How to enable IAM and AWS SSO access to EKS
When an EKS cluster is created, the user that created the cluster is the owner and is granted permanent admin access to the cluster.
I’m going to show you how to use IAM roles and AWS SSO to manage access to EKS.
First, create an EKS cluster.
Once you have an EKS cluster, you’ll to get
kubectl access to it.
Note that you’ll need to have
aws-cli installed if you don’t have it already.
You can find the instructions on how to do that here.
Once you have
aws-cli installed, run:
aws eks update-kubeconfig --name <name of your cluster>
This updates your
~/.kubeconfig to be able to access your cluster from your machine.
kubectl installed for the next steps if you don’t have it already.
Let’s test your connection to your cluster with:
kubectl get ns
You should get some results back for the namespaces created by default.
EKS clusters store AWS authentication configuration in a kubernetes
ConfigMap in the
Let’s edit it:
kubectl edit configmap/aws-auth -n kube-system
You’ll see something that looks like this:
apiVersion: v1 data: mapAccounts: |  mapRoles: | # redacted mapUsers: |  kind: ConfigMap
To allow an AWS IAM role to access your cluster, you need to modify the
Find the ARN of the IAM role that you’d like to have access to the cluster and add an entry that looks like this:
apiVersion: v1 data: mapAccounts: |  mapRoles: | - "groups": - "system:masters" "rolearn": "arn:aws:iam::<AWS ACCOUNT ID>:role/AWSReservedSSO_AWSAdministratorAccess_xxxxxxxxxxxxx" "username": "admin" mapUsers: |  kind: ConfigMap
username can be set to anything.
rolearn value to be the
arn of the IAM role you found earlier.
Note: For SSO roles, you might find that in the IAM console it has additional segments in the middle that I didn’t put here.
arn:aws:iam::<AWS ACCOUNT ID>:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_AWSAdministratorAccess_xxxxxxxxxxxxx
You have to remove the
/aws-reserved/sso.amazonaws.com/us-east-1 section like I did above or it won’t work.
aws-auth and you should now be able to access the cluster using the role you just mapped.