1. Access EKS when using AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
(anyone holding the access key and secret of an IAM identity that is mapped in the cluster's aws-auth configmap, which includes the IAM identity that created the cluster, needs nothing more than the keys themselves; this is also why those keys should not be handed around, see section 2)
$ export AWS_ACCESS_KEY_ID=
$ export AWS_SECRET_ACCESS_KEY=
$ export KUBECONFIG=~/.kube/config...
2. Access EKS without AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
(for user 'xyz' who must not be given the cluster creator's key and secret, do this; 'xyz' still authenticates to AWS with their own IAM credentials, such as their own keys, a named profile or SSO, and the aws-auth configmap maps that IAM identity to a Kubernetes user)
2.1. Ask the admin to update aws-auth-cm.yaml to add the 'xyz' user under mapUsers in the aws-auth configmap. The entry needs the IAM user ARN (see 3.1), the Kubernetes username it maps to, and the Kubernetes groups it joins:
mapUsers: |
  - userarn: arn:aws:iam::226347999999:user/xyz
    username: xyz
    groups:
      - system:masters
Note that system:masters is cluster-admin and bypasses RBAC entirely; for anyone who is not a cluster administrator, use a dedicated group name here and bind that group to a Role or ClusterRole instead. Also take care with the configmap as a whole: a malformed aws-auth, or one that drops the node role under mapRoles, stops worker nodes from registering and can lock everyone except the cluster creator out, so edit the existing object rather than applying a file written from scratch.
2.2. Ask the admin to run: kubectl apply -f aws-auth-cm.yaml
2.3. In the command line window of user 'xyz', point kubectl at the cluster:
$ export KUBECONFIG=~/.kube/config...
2.4. Now user 'xyz' should be able to run:
$ kubectl get pod
** To add a role (instead of a user), add an entry to the configmap file under 'mapRoles'; the fields are the same except that the ARN key is rolearn:
- rolearn: arn:aws:iam::853899999999:role/test-role
  username: aws
  groups:
    - system:masters
Anyone who can assume that role (through STS AssumeRole, an EC2 instance profile or a Lambda execution role) then gets the mapped groups, so review the role's trust policy before mapping it, especially into system:masters.
3. Useful commands
3.1. Get the caller identity (the ARN the admin needs for the aws-auth entry)
$ aws sts get-caller-identity
Sample result:
{
    "Account": "226347999999",
    "UserId": "AIDATJM2ZIW2LLLLLLLLL",
    "Arn": "arn:aws:iam::226347999999:user/jzeng"
}
Run this as the identity to be added. If the call is made through an assumed role, the Arn is an STS assumed-role ARN; the matching mapRoles entry must then use the underlying IAM role ARN (arn:aws:iam::ACCOUNT:role/NAME), not the assumed-role ARN.
3.2. Find who can access EKS (which IAM identities are mapped into the cluster)
$ kubectl describe configmap aws-auth -n kube-system
Sample result:
Name:         aws-auth
Namespace:    kube-system
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"v1","data":{"mapRoles":"- rolearn: arn:aws:iam::853844999999:role/co-ec-eks-node-iam-role-vpc-078a850cd7eeeeeee\n username...

Data
====
mapUsers:
----
- userarn: arn:aws:iam::226347999999:user/jzeng
  username: jzeng
  groups:
    - system:masters

mapRoles:
----
- rolearn: arn:aws:iam::853844999999:role/co-ec-eks-node-iam-role-vpc-078a850cd7eeeeeee
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
Two caveats when reading this: the IAM identity that created the cluster has system:masters but never appears in aws-auth, so the configmap is not a complete list of cluster admins; and the mapRoles entry for the node IAM role (groups system:bootstrappers and system:nodes) is what lets worker nodes join, so it must never be removed while editing.
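The two procedures above, adding an IAM user to aws-auth (section 2) and listing who is mapped into the cluster (3.2), as an added example that is not part of the original post and not an AWS tool: a standard-library Python script that reads the JSON form of the configmap, lists every ARN mapped into system:masters, and builds a merge patch that appends one user without touching mapRoles. The group name eks-viewers, the IAM user xyz and the SAMPLE_CM input are constructed for illustration (SAMPLE_CM mirrors the describe output above); eks-viewers only grants anything once a RoleBinding or ClusterRoleBinding for that group exists.

```python
"""Audit and extend an EKS aws-auth ConfigMap, fed from:
   kubectl get configmap aws-auth -n kube-system -o json"""
import json
import re

ADMIN_GROUP = "system:masters"  # bypasses RBAC entirely: cluster-admin
# aws-auth blocks are a flat YAML list of mappings with scalar fields plus a `groups`
# list, so three regexes cover them; this is not a general YAML parser.
ENTRY = re.compile(r"^-\s+([A-Za-z]+):(?:\s+(.*))?$")  # "- userarn: arn:..."
FIELD = re.compile(r"^([A-Za-z]+):(?:\s+(.*))?$")      # "username: xyz" / "groups:"
ITEM = re.compile(r"^-\s+(\S+)$")                       # "- system:masters"
# IAM user ARN in any partition (aws, aws-cn, aws-us-gov); STS assumed-role ARNs fail.
USER_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::\d{12}:user/[\w+=,.@/-]+$")


def parse_mappings(block):
    """Parse one mapUsers/mapRoles block into dicts (ARN field first, as AWS writes it)."""
    entries, cur, in_groups = [], None, False
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m:  # a new mapping starts
            cur = {m.group(1): m.group(2)}
            entries.append(cur)
            in_groups = False
            continue
        m = FIELD.match(line)
        if m and cur is not None:
            key, value = m.group(1), m.group(2)
            in_groups = key == "groups" and value is None
            if in_groups:
                cur["groups"] = []
            else:
                cur[key] = value
            continue
        m = ITEM.match(line)
        if m and in_groups:
            cur["groups"].append(m.group(1))
            continue
        raise ValueError(f"unsupported aws-auth line: {raw!r}")
    return entries


def load_aws_auth(configmap):
    """Accept the ConfigMap as a JSON string or an already-decoded dict."""
    data = (json.loads(configmap) if isinstance(configmap, str) else configmap).get("data", {})
    return {"mapUsers": parse_mappings(data.get("mapUsers", "")),
            "mapRoles": parse_mappings(data.get("mapRoles", ""))}


def cluster_admins(configmap):
    """ARNs mapped into system:masters. Lower bound only: the IAM identity that
    created the cluster has system:masters but never appears in aws-auth."""
    auth = load_aws_auth(configmap)
    found = []
    for kind, arn_key in (("mapUsers", "userarn"), ("mapRoles", "rolearn")):
        found += [e[arn_key] for e in auth[kind] if ADMIN_GROUP in e.get("groups", [])]
    return found


def render_mappings(entries, arn_key):
    """Serialise mappings back into the block-style YAML aws-auth expects."""
    out = []
    for e in entries:
        out += [f"- {arn_key}: {e[arn_key]}", f"  username: {e['username']}"]
        if e.get("groups"):
            out += ["  groups:"] + [f"    - {g}" for g in e["groups"]]
    return "\n".join(out) + ("\n" if out else "")


def add_user(configmap, userarn, username, groups, allow_admin=False):
    """JSON merge patch that appends one user and leaves mapRoles (the node role!) alone.
    Apply with: kubectl patch configmap aws-auth -n kube-system --type merge -p '<json>'"""
    if not USER_ARN.match(userarn):
        raise ValueError(f"not an IAM user ARN: {userarn}")
    if ADMIN_GROUP in groups and not allow_admin:
        raise ValueError(f"{ADMIN_GROUP} is cluster-admin; pass allow_admin=True if intended")
    auth = load_aws_auth(configmap)
    if any(e.get("userarn") == userarn for e in auth["mapUsers"]):
        raise ValueError(f"{userarn} is already mapped")
    users = auth["mapUsers"] + [{"userarn": userarn, "username": username, "groups": list(groups)}]
    return {"data": {"mapUsers": render_mappings(users, "userarn")}}


# Constructed sample shaped like the describe output above; not a real cluster.
SAMPLE_CM = json.dumps({"apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "aws-auth", "namespace": "kube-system"},
    "data": {
        "mapRoles": "- rolearn: arn:aws:iam::853844999999:role/co-ec-eks-node-iam-role-vpc-078a850cd7eeeeeee\n"
                    "  username: system:node:{{EC2PrivateDNSName}}\n  groups:\n"
                    "    - system:bootstrappers\n    - system:nodes\n",
        "mapUsers": "- userarn: arn:aws:iam::226347999999:user/jzeng\n  username: jzeng\n"
                    "  groups:\n    - system:masters\n"}})

if __name__ == "__main__":
    import sys
    cm = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CM
    print("system:masters via aws-auth:", cluster_admins(cm))
    print(json.dumps(add_user(cm, "arn:aws:iam::226347999999:user/xyz", "xyz", ["eks-viewers"])))
```

Against a live cluster, save the configmap first (kubectl get configmap aws-auth -n kube-system -o json > aws-auth.json), run the script on that file, and feed the printed patch to kubectl patch with --type merge. A merge patch replaces only data.mapUsers, which is the point: the node role under mapRoles is never rewritten, and the script refuses duplicate mappings, non-IAM-user ARNs such as STS assumed-role ARNs, and system:masters unless the caller asks for it explicitly.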
3.3. Get an access token
$ aws-iam-authenticator token -i {eks_cluster_name}
This is the same presigned STS token that kubectl's exec credential plugin fetches on every call; with a current AWS CLI, aws eks get-token --cluster-name {eks_cluster_name} returns the equivalent token without installing aws-iam-authenticator. The token is short-lived (the presigned request expires within 15 minutes) and carries exactly the permissions the aws-auth mapping grants to the IAM identity that produced it.
Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/amazon-eks-cluster-access/