Add new user to manage AWS EKS

ismail yenigül
FAUN — Developer Community 🐾
4 min read, Mar 6, 2019


When you create an Amazon EKS cluster, the IAM entity (user or role) that creates the cluster is automatically granted system:masters permissions in the cluster's RBAC configuration. Do not create the cluster with the root account. Instead, create an IAM user, or, if you install EKS with the AWS CLI or a CloudFormation template from an EC2 instance, create an IAM role for that instance and run the commands from there.

To grant additional AWS users or roles the ability to interact with your cluster, you must add the new user or role to the aws-auth ConfigMap.

To grant an AWS user EKS management rights, create a policy like the one below and attach it to the user or the user's group.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:*"
            ],
            "Resource": "*"
        }
    ]
}

Update the aws-auth ConfigMap with your current EKS admin user or role:

$ kubectl edit -n kube-system configmaps aws-auth

By default the output of this command contains only one mapRoles section, for the worker node instance role:

apiVersion: v1
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxx:role/my-ec2-instance-role-eks-nodes
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes

Add your newly created EKS admin user in the following mapUsers format:

  mapUsers: |
    - userarn: arn:aws:iam::xxx:user/ismailyenigul
      username: ismailyenigul
      groups:
        - system:masters

If you have a role ARN from your own account or from a trusted account, add it as a rolearn entry under mapRoles. Here is a complete version of the aws-auth ConfigMap with a new user and a new role:

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxx:role/my-ec2-instance-role-eks-nodes
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::xxx:role/eks-full-admin
      username: full-eks-master
      groups:
        - system:masters
  mapUsers: |
    - userarn: arn:aws:iam::xx:user/ismailyenigul
      username: ismailyenigul
      groups:
        - system:masters

Save and exit the editor; kubectl confirms that the ConfigMap was updated:

$ kubectl edit -n kube-system configmaps aws-auth
configmap/aws-auth edited
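Hand-editing aws-auth with kubectl edit is easy to get wrong (a bad indent or a duplicated ARN silently breaks node or admin access, and every entry in system:masters is a full cluster admin). The following script is an added example, not code from the original post: it takes the ConfigMap's data field as returned by kubectl get configmap aws-auth -n kube-system -o json, validates the new ARNs, refuses to overwrite an existing mapping for the same ARN, renders the mapRoles/mapUsers blocks in the format shown above, and emits a merge patch for kubectl patch. It also lists every identity that ends up in system:masters so the change can be reviewed before it is applied. The account id and ARNs are constructed placeholders; the helper names (parse_mappings, build_patch, cluster_admins) are my own.

```python
"""Build a kubectl merge patch that adds IAM users/roles to the aws-auth ConfigMap.

Added example (not from the original post). Assumed workflow:
  kubectl get configmap aws-auth -n kube-system -o json | python3 -c '...'   # read .data
  kubectl patch configmap aws-auth -n kube-system --type merge -p "$(python3 aws_auth_patch.py)"
The ARNs and account id below are constructed placeholders.
"""
import json
import re

# Shapes aws-auth expects. Role ARNs must be given without an IAM path
# (arn:aws:iam::ACCOUNT:role/NAME), so '/' is not allowed after role/.
USER_ARN = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@-]+$")
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@-]+$")


def parse_mappings(block):
    """Parse the flat mapRoles/mapUsers YAML block used by aws-auth.

    Supports only the shape the post shows: a list of entries, each with
    rolearn/userarn, username and a groups list. Returns a list of dicts.
    """
    entries = []
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            key, _, value = line[2:].partition(":")
            if key.strip() in ("rolearn", "userarn"):
                entries.append({key.strip(): value.strip(), "groups": []})
                continue
            if not entries:
                raise ValueError("group item before any ARN entry")
            entries[-1]["groups"].append(line[2:].strip())   # e.g. "- system:masters"
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "username":
            entries[-1]["username"] = value.strip()
        elif key != "groups":
            raise ValueError(f"unsupported aws-auth field: {key}")
    return entries


def render_mappings(entries):
    """Render entries back into the block format kubectl edit showed."""
    out = []
    for e in entries:
        arn_key = "rolearn" if "rolearn" in e else "userarn"
        out.append(f"- {arn_key}: {e[arn_key]}")
        out.append(f"  username: {e['username']}")
        out.append("  groups:")
        out.extend(f"    - {g}" for g in e["groups"])
    return "\n".join(out) + "\n" if out else ""


def build_patch(current_data, new_roles=(), new_users=()):
    """Return the body for `kubectl patch --type merge`.

    current_data is the ConfigMap's .data as `kubectl -o json` returns it.
    New entries are validated and de-duplicated by ARN; an existing mapping
    for the same ARN is kept as-is rather than silently replaced.
    """
    patch = {}
    for key, new, pattern, arn_key in (
        ("mapRoles", new_roles, ROLE_ARN, "rolearn"),
        ("mapUsers", new_users, USER_ARN, "userarn"),
    ):
        entries = parse_mappings(current_data.get(key, ""))
        known = {e[arn_key] for e in entries}
        changed = False
        for e in new:
            arn = e[arn_key]
            if not pattern.match(arn):
                raise ValueError(f"malformed {arn_key}: {arn}")
            if arn in known:
                continue
            entries.append({arn_key: arn, "username": e["username"], "groups": list(e["groups"])})
            known.add(arn)
            changed = True
        if changed:
            patch[key] = render_mappings(entries)   # whole block is one string value
    return {"data": patch}


def cluster_admins(data):
    """Every ARN that aws-auth maps into system:masters (full cluster admin)."""
    return [e.get("rolearn") or e.get("userarn")
            for key in ("mapRoles", "mapUsers")
            for e in parse_mappings(data.get(key, ""))
            if "system:masters" in e["groups"]]


# Constructed sample of .data on a fresh cluster: only the node role is mapped.
CURRENT_DATA = {
    "mapRoles": (
        "- rolearn: arn:aws:iam::111122223333:role/my-ec2-instance-role-eks-nodes\n"
        "  username: system:node:{{EC2PrivateDNSName}}\n"
        "  groups:\n"
        "    - system:bootstrappers\n"
        "    - system:nodes\n"
    )
}
NEW_ROLES = [{"rolearn": "arn:aws:iam::111122223333:role/eks-full-admin",
              "username": "full-eks-master", "groups": ["system:masters"]}]
NEW_USERS = [{"userarn": "arn:aws:iam::111122223333:user/ismailyenigul",
              "username": "ismailyenigul", "groups": ["system:masters"]}]

if __name__ == "__main__":
    patch = build_patch(CURRENT_DATA, NEW_ROLES, NEW_USERS)
    print("cluster admins after patch:", cluster_admins(patch["data"]))
    print(json.dumps(patch))
```

Because each of mapRoles and mapUsers is a single string value, the patch has to carry the whole re-rendered block, which is why the script merges into the existing entries instead of appending text. Running it twice produces an empty patch, so it is safe to re-run from automation.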

The cluster side is now configured. Next, set up the environment for your new EKS admin.

Install kubectl and aws-iam-authenticator on the laptop or instance from which you will manage EKS; the EKS documentation has installation instructions for each OS.

The aws-iam-authenticator binary must be in your PATH, and you need at least version 1.16.73 of the AWS CLI; otherwise you will not be able to run aws eks commands.

Note: if you are running AWS CLI version 1.16.156 or later, you do not need to install the authenticator. Instead you can use the aws eks get-token command; for details, see "Create kubeconfig manually" in the EKS documentation.

After installing kubectl, the AWS CLI and aws-iam-authenticator, create access keys (Access Key ID and Secret Access Key) for your IAM user and configure the AWS CLI with them:

$ aws configure
AWS Access Key ID [****************NDFA]:
AWS Secret Access Key [****************X9qD]:
Default region name [us-west-1]:
Default output format [None]:

To test your user's permissions, run aws eks list-clusters:

$ aws eks list-clusters
{
"clusters": [
"my-eks-cluster"
]
}

To create a kubeconfig for Amazon EKS, run the following command with your own region and cluster name:

$ aws eks update-kubeconfig --region us-west-1 --name my-eks-cluster
Updated context arn:aws:eks:us-west-1:49728xxxx:cluster/my-eks-cluster in /Users/ismailyenigul/.kube/config
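The kubeconfig that update-kubeconfig writes contains no long-lived Kubernetes credential: the user entry is an exec plugin that calls aws-iam-authenticator or aws eks get-token, so access is revoked by disabling the IAM key or removing the aws-auth mapping. The script below is an added example, not part of the original post: it audits the output of kubectl config view -o json and reports, per context, whether authentication goes through one of those two IAM plugins or through a static token or client certificate that should be reviewed. The sample kubeconfig is constructed with a placeholder account id, endpoint and a deliberately static "legacy" context; audit and auth_method are my own helper names.

```python
"""Audit how each kubeconfig context authenticates.

Added example (not from the original post). Assumed input is the JSON from
`kubectl config view -o json` (or `--raw` if you want the CA data included).
The sample below is constructed: placeholder account id, endpoint and tokens.
"""
import json

# First argument that identifies the two IAM exec plugins the post mentions:
#   aws-iam-authenticator token -i <cluster>
#   aws eks get-token --cluster-name <cluster>
IAM_EXEC = {"aws-iam-authenticator": "token", "aws": "eks"}
STATIC_FIELDS = ("token", "client-certificate-data", "client-key-data", "password")

EKS_CTX = "arn:aws:eks:us-west-1:111122223333:cluster/my-eks-cluster"
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "current-context": EKS_CTX,
    "clusters": [
        {"name": EKS_CTX, "cluster": {"server": "https://EXAMPLE.gr7.us-west-1.eks.amazonaws.com",
                                      "certificate-authority-data": "PLACEHOLDER_CA"}},
        {"name": "legacy", "cluster": {"server": "https://10.0.0.5:6443"}},
    ],
    "contexts": [
        {"name": EKS_CTX, "context": {"cluster": EKS_CTX, "user": EKS_CTX}},
        {"name": "legacy", "context": {"cluster": "legacy", "user": "legacy-user"}},
    ],
    "users": [
        {"name": EKS_CTX, "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1alpha1",
            "command": "aws",
            "args": ["eks", "get-token", "--cluster-name", "my-eks-cluster"]}}},
        {"name": "legacy-user", "user": {"token": "PLACEHOLDER_STATIC_TOKEN"}},
    ],
}


def _named(items, name):
    """Look up a kubeconfig list entry (cluster/context/user) by name."""
    for item in items:
        if item["name"] == name:
            return item
    raise KeyError(name)


def auth_method(kubeconfig, context_name=None):
    """Describe how a context (default: current-context) authenticates.

    Returns a dict with cluster, user and kind in {"exec", "static", "none"};
    exec entries carry command/args, static ones the credential fields found.
    """
    ctx_name = context_name or kubeconfig["current-context"]
    ctx = _named(kubeconfig["contexts"], ctx_name)["context"]
    user = _named(kubeconfig["users"], ctx["user"]).get("user", {})
    result = {"cluster": ctx["cluster"], "user": ctx["user"]}
    static = [f for f in STATIC_FIELDS if f in user]
    if static:
        return {**result, "kind": "static", "fields": static}
    plugin = user.get("exec")
    if not plugin:
        return {**result, "kind": "none"}
    return {**result, "kind": "exec", "command": plugin["command"],
            "args": list(plugin.get("args", []))}


def uses_iam_exec(method):
    """True when the context obtains tokens from aws-iam-authenticator or aws eks get-token."""
    if method["kind"] != "exec":
        return False
    first_arg = method["args"][0] if method["args"] else None
    return IAM_EXEC.get(method["command"]) == first_arg


def audit(kubeconfig):
    """Map every context name to a short verdict string."""
    verdicts = {}
    for ctx in kubeconfig["contexts"]:
        m = auth_method(kubeconfig, ctx["name"])
        if uses_iam_exec(m):
            verdicts[ctx["name"]] = "iam-exec"
        elif m["kind"] == "static":
            verdicts[ctx["name"]] = "static:" + ",".join(m["fields"])
        else:
            verdicts[ctx["name"]] = m["kind"]
    return verdicts


if __name__ == "__main__":
    # Replace SAMPLE_KUBECONFIG with json.load(sys.stdin) to audit a real file.
    print(json.dumps(audit(SAMPLE_KUBECONFIG), indent=2))
```

A context reported as iam-exec is the expected state after update-kubeconfig; anything static on an EKS endpoint means a credential was pasted in by hand and is not controlled by aws-auth or IAM key rotation.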

Run basic kubectl commands such as kubectl get nodes or kubectl get pods to test your access:

$ kubectl get pods
NAME READY STATUS RESTARTS AGE
external-dns-55553-l57vd 1/1 Running 0 8h

All done.

Ismail YENIGUL
