Grant IAM User Access To EKS Cluster

In my previous articles, I explained how to create an EKS cluster using the AWS Console and eksctl.

In this guide, we will learn how to grant an IAM user access to an EKS cluster so that they can manage and deploy applications in it.

User access is configured in the kube-system namespace through the aws-auth ConfigMap.

Steps Involved

  • Check whether the aws-auth ConfigMap is already applied in the cluster.
  • Add the aws-auth ConfigMap if it is not present.
  • Add the IAM users.
  • Create or update the kubeconfig used to access the cluster.

Check Aws-Auth ConfigMap

When we create an EKS cluster, the IAM identity that created it is automatically granted system:masters permissions in the cluster's RBAC configuration.

Here we are going to grant permissions to other IAM users by modifying the aws-auth ConfigMap of the cluster.

To check the aws-auth ConfigMap, use the command below.

kubectl describe configmap -n kube-system aws-auth

You will get a response like this.

If you get an error saying configmaps "aws-auth" not found, we need to add the basic aws-auth ConfigMap to the cluster.

Download The Configmap

Using the command below, download the default ConfigMap.

curl -o aws-auth-cm.yaml https://amazon-eks.s3.us-west-2.amazonaws.com/cloudformation/2020-05-08/aws-auth-cm.yaml

Once downloaded, open the aws-auth-cm.yaml file.

You will see the default configuration as shown below.

Here we need to fill in the rolearn: the ARN of the IAM role attached to the worker nodes. Once the role ARN is in place in the aws-auth-cm.yaml file, we need to apply the configuration to the Kubernetes cluster.

kubectl apply -f aws-auth-cm.yaml

Before running the step above, make sure kubectl is configured on your local system.

After applying the changes and once the cluster is ready, let's go ahead and add the users to the cluster.

Adding IAM User To The EKS Cluster

Open the aws-auth ConfigMap using the command below.

kubectl edit -n kube-system configmap/aws-auth

You will see something like this (the account id and role name will be those of your own cluster).

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::609251626283:role/eksctl-eks-testing-nodegroup-eks-NodeInstanceRole-1M833T89FKKQW
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  mapUsers: |
    []

We can add either an IAM user (under mapUsers) or an IAM role (under mapRoles) to the above ConfigMap.

To add an IAM user under mapUsers we need the following details.

  • userarn – The ARN of the IAM user.
  • username – The username inside Kubernetes that the IAM user is mapped to.
  • groups – The list of Kubernetes groups to which the user should be added.

To add an IAM role under mapRoles we need the following details.

  • rolearn – The ARN of the IAM role.
  • username – The username inside Kubernetes that the IAM role is mapped to.
  • groups – The list of Kubernetes groups to which the role should be added.

Important Note:

From the above ConfigMap we can see that cluster permissions can be granted either to an IAM user or to an IAM role.

  • mapRoles – Holds the worker nodes' IAM role so that the nodes can register with the Kubernetes cluster (and any other roles you map).
  • mapUsers – Holds IAM users, each added to the groups that carry the desired permissions.

Adding IAM User

As discussed above, to add an IAM user we use mapUsers.

Add the configuration below under mapUsers so that the IAM user test (for example) is granted access to the cluster.

mapUsers: |
  - userarn: arn:aws:iam::858273673526:user/test
    username: test
    groups:
      - system:masters

Once added, save and close the file.

Now the IAM user test has the necessary permission to access and manage the EKS cluster.

To access the cluster, the user needs the AWS CLI and kubectl configured with the appropriate privileges for managing the cluster.

To create or update the kubeconfig for the EKS cluster, run the command below.
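Hand-editing aws-auth with kubectl edit is error-prone: a mistyped ARN, a duplicate entry, or an accidental system:masters (which is unrestricted cluster-admin) is easy to miss. The script below is an added example, not code from the article; it parses the mapUsers and mapRoles blocks in the format EKS emits, adds a user entry idempotently, reports every identity that holds system:masters, and prints a strategic merge patch body for kubectl patch. The sample ConfigMap data is constructed from the article's own snippet; the function names and the minimal parser are this example's, not an AWS or Kubernetes API.

```python
"""Offline helper for aws-auth mapUsers / mapRoles entries (added example)."""
import json
import re
from typing import Dict, List

# IAM ARN shapes for users and roles; the 12-digit account id is mandatory.
USER_ARN = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@/-]+$")
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def parse_mappings(text: str) -> List[Dict]:
    """Parse the small YAML subset EKS writes under mapUsers / mapRoles.

    '- key: value' opens an entry, 'key: value' adds a scalar, 'groups:'
    opens a '- item' list, and '[]' or '' means no entries. This is a
    hand-written parser for exactly that shape, not a general YAML parser.
    """
    entries: List[Dict] = []
    current: Dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "[]":
            continue
        if line.startswith("- ") and ": " in line:   # '- userarn: ...' opens an entry
            current = {}
            entries.append(current)
            line = line[2:]
        elif line.startswith("- "):                    # '- system:masters' is a group item
            current.setdefault("groups", []).append(line[2:])
            continue
        key, _, value = line.partition(":")            # split on the first colon only
        key, value = key.strip(), value.strip()
        current[key] = [] if key == "groups" else value
    return entries


def render_mappings(entries: List[Dict]) -> str:
    """Serialise entries back into the block form shown in the article."""
    if not entries:
        return "[]\n"
    out: List[str] = []
    for entry in entries:
        first = True
        for key, value in entry.items():
            if key == "groups":
                continue
            out.append(("- " if first else "  ") + f"{key}: {value}")
            first = False
        if entry.get("groups"):
            out.append("  groups:")
            out.extend(f"    - {g}" for g in entry["groups"])
    return "\n".join(out) + "\n"


def add_user(data: Dict[str, str], userarn: str, username: str,
             groups: List[str]) -> Dict[str, str]:
    """Return a copy of the ConfigMap's `data` with the user appended to mapUsers.

    Rejects malformed ARNs and refuses to add a second entry for an ARN that
    is already mapped, so re-running the script never duplicates a grant.
    """
    if not USER_ARN.match(userarn):
        raise ValueError(f"not an IAM user ARN: {userarn}")
    users = parse_mappings(data.get("mapUsers", ""))
    if any(u.get("userarn") == userarn for u in users):
        raise ValueError(f"{userarn} is already mapped; edit the existing entry")
    users.append({"userarn": userarn, "username": username, "groups": list(groups)})
    return {**data, "mapUsers": render_mappings(users)}


def cluster_admins(data: Dict[str, str]) -> List[str]:
    """ARNs (users and roles) mapped into system:masters, i.e. full cluster-admin."""
    admins: List[str] = []
    for block, arn_key in (("mapUsers", "userarn"), ("mapRoles", "rolearn")):
        for entry in parse_mappings(data.get(block, "")):
            if "system:masters" in entry.get("groups", []):
                admins.append(entry[arn_key])
    return admins


def merge_patch(data: Dict[str, str]) -> str:
    """Patch body for: kubectl patch configmap aws-auth -n kube-system --patch '<body>'"""
    return json.dumps({"data": {"mapUsers": data["mapUsers"]}})


# Constructed sample mirroring the article's ConfigMap (account ids as printed there).
SAMPLE_DATA = {
    "mapRoles": (
        "- rolearn: arn:aws:iam::609251626283:role/"
        "eksctl-eks-testing-nodegroup-eks-NodeInstanceRole-1M833T89FKKQW\n"
        "  username: system:node:{{EC2PrivateDNSName}}\n"
        "  groups:\n"
        "    - system:bootstrappers\n"
        "    - system:nodes\n"
    ),
    "mapUsers": "[]\n",
}

if __name__ == "__main__":
    updated = add_user(SAMPLE_DATA, "arn:aws:iam::858273673526:user/test",
                       "test", ["system:masters"])
    print(updated["mapUsers"])
    print("system:masters holders:", cluster_admins(updated))
    print(merge_patch(updated))
```

Run it against the real object with kubectl get configmap aws-auth -n kube-system -o json, feed the "data" field to add_user, and review the cluster_admins output before applying the patch; granting a narrower group than system:masters, bound to a Role or ClusterRole of your own, is the same change with a different groups list.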

aws eks --region ap-south-1 update-kubeconfig --name test-cluster

To test the configuration, use the commands below.

kubectl get svc 
kubectl get nodes

The test user should now be able to deploy applications and manage the cluster using kubectl.

Conclusion

We have successfully added an IAM user to the existing EKS cluster and granted permissions so that they are able to manage the Kubernetes cluster.

Hope you found it helpful. Thanks for reading this article.

Check out my other publications.