How To Allow IAM User To Access EKS Resources


Hi Reader, in this blog we are going to learn how to allow an AWS IAM user to access EKS resources from the AWS Console. When you create an EKS cluster, by default EKS does not allow other IAM users to view its resources in the AWS Console. So we are going to find out how an IAM user can be granted access to EKS resources.

When you try to view the cluster's resources from the AWS Console as such a user, you will see an error like the one in the image below:

AWS Authenticator

AWS IAM Authenticator is a component that resides inside the EKS cluster's control plane and enables authentication using AWS IAM identities such as users and roles. If you want to access your EKS cluster as an IAM user, this is enabled through the AWS IAM Authenticator. Its configuration lives on the control plane (master node) as the aws-auth ConfigMap in the kube-system namespace. You have to add the user's ARN to this ConfigMap to allow the user to access your cluster.

Default Configmap

The default ConfigMap manifest looks like this:
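The manifest below is an added reconstruction of what a freshly created cluster's aws-auth ConfigMap contains; it is not a screenshot from the original post. The account ID and role name are placeholders, and the role name is whatever your node group's instance role is actually called:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  # mapRoles is a YAML string (note the "|"), so the API server does not
  # validate its contents; an indentation mistake here silently breaks auth.
  mapRoles: |
    # Node instance role: lets worker nodes join the cluster and register
    # themselves. Do not remove or reindent this entry, or nodes fail to join.
    - rolearn: arn:aws:iam::111122223333:role/NodeInstanceRole-PLACEHOLDER
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
```

The IAM identity that created the cluster is not listed here; it is granted cluster-admin access implicitly, which is why only the creator can see the cluster in the console until other identities are mapped.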

The above file is the default aws-auth ConfigMap, in which only the node instance role is mapped, so only the worker nodes have access to the cluster through it.

Allow IAM User To Access EKS Resources

To allow users to access the EKS cluster, we need to add the user's ARN to the aws-auth ConfigMap, which is deployed on the EKS control plane in the kube-system namespace. Use the command below to edit the ConfigMap:

$ kubectl edit configmap aws-auth -n kube-system

Requirements:

  • Make sure the user you are signed in to the AWS Management Console as, or the role you switch to once signed in, has the required minimum IAM and Kubernetes permissions.
  • userarn: The ARN of the IAM user to add.
  • username: The user name within Kubernetes to map to the IAM user.
  • groups: The Kubernetes groups to map the user to. You can map a user to a list of groups. A group can be a default group or a group specified in a ClusterRoleBinding or RoleBinding. For more information, see Default Roles and Role Bindings in the Kubernetes documentation.

Save the ConfigMap and the user will be able to access EKS resources from the console. I have added the user to the system:basic-user group, which allows a user read-only access to basic information about themselves. You can add a user to multiple groups.
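As a worked example of the edit described above and of the "group specified in a ClusterRoleBinding" option, here is an aws-auth ConfigMap with a mapUsers entry added, followed by a read-only ClusterRole and ClusterRoleBinding for that group. This is added example configuration, not the author's ConfigMap: the account ID, the user name alice, the role name, and the group and role names eks-console-viewers / eks-console-viewer are placeholders I chose for illustration.

```yaml
# What "kubectl edit configmap aws-auth -n kube-system" should look like
# after the edit. The existing mapRoles entry stays exactly as it was.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/NodeInstanceRole-PLACEHOLDER
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  mapUsers: |
    # One entry per IAM user. "username" is the identity Kubernetes sees in
    # RBAC decisions and audit logs, so keep it distinct per IAM user.
    - userarn: arn:aws:iam::111122223333:user/alice   # placeholder ARN
      username: alice
      groups:
        - system:basic-user     # built-in: self-information only
        - eks-console-viewers   # custom group, bound to a ClusterRole below
---
# Read-only ClusterRole for the custom group. Secrets are deliberately
# left out: "list" on secrets returns their contents.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: eks-console-viewer
rules:
  - apiGroups: [""]
    resources: ["namespaces", "nodes", "pods", "services", "events", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "statefulsets", "replicasets"]
    verbs: ["get", "list", "watch"]
---
# Binds the Kubernetes group named in mapUsers to the ClusterRole above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks-console-viewers
subjects:
  - kind: Group
    name: eks-console-viewers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: eks-console-viewer
  apiGroup: rbac.authorization.k8s.io
```

The first document is what you paste into the kubectl edit session; the two RBAC documents are applied separately with kubectl apply -f. Because mapUsers is a string block, the API server accepts it even when the indentation inside it is wrong, so after saving, read it back with kubectl get configmap aws-auth -n kube-system -o yaml and confirm the entry parsed the way you intended. You can then check the effective permissions without signing in as the user, for example kubectl auth can-i list pods --as alice --as-group eks-console-viewers, and confirm that the same command for secrets is denied. Note that system:basic-user on its own only lets a user query their own permissions; viewing workloads in the console requires a binding like the one above, plus the IAM permissions (such as describing and listing clusters) that the console itself needs.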

Reference: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

Conclusion

In this blog, we learned how to give an IAM user permission to access your EKS cluster. By default, EKS doesn't allow other AWS IAM users to access the cluster's resources; it only allows the IAM user who created the EKS cluster. I hope you liked this blog. Thank you.

Written by 

Jubair Ahmad is a Software Consultant (DevOps) at Knoldus Inc. He loves learning new technology and also has an interest in playing cricket.