Provide access to other IAM users and roles to AWS EKS after cluster creation.

Today we will provide access to other IAM users and roles on an existing AWS EKS cluster.

  • Use SSH to connect to the kubectl instance.

  • Check whether you have kubectl permission:

kubectl get pods

Output

error: You must be logged in to the server (Unauthorized).

Note: This error means that the IAM user is not authorized to access the Amazon EKS cluster. You now need to grant that permission.

  • Get the IAM user details:
aws sts get-caller-identity
  • Configure the AWS access key ID and the AWS secret access key by running the following command:
aws configure --profile test-iam
  • Verify that the IAM user has access to the cluster by running the following command:
kubectl get pods

Note: If you still get an unauthorized error message, check the IAM user's permissions in the IAM console and grant the EKS permissions.

  • Now edit the aws-auth ConfigMap. Open it for editing:
kubectl edit -n kube-system configmap/aws-auth
  • Add your IAM users, roles, or AWS accounts to the ConfigMap.

Note: You cannot add IAM groups to the ConfigMap.

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Worker node instance role: keep this entry so nodes can join the cluster
    - rolearn: arn:aws:iam::<account-id>:role/EKS-Worker-NodeInstanceRole
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    # IAM roles belong under mapRoles, keyed by rolearn
    - rolearn: arn:aws:iam::<account-id>:role/test-iam-role
      username: test-iam-role
      groups:
        - system:masters
  mapUsers: |
    # IAM users belong under mapUsers, keyed by userarn
    - userarn: arn:aws:iam::<account-id>:user/test-iam-user
      username: test-iam-user
      groups:
        - system:masters
  • Save the file and exit your text editor.

  • Verify the applied aws-auth ConfigMap:

kubectl describe configmap -n kube-system aws-auth
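A pre-apply check for the ConfigMap edit above, added here as an example and not part of the original post: it parses the mapRoles and mapUsers text blocks (only the flat aws-auth subset, so no PyYAML is needed) and flags a rolearn placed under mapUsers, an IAM group ARN, and any mapping to system:masters. The sample block is constructed to mirror the post's mapUsers content with a placeholder account id.

```python
# Added example, not from the post: audit the mapRoles/mapUsers blocks of an EKS
# aws-auth ConfigMap. Parses only the flat aws-auth mapping subset (scalar keys
# plus a `groups` list), so it needs no PyYAML.
import re
# "key: value" or a bare "key:"; "system:masters" has no space after the colon,
# so it matches as a list value rather than as a key.
KEY_RE = re.compile(r"^(\w+):(?:\s+(.*))?$")

def parse_mappings(block):
    entries = []
    for line in filter(None, map(str.strip, block.splitlines())):
        is_item = line.startswith("- ")
        line = line[2:].strip() if is_item else line
        m = KEY_RE.match(line)
        if m:
            if is_item:  # "- key: value" opens a new mapping entry
                entries.append({})
            key, value = m.groups()
            entries[-1][key] = [] if value is None else value
        elif is_item:    # bare "- value" belongs to the open groups list
            entries[-1].setdefault("groups", []).append(line)
        else:
            raise ValueError(f"unsupported aws-auth line: {line!r}")
    return entries

def audit_aws_auth(map_roles, map_users):
    """Return findings for the pitfalls the post warns about."""
    findings = []
    for section, block, key in (("mapRoles", map_roles, "rolearn"),
                                ("mapUsers", map_users, "userarn")):
        for e in parse_mappings(block):
            arn = e.get(key) or e.get("rolearn") or e.get("userarn") or "<no arn>"
            if key not in e:
                findings.append(f"{section}: {arn} uses the wrong key; roles belong in mapRoles, users in mapUsers")
            if ":group/" in arn:
                findings.append(f"{section}: {arn} is an IAM group, which aws-auth cannot map")
            if "system:masters" in e.get("groups", []):
                findings.append(f"{section}: {arn} gets system:masters (cluster-admin); confirm least privilege")
    return findings

# Constructed sample: the post's mapUsers block, including the rolearn entry it
# places under mapUsers by mistake (account id is a placeholder).
SAMPLE_MAP_USERS = """\
- userarn: arn:aws:iam::<account-id>:user/test-iam-user
  groups:
    - system:masters
- rolearn: arn:aws:iam::<account-id>:role/test-iam-role
  groups:
    - system:masters
"""
print("\n".join(audit_aws_auth("", SAMPLE_MAP_USERS)))
```

To audit a live cluster, feed it the data.mapRoles and data.mapUsers strings from `kubectl get configmap aws-auth -n kube-system -o json`.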

I ❤ AWS! Happy Cloud Computing! 🧑‍💻 Enjoy #Cloudkaramchari