
I am trying to learn AWS EKS and following Getting started with Amazon EKS – AWS Management Console and AWS CLI guide step by step except for the region which I have changed to us-east-1.

I am able to create my cluster - my-cluster - but when I am trying to configure my computer, which is an EC2 instance (T2.Micro), to communicate with the cluster, I get the error: You must be logged in to the server (Unauthorized). On deep diving, I found that the EC2 role (ARN - arn:aws:iam::123456789012:role/ec2-admin) needs to assume the role that created the cluster (ARN - arn:aws:iam::123456789012:role/myAmazonEKSClusterRole). I made these modifications in the role definition as well by modifying the Trust Relationship in myAmazonEKSClusterRole, getting arn:aws:sts::123456789012:assumed-role/myAmazonEKSClusterRole/test-session. After this, I am able to execute aws eks commands, but kubectl commands are still eluding me.

For executing kubectl commands, I am trying to follow the steps in Managing users or IAM roles for your cluster. However, they are asking me to make changes to the aws-auth-cm.yaml configMap file, which I can't do because I am unable to execute the kubectl apply command.

My kubeconfig file -

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <cert>
  name: arn:aws:eks:us-east-1:123456789012:cluster/my-cluster
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:123456789012:cluster/my-cluster
    user: arn:aws:eks:us-east-1:123456789012:cluster/my-cluster
  name: arn:aws:eks:us-east-1:123456789012:cluster/my-cluster
current-context: arn:aws:eks:us-east-1:123456789012:cluster/my-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:123456789012:cluster/my-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - my-cluster
      command: aws

The contents of aws-auth-cm.yaml file after I made the changes are

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
          #    - rolearn: <ARN of instance role (not instance profile)>
          #      username: system:node:{{EC2PrivateDNSName}}
          #      groups:
          #        - system:bootstrappers
          #        - system:nodes
    - rolearn: arn:aws:iam::375712918983:role/myAmazonEKSClusterRole
      username: myAmazonEKSClusterRole
      groups:
        - system:masters

Can you please help with this or give some pointers?

Please let me know if you have any questions.

kusur

1 Answer


You will want one of 3 things; either:

  • assume the arn:aws:iam::123456789012:role/myAmazonEKSClusterRole in a terminal session such that the aws eks get-token run by kubectl will behave correctly
  • create an awscli profile that assumes the arn:aws:iam::123456789012:role/myAmazonEKSClusterRole role and update the args: to include [..., "--profile", "whatever-you-call-that-profile",...]
  • or assume the role in a terminal, run aws eks get-token, and put that static credential in your kubeconfig since it doesn't seem you need the credential for very long just to update that ConfigMap

For the first one, I mean aws sts assume-role --role-arn arn:aws:iam::123456789012:role/myAmazonEKSClusterRole ... | tee sts-creds.json and then export AWS_ACCESS_KEY_ID= AWS_SECRET_KEY= AWS_SESSION_TOKEN= based on the contents of that json

For the second one, I mean:

$ cat >> $HOME/.aws/config <<FOO
[profile my-cluster]
assume_role = arn:aws:iam::123456789012:role/myAmazonEKSClusterRole
source_profile = whatever
; or credential_source = whatever
FOO

according to this documentation

mdaniel
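As an added example (not part of mdaniel's answer or the AWS tooling), a POSIX shell helper covering the first two options: it exports the three environment variables the AWS CLI and `aws eks get-token` read from a constructed assume-role JSON (the secret belongs in AWS_SECRET_ACCESS_KEY), and renders the `~/.aws/config` stanza using the `role_arn` key with `credential_source = Ec2InstanceMetadata`, which is the right source for a caller running on an EC2 instance role. The JSON values are placeholders, not real credentials.

```shell
#!/bin/sh
# Constructed sample of what `aws sts assume-role ... | tee sts-creds.json`
# writes. Every value is a placeholder.
STS_JSON='{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "exampleSecretKey/placeholder",
    "SessionToken": "exampleSessionToken==",
    "Expiration": "2021-09-17T23:59:59Z"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLEID:test-session",
    "Arn": "arn:aws:sts::123456789012:assumed-role/myAmazonEKSClusterRole/test-session"
  }
}'

# Extract one string field from the assume-role JSON with sed only (no jq
# dependency); assumes the value itself contains no double quotes.
sts_field() {
    printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# Export the variables the AWS CLI actually consults. The secret key variable
# is AWS_SECRET_ACCESS_KEY; a variable named AWS_SECRET_KEY is ignored.
# Returns non-zero if any of the three values is missing.
export_sts_creds() {
    AWS_ACCESS_KEY_ID=$(sts_field AccessKeyId "$1")
    AWS_SECRET_ACCESS_KEY=$(sts_field SecretAccessKey "$1")
    AWS_SESSION_TOKEN=$(sts_field SessionToken "$1")
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] \
        && [ -n "$AWS_SESSION_TOKEN" ]
}

# Render the profile stanza for ~/.aws/config. The CLI reads the target role
# from role_arn; credential_source = Ec2InstanceMetadata tells it to call
# sts:AssumeRole with the instance role's own credentials.
aws_config_profile() {
    printf '[profile %s]\nrole_arn = %s\ncredential_source = Ec2InstanceMetadata\n' "$1" "$2"
}

# Usage: source the creds, or append the profile and add --profile to kubeconfig.
export_sts_creds "$STS_JSON"
aws_config_profile my-cluster arn:aws:iam::123456789012:role/myAmazonEKSClusterRole
```

After the profile is written, the kubeconfig args become `[..., "--profile", "my-cluster", ...]` as the answer describes.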
  • I tried the first step but in futility. For the third step, where should I substitute the credential in kubeconfig? – kusur Sep 17 '21 at 16:56
  • `kubectl config set-credential tmp --token "$here" && kubectl config set-context --current --user tmp` – mdaniel Sep 17 '21 at 19:52
  • I made these changes and then changed the aws-auth-cm.yaml file as well (attached in the question). Executed `kubectl apply -f aws-auth-cm.yaml` and got the error `error: You must be logged in to the server (the server has asked for the client to provide credentials)` – kusur Sep 17 '21 at 20:51
  • (a) you **FOR SURE** do not want to remove that instance profile mapping or Nodes won't join your cluster (b) and even if you did, don't use mixed indentation like that, since yaml is very picky about whitespace (c) did you check `kubectl get nodes` before that `apply` to ensure your `aws eks get-token` did as it should? – mdaniel Sep 18 '21 at 03:16
  • I checked `kubectl get svc` and `get all`. Both of them weren't working. Since I didn't get around to creating nodes (because that step wasn't covered in AWS Tutorial till where I reached), I commented out the nodes arn part in the yaml file. – kusur Sep 18 '21 at 04:15