Which solution will resolve this error?
Configure the application account’s deployment IAM role to have a trust relationship with the centralized DevOps account. Configure the trust relationship to allow the sts:AssumeRole action. Configure the application account’s deployment IAM role to have the required access to the EKS cluster. Configure the EKS cluster aws-auth ConfigMap to map the role to the appropriate system permissions.
Configure the centralized DevOps account’s deployment IAM role to have a trust relationship with the application account. Configure the trust relationship to allow the sts:AssumeRole action. Configure the centralized DevOps account’s deployment IAM role to allow the required access to CodeBuild.
Configure the centralized DevOps account’s deployment IAM role to have a trust relationship with the application account. Configure the trust relationship to allow the sts:AssumeRoleWithSAML action. Configure the centralized DevOps account’s deployment IAM role to allow the required access to CodeBuild.
Configure the application account’s deployment IAM role to have a trust relationship with the AWS Control Tower management account. Configure the trust relationship to allow the sts:AssumeRole action. Configure the application account’s deployment IAM role to have the required access to the EKS cluster. Configure the EKS cluster aws-auth ConfigMap to map the role to the appropriate system permissions.
Explanations:
This option correctly addresses the cross-account access issue. By configuring the application account’s deployment IAM role to trust the centralized DevOps account and allowing the sts:AssumeRole action, the CodeBuild project’s service role in the DevOps account can assume this role (the calling CodeBuild role must also be permitted to call sts:AssumeRole on that role’s ARN, so both sides of the hop are authorized). Additionally, granting the deployment role the necessary permissions to access the EKS cluster and updating the aws-auth ConfigMap to map the role to Kubernetes RBAC permissions ensures that the deployment can connect to the EKS cluster successfully. The aws-auth mapping is required because IAM only authenticates the assumed role to the cluster; an unmapped identity is authenticated but has no permissions inside Kubernetes.
This option is incorrect because it puts the trust relationship on the wrong side: the centralized DevOps account’s deployment IAM role trusting the application account. The requirement is the reverse. CodeBuild in the DevOps account must assume a role in the application account to deploy to that account’s EKS cluster, so it is the deployment role in the application account that must trust the DevOps account. Granting a DevOps-account role access to CodeBuild also does nothing to authorize access to the cluster in the application account.
This option is incorrect because it proposes sts:AssumeRoleWithSAML, which is not relevant in this context. That action is for federated identities that present a SAML assertion from an identity provider; CodeBuild runs under an IAM service role and obtains cross-account credentials with sts:AssumeRole. As with the previous option, the trust relationship is also on the wrong side, and nothing in this option grants the role access to the EKS cluster or maps it in the aws-auth ConfigMap.
This option is incorrect because it configures the application account’s deployment IAM role to trust the AWS Control Tower management account. The management account is not involved in the deployment path between the centralized DevOps account and the application account, and trusting it would let an unrelated, highly privileged account assume the deployment role. The deployment IAM role should trust the DevOps account instead, so that the CodeBuild role there can assume it and reach the EKS cluster.
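The correct option, worked through as an added example (this is not code from the original question or from AWS): it generates the three policy documents and the aws-auth mapRoles entry the answer describes, plus a CodeBuild buildspec that performs the role hop, and includes a minimal trust-policy evaluator that shows why each of the other three options fails (trust on the wrong side, the wrong STS action, or the wrong trusted account). All account IDs, role names, the cluster name and region, the ExternalId value and the Kubernetes group name are placeholder assumptions; the buildspec assumes jq is present in the build image. Mapping the role to a dedicated group bound by a Kubernetes RoleBinding (not shown) is tighter than mapping it to system:masters.

```python
"""Cross-account CodeBuild (DevOps account) -> EKS (application account) wiring.
Added example with placeholder identifiers; not from the original page or from AWS."""
import json
from typing import Dict, Iterable, Optional

DEVOPS_ACCOUNT = "111111111111"   # centralized DevOps account (assumed)
APP_ACCOUNT = "222222222222"      # application account owning the EKS cluster (assumed)
MGMT_ACCOUNT = "333333333333"     # Control Tower management account (assumed)
CODEBUILD_ROLE_ARN = f"arn:aws:iam::{DEVOPS_ACCOUNT}:role/codebuild-deploy-role"
DEPLOY_ROLE_ARN = f"arn:aws:iam::{APP_ACCOUNT}:role/eks-deploy-role"
EKS_CLUSTER_ARN = f"arn:aws:eks:us-east-1:{APP_ACCOUNT}:cluster/app-cluster"


def trust_policy(trusted_principal: str, action: str = "sts:AssumeRole",
                 external_id: Optional[str] = None) -> Dict:
    """Trust policy for the deployment role in the APPLICATION account.
    The principal is the DevOps CodeBuild role ARN (or that account, which then
    defers to the caller's own IAM policy). ExternalId is optional confused-deputy hardening."""
    st = {"Effect": "Allow", "Principal": {"AWS": trusted_principal}, "Action": action}
    if external_id:
        st["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [st]}


def caller_policy(target_role_arn: str) -> Dict:
    """Identity policy on the DevOps CodeBuild role: the calling side of the hop,
    scoped to the single target role rather than Resource '*'."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}]}


def deploy_role_policy(cluster_arn: str) -> Dict:
    """Identity policy on the application-account deployment role: enough to fetch
    cluster connection details. In-cluster rights come from aws-auth, not IAM."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["eks:DescribeCluster"], "Resource": cluster_arn}]}


def aws_auth_map_roles(role_arn: str, username: str, groups: Iterable[str]) -> str:
    """One mapRoles entry for the aws-auth ConfigMap (the field is a YAML string).
    Caveat: the rolearn must be written WITHOUT an IAM path, otherwise the mapping
    never matches and kubectl reports Unauthorized."""
    prefix, _, name = role_arn.rpartition(":role/")
    bare_arn = f"{prefix}:role/{name.rsplit('/', 1)[-1]}"
    lines = [f"- rolearn: {bare_arn}", f"  username: {username}", "  groups:"]
    lines += [f"    - {g}" for g in groups]
    return "\n".join(lines) + "\n"


def buildspec(target_role_arn: str, cluster_name: str, region: str) -> Dict:
    """buildspec (version 0.2) for the DevOps-account CodeBuild project: assume the
    application-account role, then reach the cluster with the temporary credentials."""
    return {"version": 0.2, "phases": {
        "pre_build": {"commands": [
            f"CREDS=$(aws sts assume-role --role-arn {target_role_arn} "
            "--role-session-name codebuild-deploy --query Credentials --output json)",
            "export AWS_ACCESS_KEY_ID=$(echo \"$CREDS\" | jq -r .AccessKeyId)",
            "export AWS_SECRET_ACCESS_KEY=$(echo \"$CREDS\" | jq -r .SecretAccessKey)",
            "export AWS_SESSION_TOKEN=$(echo \"$CREDS\" | jq -r .SessionToken)",
            f"aws eks update-kubeconfig --name {cluster_name} --region {region}"]},
        "build": {"commands": ["kubectl apply -f k8s/"]}}}


def can_assume(policy: Dict, caller_arn: str, action: str = "sts:AssumeRole",
               external_id: Optional[str] = None) -> bool:
    """Minimal trust-policy evaluation for one caller: an explicit Deny wins, otherwise
    some Allow must match the principal (role ARN or its account root), the action and
    any sts:ExternalId condition. Wildcards and NotPrincipal are deliberately not modelled."""
    caller_account = caller_arn.split(":")[4]
    root_forms = {caller_account, f"arn:aws:iam::{caller_account}:root"}
    allowed = False
    for st in policy["Statement"]:
        principals = st.get("Principal", {}).get("AWS", [])
        actions = st.get("Action", [])
        principals = [principals] if isinstance(principals, str) else principals
        actions = [actions] if isinstance(actions, str) else actions
        if action not in actions:
            continue
        if not any(p == caller_arn or p in root_forms for p in principals):
            continue
        required = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(trust_policy(CODEBUILD_ROLE_ARN, external_id="pipeline-42"), indent=2))
    print(json.dumps(caller_policy(DEPLOY_ROLE_ARN), indent=2))
    print(aws_auth_map_roles(DEPLOY_ROLE_ARN, "codebuild-deploy", ["deployers"]))
    print(json.dumps(buildspec(DEPLOY_ROLE_ARN, "app-cluster", "us-east-1"), indent=2))
```

Run it to print the documents; the evaluator is what makes the wrong options concrete: a trust policy naming the application account (option two and three reversed) or the management account (option four) never matches the DevOps CodeBuild caller, and a trust policy allowing only sts:AssumeRoleWithSAML never satisfies a plain sts:AssumeRole call.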