Provide access to other IAM users and roles to AWS EKS after cluster creation.
Today we will grant other IAM users and roles access to an existing AWS EKS cluster. By default only the IAM identity that created the cluster is mapped to a Kubernetes user, so every other identity has to be added to the aws-auth ConfigMap.
- Use SSH to connect to the instance where kubectl is configured.
- Check whether you have kubectl permission:
kubectl get pods
Output:
error: You must be logged in to the server (Unauthorized).
Note: This error means that the IAM identity kubectl is using is not authorized to access the Amazon EKS cluster, that is, it is not mapped in the cluster's aws-auth ConfigMap. Now you need to grant it access.
- Get the IAM user details (note the Arn in the output; you will need it for the ConfigMap):
aws sts get-caller-identity
- Configure the AWS access key ID and the AWS secret access key by running the following command:
aws configure --profile test-iam
- Verify whether the IAM identity has access to the cluster by running the following command:
kubectl get pods
Note: If you still get an unauthorized error message, check the IAM permissions in the IAM console and grant the identity EKS permission.
- Now edit the aws-auth ConfigMap. Open the ConfigMap for editing:
kubectl edit -n kube-system configmap/aws-auth
- Add your IAM users, roles, or AWS accounts to the ConfigMap. IAM roles go under mapRoles (key rolearn) and IAM users go under mapUsers (key userarn); an entry placed in the wrong section is not recognised and grants nothing.
Note: You cannot add IAM groups to the ConfigMap. Also, system:masters is bound to the cluster-admin ClusterRole, so map a principal to it only if it genuinely needs full cluster access; otherwise map it to a group that is bound to a narrower Role or ClusterRole.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::<account-id>:role/EKS-Worker-NodeInstanceRole
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::<account-id>:role/test-iam-role
      username: test-iam-role
      groups:
        - system:masters
  mapUsers: |
    - userarn: arn:aws:iam::<account-id>:user/test-iam-user
      username: test-iam-user
      groups:
        - system:masters
- Save the file and exit your text editor.
- Verify that the change to the aws-auth ConfigMap was applied:
kubectl describe configmap -n kube-system aws-auth
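Because kubectl edit gives no feedback when an entry is silently ignored, it helps to check the exported ConfigMap before relying on it. The script below is an added example (not part of the original post) that runs offline against a copy of aws-auth saved with kubectl get configmap aws-auth -n kube-system -o yaml > aws-auth.yaml. It reports which section an ARN is mapped under, lists every principal placed in system:masters, and flags entries that sit in the wrong section (a rolearn under mapUsers, or a userarn under mapRoles). The two YAML documents embedded in it are constructed samples that mirror the mapping above; <account-id> is a placeholder. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: offline sanity checks for an
# aws-auth ConfigMap exported with
#   kubectl get configmap aws-auth -n kube-system -o yaml > aws-auth.yaml
# The two YAML documents below are constructed samples; <account-id> is a placeholder.

# Correct mapping: roles under mapRoles, users under mapUsers.
SAMPLE_AWS_AUTH=$(cat <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::<account-id>:role/EKS-Worker-NodeInstanceRole
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::<account-id>:role/test-iam-role
      username: test-iam-role
      groups:
        - system:masters
  mapUsers: |
    - userarn: arn:aws:iam::<account-id>:user/test-iam-user
      username: test-iam-user
      groups:
        - system:masters
EOF
)

# Defective mapping: the authenticator only reads userarn keys under mapUsers,
# so a rolearn entry placed there is not recognised and the role gets no access.
BROKEN_AWS_AUTH=$(cat <<'EOF'
data:
  mapUsers: |
    - rolearn: arn:aws:iam::<account-id>:role/test-iam-role
      username: test-iam-role
      groups:
        - system:masters
EOF
)

# Print the section (mapRoles or mapUsers) in which an ARN is mapped; empty if unmapped.
# Usage: aws_auth_section_for_arn "<arn>" "$yaml"
aws_auth_section_for_arn() {
  printf '%s\n' "$2" | awk -v arn="$1" '
    /^  map[A-Za-z]+: [|]/ { section = $1; sub(":", "", section); next }
    /^    - (rolearn|userarn): / && $3 == arn { print section; exit }
  '
}

# Print every ARN that is placed in the system:masters group (cluster-admin).
aws_auth_masters() {
  printf '%s\n' "$1" | awk '
    /^    - (rolearn|userarn): / { cur = $3 }
    /^ +- system:masters *$/ && cur != "" { print cur; cur = "" }
  '
}

# Print ARNs that sit in the wrong section (rolearn under mapUsers, userarn under mapRoles).
aws_auth_misplaced() {
  printf '%s\n' "$1" | awk '
    /^  map[A-Za-z]+: [|]/ { section = $1; sub(":", "", section); next }
    section == "mapUsers" && /^    - rolearn: / { print $3 }
    section == "mapRoles" && /^    - userarn: / { print $3 }
  '
}

# Stand-alone usage against the constructed samples.
echo "test-iam-user is mapped under: $(aws_auth_section_for_arn 'arn:aws:iam::<account-id>:user/test-iam-user' "$SAMPLE_AWS_AUTH")"
echo "principals with system:masters:"
aws_auth_masters "$SAMPLE_AWS_AUTH"
echo "misplaced entries in the broken sample:"
aws_auth_misplaced "$BROKEN_AWS_AUTH"
```

To run it against a real export, replace the constructed SAMPLE_AWS_AUTH with `$(cat aws-auth.yaml)`; the checks rely only on the two-space indentation that kubectl emits for the data keys and the four-space indentation of the list entries inside the block scalars.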