Add User to AWS EKS
When you create an Amazon EKS cluster, the IAM entity (user or role, such as a federated user) that creates the cluster is automatically granted system:masters permissions in the cluster's RBAC configuration.
To grant additional AWS users or roles the ability to interact with your cluster, you must edit the aws-auth ConfigMap within Kubernetes. The aws-auth ConfigMap can be found in the kube-system namespace.
To add an IAM user or role to an Amazon EKS cluster
1. Create an AWS IAM role/user with the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster"
      ],
      "Resource": "arn:aws:eks:*:*:cluster/<cluster-name>*"
    }
  ]
}
2. Open the aws-auth ConfigMap:
kubectl edit -n kube-system configmap/aws-auth
Example aws-auth ConfigMap:
apiVersion: v1
data:
  mapUsers: |
    - userarn: arn:aws:iam::555555555555:user/myiamuser
      username: my-user
      groups:
        - mygroup
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
Here you add your AWS IAM role/user, which is then mapped to a Kubernetes group.
Create a Kubernetes group
Caution: The prefix system: is reserved for Kubernetes system use, so you should ensure that you don't have groups with names that start with system: by accident. Other than this special prefix, the RBAC authorization system does not require any format for usernames.
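Because a mistake in this mapping is easy to make and hard to spot inside a ConfigMap edit, here is an added example (not from the original post) of a small lint that reads the mapUsers or mapRoles string and flags the problems discussed above: a malformed IAM user/role ARN, a missing username, and a group that uses the reserved system: prefix (system:masters in particular, since that is the cluster creator's full-access group). It assumes the block-style YAML layout shown above and runs on a constructed sample entry rather than a live cluster; the parser is a hypothetical helper written for this example, not an AWS or Kubernetes API.

```python
import re

# Constructed sample (not from the page): the string stored under data.mapUsers in aws-auth.
SAMPLE_MAP_USERS = """\
- userarn: arn:aws:iam::555555555555:user/myiamuser
  username: my-user
  groups:
    - mygroup
- userarn: arn:aws:iam::555555555555:user/ops-bob
  username: ops-bob
  groups:
    - system:masters
    - system:ops
"""
# IAM user/role ARN: 12-digit account id, then user/ or role/ and a (path-qualified) name.
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/[\w+=,.@/-]+$")


def parse_mappings(block):
    """Parse the block-style YAML subset used by mapUsers/mapRoles. Assumption: entries
    start with "- " at column 0, groups are indented "- name" lines, no flow syntax/quoting."""
    entries = []
    for raw in block.splitlines():
        line = raw.strip()
        if line.startswith("- ") and not raw.startswith(" "):  # column 0: new mapping entry
            entries.append({"arn": "", "username": "", "groups": []})
            line = line[2:]
        elif line.startswith("- "):                              # indented: a group name
            entries[-1]["groups"].append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        if key.strip() in ("userarn", "rolearn"):
            entries[-1]["arn"] = value.strip()
        elif key.strip() == "username":
            entries[-1]["username"] = value.strip()
    return entries


def lint_mappings(block):
    """Return one finding per problem; an empty list means the block is clean."""
    findings = []
    for e in parse_mappings(block):
        who = e["arn"] or "<missing arn>"
        if not ARN_RE.match(e["arn"]):
            findings.append(f"{who}: malformed IAM user/role ARN")
        if not e["username"]:
            findings.append(f"{who}: missing username")
        for g in e["groups"]:
            if g == "system:masters":
                findings.append(f"{who}: maps to system:masters (full cluster access)")
            elif g.startswith("system:"):
                findings.append(f"{who}: group {g!r} uses the reserved prefix system:")
    return findings
```

Run lint_mappings on the value of data.mapUsers (or data.mapRoles) taken from kubectl get -n kube-system configmap/aws-auth -o yaml before saving an edit; on the sample it reports the two system: groups of ops-bob and nothing for my-user.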
In our aws-auth ConfigMap we referenced the group mygroup, so let's see how to create this group.
Kubernetes groups have no real existence as objects, which means we cannot list them with "kubectl get group".
So to create a Kubernetes group we create a RoleBinding/ClusterRoleBinding that refers to it, as in the example below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
  - kind: Group
    name: mygroup
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
When we apply this manifest we get a Kubernetes group named mygroup, which can then be used in the aws-auth ConfigMap.
Accessing the EKS cluster
Now the EKS cluster configuration is complete. You can continue by setting up the environment for your new EKS user "my-user", which will have the set of privileges in the EKS cluster granted to the defined group.
Install kubectl, awscli and aws-iam-authenticator on your system. The official AWS documentation has installation instructions for these tools for your OS.
After you have installed kubectl, awscli and aws-iam-authenticator, create access keys (Access Key ID and Secret Access Key) for your IAM user and configure the AWS CLI to use them.
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLEID
AWS Secret Access Key [None]: wJalrXUtnFE7MDEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
Now create a kubeconfig for the cluster by running the following command:
aws eks update-kubeconfig --region <your-region> --name <EKS-cluster-name>
Now you can run kubectl commands to test access.
If you have followed this guide, your user only has access to Kubernetes Secrets (get, watch and list, as granted by the secret-reader ClusterRole).