM role assumed by the Kubernetes service account, not the EKS cluster IAM role => C is wrong
👍 3trungtd2024/07/14 ---> B
👍 3tgv2024/07/15- 正解だと思う選択肢: B
When a service account in Amazon EKS tries to access secrets in AWS Secrets Manager, it does so by assuming an IAM role. The permissions required to access these secrets include:
- Secrets Manager permissions: The IAM role must have the necessary permissions to retrieve the secrets from AWS Secrets Manager.
- KMS key permissions: The IAM role must also have permissions to use the AWS KMS key that encrypts the secrets.
👍 2jamesf2024/07/30
シャッフルモード