In the previous article, you learned how to set up Kubernetes authentication using IAM users, but as mentioned there, mapping IAM users directly into the cluster should be reserved for break-glass or automation purposes. In this article, we explain how to set up EKS authentication using IAM roles: we create an IAM role that selected IAM users are allowed to assume, and we add that role to the cluster's aws-auth ConfigMap. When users want to connect to the cluster, they assume the role and authenticate with the role's temporary credentials instead of their own user identity.

Follow our social media:

https://www.linkedin.com/in/ssbostan

https://www.linkedin.com/company/kubedemy

https://www.youtube.com/@kubedemy

https://telegram.me/kubedemy


Why IAM Roles over IAM Users?

Using IAM roles puts a layer of abstraction between individuals and clusters. The cluster only knows the role; who may assume it is decided by the role's trust policy. If an engineer leaves the team, we remove their IAM user and its principal from the trust policy, and their access to every cluster that maps the role is gone. We don't need to change anything inside the clusters or update the aws-auth ConfigMap in each of them one by one. Two caveats apply. First, temporary credentials already issued by sts:AssumeRole stay valid until they expire (up to the role's maximum session duration, one hour by default), so removing a principal from the trust policy does not end an active session immediately. Second, everyone who assumes the role shares one mapping, so individual attribution comes from the session, not the role: CloudTrail records the AssumeRole call with its session name, and the username template used in Step 4 carries the session name and access key id into the Kubernetes audit log.

EKS Authentication with IAM Role setup procedure:

  • Create a new IAM user and access key.
  • Create a new IAM role to be assumed by cluster admins.
  • Attach EKS DescribeCluster permission to the role.
  • Add IAM role configuration to the aws-auth configmap.
  • Create a new AWS CLI profile to assume the role.
  • Update the Kubeconfig file and access the cluster.

Step 1 – Create IAM User and Access Key:

Read the following article to create the IAM user that will authenticate to the cluster by assuming the role. Note that you only need to create the IAM user and its access key. Don't attach eks:DescribeCluster or any other permissions to the user itself; the role will carry them.

AWS EKS – Part 18 – Kubernetes Authentication with AWS IAM Users

aws iam create-user \
  --user-name kubedemy \
  --tags Key=owner,Value=kubedemy

aws iam create-access-key \
  --user-name kubedemy

Step 2 – Create IAM role for EKS Authentication:

To create an IAM role that our engineers (the Kubernetes admins) can assume, we must write a trust policy that lists their IAM user ARNs as principals allowed to call sts:AssumeRole. After that, we attach the required permissions to the role, not to the users. Keep in mind that if a user named in the trust policy is deleted, IAM replaces its ARN in the policy with the user's unique ID; recreating a user with the same name does not restore access until you edit the trust policy again.

cat <<EOF > kubernetes-admin-trust-policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::231144931069:user/kubedemy"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
EOF

aws iam create-role \
  --role-name Kubedemy_EKS_KubernetesAdmin \
  --assume-role-policy-document file://kubernetes-admin-trust-policy.json \
  --tags Key=owner,Value=kubedemy

Step 3 – Attach EKS DescribeCluster permission:

Attach the following permission to the IAM role so that it can run the aws eks update-kubeconfig command, which calls eks:DescribeCluster to fetch the cluster's API endpoint and CA certificate. Skip this step if you intend to write the kubeconfig yourself and use aws eks get-token, which only calls STS and needs no EKS permission.

cat <<EOF > describe-kubedemy-cluster.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "arn:aws:eks:eu-west-2:231144931069:cluster/kubedemy",
            "Action": "eks:DescribeCluster"
        }
    ]
}
EOF

aws iam put-role-policy \
  --role-name Kubedemy_EKS_KubernetesAdmin \
  --policy-name Describe_Kubedemy_Cluster \
  --policy-document file://describe-kubedemy-cluster.json

Step 4 – Configure AWS EKS Authentication:

To grant cluster access to anyone who assumes the role, map the IAM role to a Kubernetes username and a set of groups in the aws-auth ConfigMap in the kube-system namespace. If the cluster has no worker nodes yet, the ConfigMap does not exist and you must create it. If it already exists, keep the existing mapRoles entries for the worker-node instance roles when you rewrite it: kubectl apply replaces the whole mapRoles value, and dropping the node role breaks node registration. Two more points: the rolearn must be the role ARN without a path, and system:masters is cluster-admin and bypasses RBAC entirely, so a mistake in this file can grant far too much or lock you out. The {{AccessKeyID}} and {{SessionName}} placeholders in the username are filled in by the authenticator per session, which is what keeps each engineer's actions attributable in the audit log even though they share one role.

cat <<EOF > aws-auth.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  # Remember to keep worker nodes configurations.
  mapRoles: |
    - rolearn: arn:aws:iam::231144931069:role/Kubedemy_EKS_KubernetesAdmin
      username: admin:{{AccessKeyID}}:{{SessionName}}
      groups:
        - system:masters
EOF

To apply it to the cluster, run the following command:

kubectl apply -f aws-auth.yaml

Step 5 – Configure AWS CLI to assume IAM Role:

You must create a new profile in the AWS CLI config file that assumes the role, so that every AWS API call made through that profile carries the role's permissions. The profile below uses source_profile = default, so the long-term access key of the IAM user from Step 1 must be stored in the default profile (or point source_profile at whichever profile holds it). Use the following command to add the profile to your existing AWS CLI configuration.

cat <<EOF >> ~/.aws/config
[profile KubernetesAdmin]
role_arn = arn:aws:iam::231144931069:role/Kubedemy_EKS_KubernetesAdmin
source_profile = default
region = eu-west-2
output = json
EOF

Step 6 – Create Kubeconfig and Access the cluster:

Use the following commands to update the kubeconfig file and check your access. Because update-kubeconfig is run with the KubernetesAdmin profile, the generated kubeconfig's exec section tells kubectl to call aws eks get-token with that profile, so the role is assumed on every request. kubectl auth whoami (available on Kubernetes 1.27 and later) should print the username from the mapping with the placeholders filled in, and system:masters among the groups; that is your proof that you hold cluster-admin through the assumed role.

aws --profile KubernetesAdmin eks update-kubeconfig --name kubedemy

kubectl auth whoami
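The two hazards in Step 4 (overwriting the worker-node mapping, and a role ARN with a path) and the check in Step 6 can be exercised offline. The following Python script is an added example written for this article, not code from the original post or from AWS: it merges the Kubedemy_EKS_KubernetesAdmin mapping into an existing aws-auth ConfigMap without discarding the node entry that a plain kubectl apply would overwrite, rejects a role ARN that carries a path, and then mimics the authenticator's lookup to show which username and groups a caller who assumed the role ends up with, which is what kubectl auth whoami should report. The sample ConfigMap, the node instance role name, the STS session name and the access key id are constructed; the parser only understands the flat mapRoles shape EKS uses, and mapUsers entries are ignored.

```python
"""Added example (not from the original article): merge a mapRoles entry into
an existing aws-auth ConfigMap without dropping the worker-node mapping, then
show the Kubernetes identity the authenticator assigns to an assumed-role caller.
Standard library only."""
import json
import re

# Constructed sample of `kubectl get configmap aws-auth -n kube-system -o json`
# on a cluster that already has one node group. The node instance role name is
# an assumption; EKS writes this entry itself when nodes join.
EXISTING_AWS_AUTH_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "aws-auth", "namespace": "kube-system"},
    "data": {"mapRoles": (
        "- groups:\n"
        "  - system:bootstrappers\n"
        "  - system:nodes\n"
        "  rolearn: arn:aws:iam::231144931069:role/eksctl-kubedemy-nodegroup-NodeInstanceRole\n"
        "  username: system:node:{{EC2PrivateDNSName}}\n"
    )},
})

# Plain IAM role ARN: account id, "role/", bare role name. A "/" inside the name
# part means the ARN carries a path, which aws-auth does not accept.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@-]+)$")
# The ARN STS reports for a caller that assumed a role.
ASSUMED_ROLE_ARN_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)$")


def parse_map_roles(text):
    """Parse the mapRoles YAML list. Only the flat shape EKS uses is supported:
    scalar rolearn/username keys and a groups list of scalars, any key order."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("- "):               # start of a new list entry
            current = {"groups": []}
            entries.append(current)
            line = raw[2:].strip()
        else:
            line = raw.strip()
        if current is None:
            raise ValueError("mapRoles must be a YAML list")
        if line.startswith("- "):              # item of the groups list
            current["groups"].append(line[2:].strip())
        elif line != "groups:":
            key, _, value = line.partition(":")  # split at the first colon only
            current[key.strip()] = value.strip()
    return entries


def dump_map_roles(entries):
    lines = []
    for e in entries:
        lines += [f"- rolearn: {e['rolearn']}", f"  username: {e['username']}", "  groups:"]
        lines += [f"    - {g}" for g in e["groups"]]
    return "\n".join(lines) + "\n"


def add_role_mapping(configmap, rolearn, username, groups):
    """Return the ConfigMap (dict or JSON string) with one more mapRoles entry,
    keeping every existing entry such as the worker-node instance role."""
    if not ROLE_ARN_RE.match(rolearn):
        raise ValueError(f"rolearn must be an IAM role ARN without a path: {rolearn}")
    cm = json.loads(configmap) if isinstance(configmap, str) else json.loads(json.dumps(configmap))
    entries = parse_map_roles(cm.get("data", {}).get("mapRoles", ""))
    if any(e.get("rolearn") == rolearn for e in entries):
        raise ValueError(f"{rolearn} is already mapped")
    # system:masters is cluster-admin and bypasses RBAC; grant it deliberately.
    entries.append({"rolearn": rolearn, "username": username, "groups": list(groups)})
    cm.setdefault("data", {})["mapRoles"] = dump_map_roles(entries)
    return cm


def mapped_identity(cm, caller_arn, access_key_id=None):
    """Mimic the authenticator's lookup for an assumed-role caller: reduce the
    STS ARN to the IAM role ARN (session dropped), match it against mapRoles,
    and fill in the username template placeholders. mapUsers is not consulted."""
    m = ASSUMED_ROLE_ARN_RE.match(caller_arn)
    if not m:
        return None
    account, role, session = m.groups()
    canonical = f"arn:aws:iam::{account}:role/{role}"
    for e in parse_map_roles(cm["data"]["mapRoles"]):
        if e.get("rolearn") != canonical:
            continue
        username = e["username"].replace("{{AccountID}}", account)
        username = username.replace("{{SessionName}}", session.replace("@", "-"))
        username = username.replace("{{SessionNameRaw}}", session)
        if access_key_id:
            username = username.replace("{{AccessKeyID}}", access_key_id)
        return {"username": username, "groups": list(e["groups"])}
    return None


if __name__ == "__main__":
    updated = add_role_mapping(EXISTING_AWS_AUTH_JSON,
                               "arn:aws:iam::231144931069:role/Kubedemy_EKS_KubernetesAdmin",
                               "admin:{{AccessKeyID}}:{{SessionName}}", ["system:masters"])
    print(updated["data"]["mapRoles"])
    # Constructed caller: the AWS CLI profile from Step 5 names its sessions
    # "botocore-session-<epoch>"; the temporary key id is made up.
    print(mapped_identity(updated, "arn:aws:sts::231144931069:assumed-role/"
                          "Kubedemy_EKS_KubernetesAdmin/botocore-session-1700000000",
                          "ASIAEXAMPLEKEYID"))
```

In practice you would feed add_role_mapping the JSON from kubectl get configmap aws-auth -n kube-system -o json, review the returned document, and only then apply it. The merge refuses to add a role twice and raises on a path because the authenticator matches the caller's path-less canonical role ARN, so a rolearn with a path would never match and the role would silently get no access.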

Results:

Here are the results of the previous commands; we need them in the next articles:

IAM Username:         kubedemy
IAM User ARN:         arn:aws:iam::231144931069:user/kubedemy
IAM Role Name:        Kubedemy_EKS_KubernetesAdmin
IAM Role ARN:         arn:aws:iam::231144931069:role/Kubedemy_EKS_KubernetesAdmin
Username in Cluster:  admin:{{AccessKeyID}}:{{SessionName}}
Groups in Cluster:    system:masters

Conclusion:

Authenticating to EKS clusters through IAM roles is the best practice for anyone who uses IAM principals for authentication. If you already have an OIDC identity provider for SSO, it's better to integrate it with your Kubernetes clusters as well. In future articles, you will learn how to set up EKS authentication with the OIDC protocol, which is the best option of all.

If you like this series of articles, please share them and write your thoughts as comments here. Your feedback encourages me to complete this massively planned program. Just share them and provide feedback. I’ll make you an AWS EKS black belt.
