AWS EKS – Part 19 – Kubernetes Authentication with IAM Roles
In the previous article, you learned how to set up Kubernetes authentication with IAM users, but, as mentioned there, adding IAM users directly to the cluster should be reserved for break-glass or automation purposes. In this article, we explain how to set up EKS authentication with IAM roles: we create an IAM role that can be assumed by IAM users and add that role to the cluster's aws-auth configmap. When users want to connect to the cluster, they assume the role and authenticate to the cluster as the role, not as their own IAM user.
Follow our social media:
https://www.linkedin.com/in/ssbostan
https://www.linkedin.com/company/kubedemy
https://www.youtube.com/@kubedemy
Why IAM Roles over IAM Users?
Using IAM roles puts an abstraction layer between individuals and clusters. The cluster only knows the role; who may assume it is decided in IAM, in the role's trust policy. If an employee leaves the team, we remove their IAM user (and their principal from the role's trust policy), and their access to every cluster is gone. We don't need to change anything inside the clusters or update the aws-auth configmap in all clusters one by one.
EKS Authentication with IAM Role setup procedure:
- Create a new IAM user and access key.
- Create a new IAM role to be assumed by cluster admins.
- Attach the EKS DescribeCluster permission to the role.
- Add the IAM role configuration to the aws-auth configmap.
- Create a new AWS CLI profile to assume the role.
- Update the kubeconfig file and access the cluster.
Step 1 – Create IAM User and Access Key:
Read the following article to create a new IAM user that will authenticate to the cluster by assuming the role. Note that you must only create the IAM user and its access key. Don't assign eks:DescribeCluster or any other permissions to the user: because the role's trust policy in Step 2 names this user's ARN explicitly, a user in the same account needs no additional identity-based permission to call sts:AssumeRole.
AWS EKS – Part 18 – Kubernetes Authentication with AWS IAM Users
aws iam create-user \
--user-name kubedemy \
--tags Key=owner,Value=kubedemy
aws iam create-access-key \
--user-name kubedemy
Step 2 – Create IAM role for EKS Authentication:
To create an IAM role to be assumed by our engineers (the Kubernetes admins), we first write a trust policy that lists their IAM user ARNs as the principals allowed to call sts:AssumeRole. After that, we attach the required permissions to the role. Keep the principal list specific: if you put the account root (arn:aws:iam::231144931069:root) in the trust policy instead, every principal in the account that holds sts:AssumeRole permission could assume the role.
cat <<EOF > kubernetes-admin-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::231144931069:user/kubedemy"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
aws iam create-role \
--role-name Kubedemy_EKS_KubernetesAdmin \
--assume-role-policy-document file://kubernetes-admin-trust-policy.json \
--tags Key=owner,Value=kubedemy
Step 3 – Attach EKS DescribeCluster permission:
Add the following permission to the IAM role so that users can run aws eks update-kubeconfig, which calls eks:DescribeCluster to fetch the cluster endpoint and CA certificate. Skip this step if you intend to write the kubeconfig by hand and use aws eks get-token instead; get-token only signs an STS GetCallerIdentity request and needs no EKS permission. Note that the resource is scoped to the kubedemy cluster in eu-west-2, so the role can describe only this cluster.
cat <<EOF > describe-kubedemy-cluster.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "arn:aws:eks:eu-west-2:231144931069:cluster/kubedemy",
      "Action": "eks:DescribeCluster"
    }
  ]
}
EOF
aws iam put-role-policy \
--role-name Kubedemy_EKS_KubernetesAdmin \
--policy-name Describe_Kubedemy_Cluster \
--policy-document file://describe-kubedemy-cluster.json
Step 4 – Configure AWS EKS Authentication:
To allow users who assumed the role to access the cluster, add the IAM role ARN, the username it should get inside the cluster, and its groups to the aws-auth configmap in the kube-system namespace. Write the role ARN without an IAM path, because the ARN the authenticator sees after AssumeRole never contains one. If the cluster has no worker nodes yet, the configmap does not exist and you must create it. If it does exist, keep the worker nodes' mapRoles entries in your file: kubectl apply replaces the whole mapRoles value, and dropping the node role breaks node registration. Run the apply as the IAM identity that created the cluster; that identity has implicit system:masters access without appearing in aws-auth, and it is your way back in if a broken aws-auth locks everyone else out. Also remember that system:masters bypasses RBAC entirely, so for day-to-day admins consider mapping the role to a custom group bound by a ClusterRoleBinding you control.
cat <<EOF > aws-auth.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  # Remember to keep worker nodes configurations.
  mapRoles: |
    - rolearn: arn:aws:iam::231144931069:role/Kubedemy_EKS_KubernetesAdmin
      username: admin:{{AccessKeyID}}:{{SessionName}}
      groups:
        - system:masters
EOF
To apply it to the cluster, run the following command:
kubectl apply -f aws-auth.yaml
Step 5 – Configure AWS CLI to assume IAM Role:
You must create a new profile in the AWS CLI config file that assumes the role, so that calls made with this profile reach AWS APIs with the role's permissions. Use the following command to append a new profile to your existing AWS CLI configuration. source_profile = default means the default profile's access key (the kubedemy user's key from Step 1) is used to call sts:AssumeRole. Optionally add role_session_name = <your name> to the profile; otherwise the CLI generates a session name such as botocore-session-<timestamp>, and that is what {{SessionName}} in the cluster username, and therefore the Kubernetes audit log, will show.
cat <<EOF >> ~/.aws/config
[profile KubernetesAdmin]
role_arn = arn:aws:iam::231144931069:role/Kubedemy_EKS_KubernetesAdmin
source_profile = default
region = eu-west-2
output = json
EOF
Step 6 – Create Kubeconfig and Access the cluster:
Use the following commands to update the kubeconfig file and check your access. kubectl auth whoami (available in Kubernetes 1.27 and later) prints the username and groups the API server attributed to you; you should see a username of the form admin:<access key id>:<session name> in the system:masters group, which confirms that you reached the cluster through the assumed role rather than as your own IAM user. If kubectl instead reports "You must be logged in to the server (Unauthorized)", the role ARN in aws-auth does not match the role you assumed.
aws --profile KubernetesAdmin eks update-kubeconfig --name kubedemy
kubectl auth whoami
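The following script, an added example that is not part of the original article, simulates how the EKS authenticator turns an STS caller identity into a cluster username and group list using the mapRoles and mapUsers entries above. It lets you predict what the username in the Kubernetes audit log will look like for a given session and diagnose an "Unauthorized" response before touching the cluster. The MAP_ROLES/MAP_USERS data is constructed here from the article's values plus a hypothetical worker-node role (Kubedemy_EKS_NodeRole, not from the article); the canonicalization and template rendering are a simplified re-implementation, not the authenticator's own code.

```python
import re

# Constructed sample data for this example: the article's role and user
# mappings plus a hypothetical worker-node role (Kubedemy_EKS_NodeRole is not
# from the article) of the kind a real aws-auth ConfigMap must keep.
MAP_ROLES = [
    {
        "rolearn": "arn:aws:iam::231144931069:role/Kubedemy_EKS_KubernetesAdmin",
        "username": "admin:{{AccessKeyID}}:{{SessionName}}",
        "groups": ["system:masters"],
    },
    {
        "rolearn": "arn:aws:iam::231144931069:role/Kubedemy_EKS_NodeRole",
        "username": "system:node:{{EC2PrivateDNSName}}",
        "groups": ["system:bootstrappers", "system:nodes"],
    },
]
MAP_USERS = [
    {
        "userarn": "arn:aws:iam::231144931069:user/kubedemy",
        "username": "kubedemy",
        "groups": ["system:masters"],
    },
]

_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")
_IAM_PRINCIPAL = re.compile(r"^arn:aws:iam::(\d{12}):(role|user)/(.+)$")


def canonicalize(arn):
    """Return (canonical IAM ARN, session name or None).

    An STS assumed-role ARN is rewritten to the IAM role ARN it came from,
    and any IAM path is dropped: the STS ARN never carries the path, which
    is why EKS requires mapRoles entries to be written without one.
    """
    m = _ASSUMED_ROLE.match(arn)
    if m:
        account, role, session = m.groups()
        return f"arn:aws:iam::{account}:role/{role}", session
    m = _IAM_PRINCIPAL.match(arn)
    if m:
        account, kind, name = m.groups()
        return f"arn:aws:iam::{account}:{kind}/{name.rsplit('/', 1)[-1]}", None
    raise ValueError("unsupported principal ARN: " + arn)


def render(template, variables):
    """Expand {{Var}} placeholders in a mapRoles/mapUsers username template."""
    def substitute(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError("unknown template variable: " + name)
        return variables[name]
    return re.sub(r"\{\{(\w+)\}\}", substitute, template)


def resolve_identity(caller_arn, access_key_id, map_roles=MAP_ROLES,
                     map_users=MAP_USERS, private_dns=""):
    """Map an STS caller identity to the (username, groups) EKS would use.

    Returns None when nothing matches; that is the case in which kubectl
    answers "error: You must be logged in to the server (Unauthorized)".
    """
    canon, session = canonicalize(caller_arn)
    variables = {
        "AccessKeyID": access_key_id,
        "SessionNameRaw": session or "",
        # {{SessionName}} replaces '@' with '-' so e-mail style session
        # names still yield a legal Kubernetes username.
        "SessionName": (session or "").replace("@", "-"),
        "EC2PrivateDNSName": private_dns,
    }
    is_role = canon.split(":", 5)[5].startswith("role/")
    entries, key = (map_roles, "rolearn") if is_role else (map_users, "userarn")
    for entry in entries:
        if canonicalize(entry[key])[0] == canon:
            return render(entry["username"], variables), list(entry.get("groups", []))
    return None


if __name__ == "__main__":
    # Constructed caller identity: the shape that `aws --profile KubernetesAdmin
    # sts get-caller-identity` returns after assuming the article's role. The
    # temporary access key (ASIA... prefix) is a placeholder.
    caller = ("arn:aws:sts::231144931069:assumed-role/"
              "Kubedemy_EKS_KubernetesAdmin/kubedemy@example.com")
    print(resolve_identity(caller, "ASIAEXAMPLEKEY123456"))
```

Feed it the Arn from a real aws sts get-caller-identity call against the KubernetesAdmin profile and compare the result with what kubectl auth whoami prints; a mismatch means the mapRoles entry (typically a path in the role ARN, or a role name typo) is wrong. The username it returns is the value you will find in the user.username field of the cluster's audit log entries, which is why a meaningful role_session_name is worth setting.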
Results:
Here are the results of the previous commands; we need them in the next articles:
IAM Username        | kubedemy
IAM User ARN        | arn:aws:iam::231144931069:user/kubedemy
IAM Role Name       | Kubedemy_EKS_KubernetesAdmin
IAM Role ARN        | arn:aws:iam::231144931069:role/Kubedemy_EKS_KubernetesAdmin
Username in Cluster | admin:{{AccessKeyID}}:{{SessionName}}
Groups in Cluster   | system:masters
Conclusion:
Authenticating to EKS clusters with IAM roles is the best practice for those who use IAM principals for authentication. If you already have an OIDC identity provider for SSO, it's better to integrate it with your Kubernetes clusters as well. In future articles, you will learn how to set up EKS authentication with the OIDC protocol, which is the best option of all.
If you like this series of articles, please share them and write your thoughts in the comments. Your feedback encourages me to complete this massively planned program. I'll make you an AWS EKS black belt.
Follow my LinkedIn https://www.linkedin.com/in/ssbostan
Follow Kubedemy LinkedIn https://www.linkedin.com/company/kubedemy
Follow Kubedemy Telegram https://telegram.me/kubedemy