
Answer-first summary for fast verification
Answer: Configure the application account’s deployment IAM role to have a trust relationship with the centralized DevOps account. Configure the trust relationship to allow the sts:AssumeRole action. Configure the application account’s deployment IAM role to have the required access to the EKS cluster. Configure the EKS cluster aws-auth ConfigMap to map the role to the appropriate system permissions.
The correct answer is A. The issue arises because the IAM role used by CodeBuild in the centralized DevOps account does not have the necessary permissions to assume the deployment role in the application's AWS account. To resolve this, you need to configure the application account’s deployment IAM role to trust the centralized DevOps account, which allows it to assume the role using sts:AssumeRole. Additionally, the application account’s deployment IAM role needs the required access permissions to manage the EKS cluster, and these permissions must be mapped in the EKS cluster's aws-auth ConfigMap to the appropriate system permissions. This setup ensures that the deployment process can successfully connect to and manage the EKS cluster across accounts.
Author: LeetQuiz Editorial Team
A company uses AWS Control Tower to manage multiple AWS accounts, with each application team having its own account for hosting applications. These accounts are organized under an AWS Organizations umbrella. A centralized DevOps account within AWS Control Tower is responsible for managing CI/CD pipelines that application teams use to deploy their applications to their respective AWS accounts. There is an IAM role for deployment in both the centralized DevOps account and the application accounts. An application team is currently attempting to deploy their application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster located in their application AWS account. The deployment process involves an AWS CodeBuild project set up in the centralized DevOps account, which utilizes an IAM service role for CodeBuild. The deployment is encountering an Unauthorized error when the CodeBuild project tries to connect to the EKS cluster in the application account. What configuration change will rectify this Unauthorized error?
A
Configure the application account’s deployment IAM role to have a trust relationship with the centralized DevOps account. Configure the trust relationship to allow the sts:AssumeRole action. Configure the application account’s deployment IAM role to have the required access to the EKS cluster. Configure the EKS cluster aws-auth ConfigMap to map the role to the appropriate system permissions.
B
Configure the centralized DevOps account’s deployment IAM role to have a trust relationship with the application account. Configure the trust relationship to allow the sts:AssumeRole action. Configure the centralized DevOps account’s deployment IAM role to allow the required access to CodeBuild.
C
Configure the centralized DevOps account’s deployment IAM role to have a trust relationship with the application account. Configure the trust relationship to allow the sts:AssumeRoleWithSAML action. Configure the centralized DevOps account’s deployment IAM role to allow the required access to CodeBuild.
D
Configure the application account’s deployment IAM role to have a trust relationship with the AWS Control Tower management account. Configure the trust relationship to allow the sts:AssumeRole action. Configure the application account’s deployment IAM role to have the required access to the EKS cluster. Configure the EKS cluster aws-auth ConfigMap to map the role to the appropriate system permissions.
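The two artifacts option A calls for, as an added worked example that is not code from the quiz page or from AWS: the trust policy on the application account's deployment role and the aws-auth mapRoles entry that binds it to a Kubernetes group. The account IDs, role names, ExternalId and group name are constructed placeholders, and trust_allows is a deliberately simplified check, not IAM's policy evaluator.

```python
"""Cross-account CodeBuild -> EKS: trust policy and aws-auth mapping (option A).
Added example, not from the quiz; IDs, names and the ExternalId are constructed."""
from typing import Optional

DEVOPS_ACCOUNT = "111111111111"   # constructed: centralized DevOps account
APP_ACCOUNT = "222222222222"      # constructed: application account
EXTERNAL_ID = "pipeline-7f3a"     # constructed: value only CodeBuild's role presents

def trust_policy(devops_account: str, devops_role: str, external_id: str) -> dict:
    """Trust policy for the application account's deployment role: trusts one specific
    role (CodeBuild's service role), not the whole DevOps account, and pins an ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{devops_account}:role/{devops_role}"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def trust_allows(policy: dict, principal_arn: str, external_id: Optional[str]) -> bool:
    """Simplified check (not IAM's evaluator): does an Allow statement admit this caller?"""
    for st in policy["Statement"]:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principals = st.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        required = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if (st.get("Effect") == "Allow" and "sts:AssumeRole" in actions
                and principal_arn in principals
                and (required is None or required == external_id)):
            return True
    return False

def aws_auth_role_arn(account: str, role_name: str) -> str:
    """aws-auth does not accept role ARNs that contain a path, so strip any path."""
    return f"arn:aws:iam::{account}:role/{role_name.rsplit('/', 1)[-1]}"

def aws_auth_map_roles(account: str, role_name: str, groups: list) -> list:
    """mapRoles entry for the deployment role; bind a scoped deploy group, not system:masters."""
    return [{"rolearn": aws_auth_role_arn(account, role_name),
             "username": "cicd-deployer", "groups": groups}]
```

A missing or mismatched entry in mapRoles, or a role ARN still carrying its path, is the usual reason the assumed role authenticates with STS but still gets Unauthorized from the cluster.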