How to enable IAM and AWS SSO access to EKS

eks aws iam

When an EKS cluster is created, the user that created the cluster is the owner and is granted permanent admin access to the cluster.

I’m going to show you how to use IAM roles and AWS SSO to manage access to EKS.

First, create an EKS cluster.

Once you have an EKS cluster, you’ll to get kubectl access to it.

Note that you’ll need to have aws-cli installed if you don’t have it already.

You can find the instructions on how to do that here.

Once you have aws-cli installed, run:

aws eks update-kubeconfig --name <name of your cluster>

This updates your ~/.kubeconfig to be able to access your cluster from your machine.

You’ll need kubectl installed for the next steps if you don’t have it already.

Here’s a link to the documentation on installing kubectl

Let’s test your connection to your cluster with:

kubectl get ns

You should get some results back for the namespaces created by default.

EKS clusters store AWS authentication configuration in a kubernetes ConfigMap in the kube-system namespace.

Let’s edit it:

kubectl edit configmap/aws-auth -n kube-system

You’ll see something that looks like this:

apiVersion: v1
data:
  mapAccounts: |
        []
  mapRoles: |
        # redacted
  mapUsers: |
        []
kind: ConfigMap

To allow an AWS IAM role to access your cluster, you need to modify the mapRoles section.

Find the ARN of the IAM role that you’d like to have access to the cluster and add an entry that looks like this:

apiVersion: v1
data:
  mapAccounts: |
        []
  mapRoles: |
    - "groups":
      - "system:masters"
      "rolearn": "arn:aws:iam::<AWS ACCOUNT ID>:role/AWSReservedSSO_AWSAdministratorAccess_xxxxxxxxxxxxx"
      "username": "admin"    
  mapUsers: |
        []
kind: ConfigMap

The username can be set to anything.

Set the rolearn value to be the arn of the IAM role you found earlier.

Note: For SSO roles, you might find that in the IAM console it has additional segments in the middle that I didn’t put here.

arn:aws:iam::<AWS ACCOUNT ID>:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_AWSAdministratorAccess_xxxxxxxxxxxxx

You have to remove the /aws-reserved/sso.amazonaws.com/us-east-1 section like I did above or it won’t work.

Save your aws-auth and you should now be able to access the cluster using the role you just mapped.