Provide access to other IAM users and roles to AWS EKS after cluster creation.
Today we will provide access to other IAM users and roles to an existing AWS EKS cluster.
Use SSH to connect to the kubectl instance.
Check whether your IAM identity has kubectl permission:
kubectl get pods
Output:
error: You must be logged in to the server (Unauthorized).
Note: This error means that the IAM user is not authorized to access the Amazon EKS cluster. Now you need to grant the permission.
- Get the details of the IAM user you are using:
aws sts get-caller-identity
- Configure the AWS access key ID and the AWS secret access key for that user by running the following command:
aws configure --profile test-iam
- Verify that the IAM user has access to the cluster by running the following command:
kubectl get pods
Note: If you still get an unauthorized error message, check the IAM user's permissions in the IAM console and grant the EKS permissions.
- Now edit the aws-auth ConfigMap. Open the ConfigMap for editing:
kubectl edit -n kube-system configmap/aws-auth
- Add your IAM users, roles, or AWS accounts to the ConfigMap.
Note: You cannot add IAM groups to the ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Worker node role: keep this entry intact or nodes can no longer join the cluster.
    - rolearn: arn:aws:iam::<account-id>:role/EKS-Worker-NodeInstanceRole
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    # IAM roles belong under mapRoles; a rolearn key under mapUsers does not map the role.
    - rolearn: arn:aws:iam::<account-id>:role/test-iam-role
      username: test-iam-role
      groups:
        - system:masters   # cluster-admin; bind a narrower RBAC group where full admin is not needed
  mapUsers: |
    - userarn: arn:aws:iam::<account-id>:user/test-iam-user
      username: test-iam-user
      groups:
        - system:masters
Save the file and exit your text editor.
Check that the aws-auth ConfigMap was applied:
kubectl describe configmap -n kube-system aws-auth
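Before or after editing, it is worth auditing the ConfigMap for entries that will not take effect and for grants of system:masters. The script below is an added example, not part of the original post: it reads the ConfigMap as a dict (the shape `kubectl get configmap -n kube-system aws-auth -o json` prints), parses the mapRoles/mapUsers blocks with a minimal parser for the flat aws-auth shape, and reports misfiled entries, malformed ARNs and cluster-admin grants. The sample data is constructed, uses a placeholder account id, and deliberately files test-iam-role under mapUsers to show that check firing.

```python
import re
# IAM principal ARN shape aws-auth expects: 12-digit account id, role or user path.
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(role|user)/[\w+=,.@/-]+$")

def parse_mappings(block):
    """Parse the flat list-of-mappings YAML in mapRoles/mapUsers ('- key: value'
    starts an entry, 'groups:' opens a list, '- item' appends). Not general YAML."""
    entries, current, list_key = [], None, None
    for line in filter(None, map(str.strip, block.splitlines())):  # skip blanks
        if line.startswith("- ") and ": " in line:   # first key of a new entry
            key, value = line[2:].split(": ", 1)
            current, list_key = {key: value}, None
            entries.append(current)
        elif line.endswith(":"):                     # e.g. 'groups:'
            list_key = line[:-1]
            current[list_key] = []
        elif line.startswith("- "):                  # item of the open list
            current[list_key].append(line[2:])
        else:                                        # e.g. 'username: x'
            key, value = line.split(": ", 1)
            current[key] = value
    return entries

def audit_aws_auth(configmap):
    """Return findings for a ConfigMap dict as emitted by
    'kubectl get configmap -n kube-system aws-auth -o json'."""
    findings, data = [], configmap.get("data", {})
    for section, arn_key in (("mapRoles", "rolearn"), ("mapUsers", "userarn")):
        for entry in parse_mappings(data.get(section, "")):
            arn = entry.get(arn_key)
            if arn is None:   # e.g. a rolearn under mapUsers: the role is never matched
                findings.append(f"{section}: entry {entry} lacks '{arn_key}' (misfiled?)")
                continue
            if not ARN_RE.match(arn):
                findings.append(f"{section}: malformed ARN {arn!r}")
            if "system:masters" in entry.get("groups", []):
                findings.append(f"{section}: {arn} mapped to system:masters (cluster-admin)")
    return findings

# Constructed sample mirroring the ConfigMap above, with a placeholder 12-digit
# account id and the test-iam-role entry deliberately misfiled under mapUsers.
SAMPLE = {"data": {
    "mapRoles": ("- rolearn: arn:aws:iam::123456789012:role/EKS-Worker-NodeInstanceRole\n"
                 "  username: system:node:{{EC2PrivateDNSName}}\n"
                 "  groups:\n    - system:bootstrappers\n    - system:nodes\n"),
    "mapUsers": ("- userarn: arn:aws:iam::123456789012:user/test-iam-user\n"
                 "  username: test-iam-user\n  groups:\n    - system:masters\n"
                 "- rolearn: arn:aws:iam::123456789012:role/test-iam-role\n"
                 "  username: test-iam-role\n  groups:\n    - system:masters\n")}}
```

Run `audit_aws_auth(json.load(...))` on the live JSON dump to get the same findings for your cluster; an empty list means every entry has the right ARN key and nobody is mapped to system:masters.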