Create AWS IAM Role for accessing the EKS namespace

This guide delves into the essential process of creating an AWS IAM Role tailored specifically for accessing an EKS namespace. By following the steps outlined in this tutorial, you’ll gain a comprehensive understanding of how to set up fine-grained access control, enhancing the security and manageability of your Kubernetes workloads on AWS EKS.

1. Create the IAM Role

  • Create a policy that grants sts:AssumeRole on the role, and attach it to the IAM principal that will assume the role:

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/YOUR_ROLE_NAME"
        }
      ]
    }
    ```
  • Update the Trust Relationship of the Role. An IAM group cannot be used as the Principal of a trust policy (AWS rejects it as an invalid principal), so name the IAM user or role that is allowed to assume this role:

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_USER_NAME"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    ```

2. Retrieve the existing aws-auth ConfigMap.

```bash
kubectl get configmap aws-auth -n kube-system -o yaml > aws-auth-cm.yaml
```

3. Edit aws-auth-cm.yaml to add your role mapping. Append the new entry to the existing mapRoles list rather than replacing it: the file you retrieved already contains the worker node role mapping, and dropping it locks the nodes out of the cluster. The username value is the identity Kubernetes RBAC will see for this role.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::YOUR_ACCOUNT_ID:role/YOUR_ROLE_NAME
      username: YOUR_ROLE_NAME
      groups:
        - system:authenticated
```

4. Apply the updated ConfigMap:

```bash
kubectl apply -f aws-auth-cm.yaml
```

5. Set up Kubernetes RBAC.

  • namespace-role.yaml:

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: YOUR_NAMESPACE
      name: namespace-role
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get", "list", "watch"]  # Adjust the permissions as needed
    ```
  • namespace-rolebinding.yaml. The subject name must be the username mapped in aws-auth (YOUR_ROLE_NAME above), not the IAM role ARN; RBAC matches on the mapped username, so a subject naming the ARN would never match:

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: namespace-rolebinding
      namespace: YOUR_NAMESPACE
    subjects:
    - kind: User
      name: YOUR_ROLE_NAME
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role
      name: namespace-role
      apiGroup: rbac.authorization.k8s.io
    ```

6. Apply changes to the EKS cluster

```bash
kubectl apply -f namespace-role.yaml
kubectl apply -f namespace-rolebinding.yaml
```
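Before applying, the pieces have to agree with each other: the rolearn in aws-auth, the username it emits, and the subject in the RoleBinding, while the node mapping survives and the role is not accidentally placed in system:masters. The check below is an added example, not part of the original post; it assumes the two manifests have already been parsed into dicts (for instance with yaml.safe_load) and uses constructed sample data with a placeholder account id.

```python
from typing import Dict, List

# Constructed sample: the parsed data.mapRoles list of aws-auth. The first entry is
# the worker node mapping that must survive the edit; the second is the new role.
MAP_ROLES: List[Dict] = [
    {"rolearn": "arn:aws:iam::111122223333:role/eks-node-role",
     "username": "system:node:{{EC2PrivateDNSName}}",
     "groups": ["system:bootstrappers", "system:nodes"]},
    {"rolearn": "arn:aws:iam::111122223333:role/YOUR_ROLE_NAME",
     "username": "YOUR_ROLE_NAME",
     "groups": ["system:authenticated"]},
]

# Constructed sample: the parsed namespace-rolebinding.yaml from the post.
ROLE_BINDING: Dict = {
    "kind": "RoleBinding",
    "metadata": {"name": "namespace-rolebinding", "namespace": "YOUR_NAMESPACE"},
    "subjects": [{"kind": "User", "name": "YOUR_ROLE_NAME",
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "namespace-role",
                "apiGroup": "rbac.authorization.k8s.io"},
}


def check_mapping(map_roles: List[Dict], binding: Dict, role_arn: str) -> List[str]:
    """Return findings for one IAM role; an empty list means the chain is consistent."""
    findings = []
    # Without a system:node mapping, applying the ConfigMap breaks node
    # authentication for the whole cluster, so check that first.
    if not any(e.get("username", "").startswith("system:node:") for e in map_roles):
        findings.append("aws-auth has no system:node mapping; worker nodes would lose access")
    entry = next((e for e in map_roles if e.get("rolearn") == role_arn), None)
    if entry is None:
        findings.append(f"{role_arn} is not mapped in aws-auth; API calls fail authentication")
        return findings
    groups = set(entry.get("groups", []))
    if "system:masters" in groups:
        findings.append("role is mapped to system:masters; the namespace Role is bypassed")
    # RBAC matches on the exact username/groups that aws-auth emits, not on the ARN.
    subjects = binding.get("subjects", [])
    bound_users = {s.get("name", "") for s in subjects if s.get("kind") == "User"}
    bound_groups = {s.get("name", "") for s in subjects if s.get("kind") == "Group"}
    if entry.get("username") not in bound_users and not (bound_groups & groups):
        findings.append(
            f"RoleBinding subjects {sorted(bound_users | bound_groups)} match neither "
            f"username {entry.get('username')!r} nor groups {sorted(groups)}")
    return findings
```

Running check_mapping with the post's original RoleBinding (subject name set to the role ARN) reports the username mismatch, and running it with the node entry removed reports the lockout.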

This post is licensed under CC BY 4.0 by the author.
