Add new user to manage AWS EKS
When you create an Amazon EKS cluster, the IAM entity (user or role) that creates the cluster is automatically granted system:masters permissions in the cluster's RBAC configuration. That creating identity is the only one mapped into the cluster until you edit the aws-auth ConfigMap, so keep its credentials available.
Do not create the cluster with the account's root user. Create an IAM user instead, or, if you are going to run the AWS CLI or a CloudFormation template from an EC2 instance, create an IAM role for that instance and let it create the cluster.
To grant additional AWS users or roles the ability to interact with your cluster, you must add the new user or role to the aws-auth ConfigMap in the kube-system namespace. Permissions inside the cluster come only from that mapping.
The IAM side is separate: for the new user to call the EKS API (list clusters, fetch the cluster endpoint with update-kubeconfig), create a policy like the one below and attach it to the user or the user's group. eks:* on all resources is more than this procedure needs; eks:DescribeCluster and eks:ListClusters are enough for the aws eks commands used here, and the policy grants nothing inside the cluster.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:*"
      ],
      "Resource": "*"
    }
  ]
}
Update the aws-auth ConfigMap using your current EKS admin user/role (the identity that created the cluster):
$ kubectl edit -n kube-system configmaps aws-auth
By default the output contains only a mapRoles section, which maps the node instance role:
apiVersion: v1
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxx:role/my-ec2-instance-role-eks-nodes
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
Add your newly created EKS admin user in a mapUsers section, in the following format. system:masters is cluster-admin; map a user into it only if that is what you intend.
  mapUsers: |
    - userarn: arn:aws:iam::xxx:user/ismailyenigul
      username: ismailyenigul
      groups:
        - system:masters
If you have a role ARN, from your own account or from a trusted account, add it to mapRoles with the rolearn key (the IAM role ARN, not the STS assumed-role ARN). Here is a complete aws-auth ConfigMap for a new user and a new role.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxx:role/my-ec2-instance-role-eks-nodes
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::xxx:role/eks-full-admin
      username: full-eks-master
      groups:
        - system:masters
  mapUsers: |
    - userarn: arn:aws:iam::xx:user/ismailyenigul
      username: ismailyenigul
      groups:
        - system:masters
Save and exit the editor. kubectl confirms the change:
$ kubectl edit -n kube-system configmaps aws-auth
configmap/aws-auth edited
Check the YAML carefully before saving: an indentation or syntax mistake in aws-auth breaks authentication for every identity mapped in it, and the cluster creator's credentials are what you would need to repair it.
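Hand-editing aws-auth with kubectl edit is where mistakes happen: a pasted STS assumed-role ARN, a role ARN with a path, a duplicate entry, or broken indentation. The script below is an added example, not part of the original post: it renders a mapUsers or mapRoles entry in the format shown above, rejects ARNs aws-auth will not match, refuses to add an ARN that is already mapped, and appends the entry to the live ConfigMap with a merge patch instead of an editor. It goes beyond the post's user example to cover role entries as well. The account ID 123456789012, the names alice and eks-admin, and the apply_map_entry helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): safely append an IAM user or
# role to the aws-auth ConfigMap of an EKS cluster.
set -eu

# Accept only IAM user/role ARNs of the form arn:aws:iam::<12-digit account>:<kind>/<name>.
# STS assumed-role ARNs (arn:aws:sts::...:assumed-role/...) are rejected, and
# role ARNs may not carry a path: aws-auth matches the path-less role ARN.
valid_iam_arn() {
  kind="$1"; arn="$2"
  case "$arn" in
    arn:aws:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:$kind/?*) ;;
    *) echo "not an IAM $kind ARN: $arn" >&2; return 1 ;;
  esac
  case "$kind:$arn" in
    role:*:role/*/*) echo "role ARNs in aws-auth must not include a path: $arn" >&2; return 1 ;;
  esac
  return 0
}

# Render one entry in the layout aws-auth expects (userarn for users, rolearn for roles).
render_map_entry() {
  kind="$1"; arn="$2"; username="$3"; group="$4"
  case "$kind" in
    user) key=userarn ;;
    role) key=rolearn ;;
    *) echo "kind must be user or role" >&2; return 1 ;;
  esac
  printf '%s\n' "- $key: $arn" "  username: $username" "  groups:" "    - $group"
}

# Append an entry to an existing mapUsers/mapRoles document (may be empty).
# Exact-matches the ARN against existing entries so a duplicate is never added.
append_map_entry() {
  current="$1"; kind="$2"; arn="$3"; username="$4"; group="$5"
  valid_iam_arn "$kind" "$arn" || return 1
  if printf '%s\n' "$current" | sed -n 's/^- [a-z]*arn: //p' | grep -qxF "$arn"; then
    echo "$arn is already mapped; edit the existing entry instead" >&2
    return 1
  fi
  entry="$(render_map_entry "$kind" "$arn" "$username" "$group")" || return 1
  if [ -n "$current" ]; then
    printf '%s\n%s\n' "$current" "$entry"
  else
    printf '%s\n' "$entry"
  fi
}

# Live update (hypothetical helper): read the current document from the cluster,
# append, and merge-patch only that key back. Run this with the cluster creator's
# credentials; the rendered document is validated before anything is sent.
apply_map_entry() {
  kind="$1"; arn="$2"; username="$3"; group="${4:-system:masters}"
  case "$kind" in user) datakey=mapUsers ;; role) datakey=mapRoles ;; *) return 1 ;; esac
  current="$(kubectl get configmap aws-auth -n kube-system -o jsonpath="{.data.$datakey}")"
  updated="$(append_map_entry "$current" "$kind" "$arn" "$username" "$group")"
  patch="$(mktemp)"
  {
    printf 'data:\n  %s: |\n' "$datakey"
    printf '%s\n' "$updated" | sed 's/^/    /'   # indent the block scalar under the key
  } > "$patch"
  kubectl patch configmap aws-auth -n kube-system --type merge --patch-file "$patch"
  rm -f "$patch"
}

# Example invocation (assumed account and names):
#   apply_map_entry user arn:aws:iam::123456789012:user/alice alice system:masters
#   apply_map_entry role arn:aws:iam::123456789012:role/eks-admin eks-admin system:masters
```

After the patch, verify from the new identity's credentials with aws sts get-caller-identity (the ARN it prints must be the one you mapped) and kubectl auth can-i '*' '*' (expected: yes for a system:masters mapping).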
The EKS cluster configuration is now complete. Next, set up the environment for your new EKS admin.
Install kubectl and aws-iam-authenticator on the laptop or instance from which you will manage EKS; installation instructions are available for each OS. The aws-iam-authenticator command must be in your PATH, and you need at least version 1.16.73 of the AWS CLI; otherwise the aws eks commands are not available.
Note: if you are running AWS CLI version 1.16.156 or later, you do not need to install the authenticator. Instead, kubectl can use the aws eks get-token command. For more information, see Create kubeconfig manually.
After installing kubectl, the AWS CLI and aws-iam-authenticator, create access keys (Access Key ID and Secret Access Key) for your IAM user and configure the AWS CLI with the new key. These keys now map to system:masters in the cluster, so treat them as cluster-admin credentials.
$ aws configure
AWS Access Key ID [****************NDFA]:
AWS Secret Access Key [****************X9qD]:
Default region name [us-west-1]:
Default output format [None]:
To test the user's IAM permissions, run aws eks list-clusters:
$ aws eks list-clusters
{
"clusters": [
"my-eks-cluster"
]
}
To create a kubeconfig for Amazon EKS, run the following command with your own region and cluster name:
$ aws eks update-kubeconfig --region us-west-1 --name my-eks-cluster
Updated context arn:aws:eks:us-west-1:49728xxxx:cluster/my-eks-cluster in /Users/ismailyenigul/.kube/config
Run basic kubectl commands such as kubectl get nodes or kubectl get pods to test your access. If you get "You must be logged in to the server (Unauthorized)", confirm with aws sts get-caller-identity that kubectl is using the ARN you mapped in aws-auth.
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
external-dns-55553-l57vd 1/1 Running 0 8h
All done.
Ismail YENIGUL