Post

Add additional IAM users/roles to EKS ConfigMap

Posted Updated
By Senad Dizdarević 2 min read

To add additional IAM users to an Amazon Elastic Kubernetes Service (EKS) cluster’s ConfigMap, you typically use the aws-auth ConfigMap to define the IAM roles or users that are authorized to interact with the cluster. Here are the steps to add IAM users to the aws-auth ConfigMap:

  1. Create IAM Group, Role and User:
    • Create IAM group, role or user that you want to associate with your EKS cluster.
    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

    NAME="<name>"
    
ACCOUNT_ID=$(aws sts get-caller-identity --output text --query Account --no-cli-pager)
POLICY=$(echo -n '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::'; echo -n     "$ACCOUNT_ID"; echo -n ':root"},"Action":"sts:AssumeRole","Condition":{}}]}')
    
aws iam create-role \
  --role-name "$NAME" \
  --description "EKS role." \
  --assume-role-policy-document "$POLICY" \
  --output text \
  --query 'Role.Arn' \
  --no-cli-pager 
    
aws iam create-group --group-name "$NAME" --no-cli-pager

ADMIN_GROUP_POLICY=$(echo -n '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeOrganizationAccountRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::'; echo -n "$ACCOUNT_ID"; echo -n ':role/'"$NAME"'-eks-admin"
    }
  ]
}')

aws iam put-group-policy \
  --group-name "$NAME"-eks-admin \
  --policy-name "$NAME"-eks-admin-policy \
  --policy-document "$ADMIN_GROUP_POLICY" \
  --no-cli-pager 

aws iam create-user --user-name "$NAME" --no-cli-pager
aws iam add-user-to-group --group-name "$NAME" --user-name "$NAME"

  2. Associate IAM Roles/Users with the EKS Cluster:

    • To edit the aws-auth ConfigMap, you must log in as an EKS cluster administrator user. Then, you can use the kubectl edit command or create a YAML file to apply changes.
      1

      kubectl get configmap aws-auth -n kube-system -o yaml > aws-auth-cm.yaml

      Get current ConfigMap from EKS

  3. Edit the aws-auth ConfigMap:
    • Here’s an example of a YAML file to associate an IAM user with your EKS cluster:

    aws-auth-cm.yaml

    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

    apiVersion: v1
kind: ConfigMap
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::123456789012:user/your-iam-user
      username: your-eks-username-1
    - groups:
      - system:masters
      rolearn: arn:aws:iam::123456789012:user/your-iam-user-2
      username: your-eks-username-2
    []
metadata:
  name: aws-auth
  namespace: kube-system

    Replace arn:aws:iam::123456789012:user/your-iam-user with the actual IAM user ARN you want to associate with your cluster and your-eks-username with the desired Kubernetes username.

  4. Apply the ConfigMap:
    • If you’ve created the YAML file as shown above, you can apply it using the kubectl apply command:
      1

      kubectl apply -f aws-auth-cm.yaml

      If you used kubectl edit, save the changes.

  5. Test Access:
    • After applying the ConfigMap, the IAM user should have access to your EKS cluster as specified in the aws-auth ConfigMap.
      1

      kubectl get pods -A

Please make sure that the IAM user or role you associate with your EKS cluster has the necessary permissions for the actions they need to perform within the cluster.

Remember that IAM roles should be used for worker nodes (for nodes to access AWS services), while IAM users are typically used for cluster administration purposes. Be cautious when granting extensive permissions to IAM users, especially those mapped to system:masters, as they will have full control over the cluster. Always follow the principle of least privilege for security.

EKS, EKS Basics
aws eks
This post is licensed under CC BY 4.0 by the author.

Comments powered by Disqus.