How do I resolve the error "You must be logged in to the server (Unauthorized)" when I connect to the Amazon EKS API server?


I use kubectl commands to connect to the Amazon Elastic Kubernetes Service (Amazon EKS) API server. I received the message "error: You must be logged in to the server (Unauthorized)".

Short description

You get this error when the AWS Identity and Access Management (IAM) entity that's configured in kubectl isn't authenticated by Amazon EKS. You are authenticated and authorized to access your Amazon EKS cluster based on the IAM entity (user or role) that you use. This error is usually caused by one of the following configurations:

  • You configured the kubectl tool to use your IAM user or role.
  • You mapped your IAM entity to the aws-auth ConfigMap.

To resolve this issue, complete the steps in one of the following sections based on your use case:

  • You're the cluster creator
  • You're not the cluster creator
  • Use access entries

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

You're the cluster creator

If your IAM entity was used to create the Amazon EKS cluster, then you're the cluster creator. To resolve the error as the cluster creator, complete the following steps:

  1. In Amazon CloudWatch Log Insights, select the log group for your Amazon EKS cluster. For example, /aws/eks/my-cluster/cluster. Then, run the following query:

    fields @logStream, @timestamp, @message
    | sort @timestamp desc
    | filter @logStream like /authenticator/
    | filter @message like "username=kubernetes-admin"
    | limit 50

    Note: Turn on Amazon EKS authenticator logs.
    The query returns the IAM entity that's mapped as the cluster creator:

    @message
    time="2022-05-26T18:55:30Z" level=info msg="access granted" arn="arn:aws:iam::123456789000:user/testuser" client="127.0.0.1:57586" groups="[system:masters]" method=POST path=/authenticate uid="aws-iam-authenticator:123456789000:AROAFFXXXXXXXXXX" username=kubernetes-admin

  2. Review the cluster creator IAM entity for the AWS CLI. To see if the IAM entity is configured for AWS CLI in your shell environment, run the following command:

    $ aws sts get-caller-identity

    You can also use a specific profile to run this command:

    $ aws sts get-caller-identity --profile MY-PROFILE

    The output returns the Amazon Resource Name (ARN) of the IAM entity that's configured for AWS CLI.
    Example:

    {
        "UserId": "XXXXXXXXXXXXXXXXXXXXX",
        "Account": "XXXXXXXXXXXX",
        "Arn": "arn:aws:iam::XXXXXXXXXXXX:user/testuser"
    }

    Confirm that the IAM entity that's returned matches the cluster creator IAM entity. If the returned IAM entity isn't the cluster creator, then update the AWS CLI configuration to use the cluster creator IAM entity.

  3. To update or generate the kubeconfig file, run the following command:

    $ aws eks update-kubeconfig --name eks-cluster-name --region aws-region

    Note: Replace eks-cluster-name with the name of your cluster. Replace aws-region with the name of your AWS Region.
    To specify an AWS CLI profile for the kubeconfig file, run the following command:

    $ aws eks update-kubeconfig --name eks-cluster-name --region aws-region --profile my-profile

    Note: Replace eks-cluster-name with the name of your cluster. Replace aws-region with the name of your Region. Replace my-profile with the name of your profile.

  4. To confirm that the kubeconfig file is updated, run the following command:

    $ kubectl config view --minify

  5. To confirm that your IAM entity is authenticated and that you can access your EKS cluster, run the following command:

    $ kubectl get svc

    Example output:

    NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
    kubernetes      ClusterIP   10.100.0.1     <none>        443/TCP   77d

You're not the cluster creator

If your IAM entity wasn't used to create the cluster, then you're not the cluster creator. In this case, complete the following steps to map your IAM entity to the aws-auth ConfigMap to allow access to the cluster:

  1. Review the cluster creator IAM entity for the AWS CLI. To see the IAM entity that's configured for AWS CLI in your shell environment, run the following command:

    $ aws sts get-caller-identity

    You can also use a specific profile to run this command:

    $ aws sts get-caller-identity --profile my-profile

    The output returns the ARN of the IAM entity that's configured for AWS CLI.
    Example:

    {
        "UserId": "XXXXXXXXXXXXXXXXXXXXX",
        "Account": "XXXXXXXXXXXX",
        "Arn": "arn:aws:iam::XXXXXXXXXXXX:user/testuser"
    }

    Confirm that the IAM entity that's returned matches the cluster creator IAM entity. If the returned IAM entity isn't the cluster creator, then update the AWS CLI configuration to use the cluster creator IAM entity. Then, use kubectl to retry to access your cluster. If you continue to have the issue, then continue to the next step.

  2. If the returned IAM entity isn't the cluster creator, then add your entity to the aws-auth ConfigMap to allow the entity to access the cluster. Because only the cluster admin can modify the aws-auth ConfigMap, complete one of the following tasks:
     • To use the cluster creator IAM entity to access the cluster, complete the steps in the You're the cluster creator section.
     • Or, ask the cluster admin to perform this action.

  3. To check if your IAM entity is in the aws-auth ConfigMap, run the following command:

    eksctl get iamidentitymapping --cluster cluster-name

    -or-

    kubectl describe configmap aws-auth -n kube-system

    If your IAM entity is in the aws-auth ConfigMap, then continue to the next step. If your IAM entity isn't in the aws-auth ConfigMap, then run the following command to automatically map your IAM entity:

    eksctl create iamidentitymapping \
        --cluster $CLUSTER_NAME \
        --region $REGION \
        --arn arn:aws:iam::XXXXXXXXXXXX:user/testuser \
        --group system:masters \
        --no-duplicate-arns \
        --username admin-user1

    Note: Set the CLUSTER_NAME and REGION shell variables to your cluster name and Region before you run the command, and replace the ARN with the ARN of your IAM entity.

    Or, edit the aws-auth ConfigMap to manually map your IAM entity:

    $ kubectl edit configmap aws-auth --namespace kube-system

    To add an IAM entity to the aws-auth ConfigMap, add the IAM user or role ARN to mapUsers.
    IAM user example:

    mapUsers: |
      - userarn: arn:aws:iam::XXXXXXXXXXXX:user/testuser
        username: testuser
        groups:
          - system:masters

    IAM role example:

    mapRoles: |
      - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/testrole
        username: testrole
        groups:
          - system:masters

    Important:
    The IAM role must be mapped without the path. For more information about rolearn path requirements, see the aws-auth ConfigMap does not grant access to the cluster section.
    To specify rolearn for an AWS IAM Identity Center IAM role, remove the path "/aws-reserved/sso.amazonaws.com/REGION" from the role ARN. Otherwise, the entry in the ConfigMap can't authorize you as a valid user.
    The system:masters group allows superuser access to perform any action on any resource. For more information, see Default roles and role bindings on the Kubernetes website. To restrict access for this user, create an Amazon EKS role and role binding resource. For more information, see Required permissions.

  4. Run the following command to update or generate the kubeconfig file. Make sure that the AWS CLI is configured with your IAM entity.

    $ aws eks update-kubeconfig --name eks-cluster-name --region aws-region

    Note: Replace eks-cluster-name with the name of your cluster. Replace aws-region with the name of your Region.
    You can also use a specific profile to run this command:

    $ aws eks update-kubeconfig --name eks-cluster-name --region aws-region --profile my-profile

    Note: Replace eks-cluster-name with the name of your cluster. Replace aws-region with the name of your Region. Replace my-profile with the name of your profile.

  5. To confirm that the kubeconfig file is updated, run the following command:

    $ kubectl config view --minify

  6. To confirm that your IAM user or role is authenticated, access the cluster again. For example, you can run the following command to confirm that the error is resolved:

    $ kubectl get svc

    Example output:

    NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
    kubernetes      ClusterIP   10.100.0.1     <none>        443/TCP   77d
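
To see why a rolearn that still carries its path fails the mapping that step 3 describes, here is an added Python example (not code from this article or from the EKS authenticator) that models the comparison the way the article describes it: the caller's assumed-role ARN is reduced to a plain IAM role ARN and then looked up in constructed aws-auth data. The account ID, role names and the lookup logic are assumptions for illustration; the real authenticator is not called.

```python
import re
# Constructed aws-auth data, shaped like the parsed mapRoles/mapUsers YAML from step 3 (account ID and names made up).
AWS_AUTH = {
    "mapRoles": [
        {"rolearn": "arn:aws:iam::111122223333:role/testrole",
         "username": "testrole", "groups": ["system:masters"]},
        # Mistaken entry: an IAM Identity Center role mapped WITH its path.
        {"rolearn": "arn:aws:iam::111122223333:role/aws-reserved/"
                    "sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_0123456789abcdef",
         "username": "sso-admin", "groups": ["system:masters"]},
    ],
    "mapUsers": [
        {"userarn": "arn:aws:iam::111122223333:user/testuser",
         "username": "testuser", "groups": ["system:masters"]},
    ],
}

ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")
IAM_ROLE = re.compile(r"^arn:aws:iam::(\d{12}):role/(?:.+/)?([^/]+)$")

def canonical_arn(arn: str) -> str:
    """Reduce a caller ARN to the form that is compared against aws-auth.

    The assumed-role ARN that `aws sts get-caller-identity` returns for a role
    carries only the role name, never its path, so it becomes the plain IAM
    role ARN; a path in an IAM role ARN is dropped too. User ARNs pass through.
    """
    m = ASSUMED_ROLE.match(arn) or IAM_ROLE.match(arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return arn

def lookup(caller_arn: str, aws_auth: dict):
    """Return (username, groups) for the caller, or None ("ARN is not mapped").
    Entries are compared as written, so a rolearn that still contains its
    path never matches the canonical caller ARN (the error step 3 warns about).
    """
    key = canonical_arn(caller_arn).lower()
    for entry in aws_auth.get("mapRoles", []):
        if entry["rolearn"].lower() == key:
            return entry["username"], entry["groups"]
    for entry in aws_auth.get("mapUsers", []):
        if entry["userarn"].lower() == key:
            return entry["username"], entry["groups"]
    return None

def strip_role_path(rolearn: str) -> str:
    """The fix step 3 calls for: the same rolearn with its path removed."""
    return canonical_arn(rolearn)
```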

Use access entries to regain access to the cluster

Use the CreateAccessEntry API to provide or restore access to your Amazon EKS cluster. For more information, see How can I use the Amazon EKS access entry API to recover access to an EKS cluster?

Troubleshooting

When you run a kubectl command, a request is sent to the Amazon EKS cluster API server. Then, the Amazon EKS authenticator tries to authenticate this request. If the Amazon EKS authenticator can't authenticate the request, then check the EKS authenticator logs in CloudWatch. Use the following troubleshooting tips to identify the issue.

Access your EKS authenticator logs

  1. Turn on logging for your Amazon EKS cluster.
  2. Open CloudWatch Log Insights.
  3. Select the log group for your cluster. Example: "/aws/eks/example-cluster/cluster".
  4. Run the following query:
    fields @timestamp, @message
    | filter @logStream like /authenticator/
    | sort @timestamp desc
    | limit 1000
    Run the kubectl commands again so that you can identify the log lines from the same time interval in which you got the error.

Review your EKS authenticator logs

Based on the cause of the error, complete the following tasks:

  • If the issue is from the use of an incorrect IAM entity for kubectl, then review the kubectl kubeconfig and AWS CLI configuration. Make sure that you use the correct IAM entity. In the following output example, the IAM entity that kubectl used can't be validated. Review the IAM entity that kubectl uses and make sure that the entity exists in IAM and the entity's programmatic access is turned on.
    Example output:

    time="2022-12-26T20:46:48Z" level=warning msg="access denied" client="127.0.0.1:43440" error="sts getCallerIdentity failed: error from AWS (expected 200, got 403). Body: {\"Error\":{\"Code\":\"InvalidClientTokenId\",\"Message\":\"The security token included in the request is invalid.\",\"Type\":\"Sender\"},\"RequestId\":\"a9068247-f1ab-47ef-b1b1-cda46a27be0e\"}" method=POST path=/authenticate
  • If the issue is because your IAM entity isn't mapped or is incorrectly mapped in the aws-auth ConfigMap, then review the aws-auth ConfigMap. Make sure that the IAM entity is correctly mapped and meets the requirements that are listed in the You're not the cluster creator section. For incorrectly mapped or missing IAM entities, the EKS authenticator logs look similar to the following output example:

    time="2022-12-28T15:37:19Z" level=warning msg="access denied" arn="arn:aws:iam::XXXXXXXXXX:role/admin-test-role" client="127.0.0.1:33384" error="ARN is not mapped" method=POST path=/authenticate
  • If the aws-auth ConfigMap was updated and you lost access to the cluster, then use the cluster creator IAM entity to access the cluster. Because the cluster creator doesn't need to be mapped in the aws-auth ConfigMap, use this IAM entity to access the cluster.

  • If the cluster creator IAM entity was deleted, then recreate the IAM entity with the same name so that the recreated entity has the same ARN as the original cluster creator. Then, complete the steps in the You're the cluster creator section to use the IAM entity to access the cluster.

  • If the cluster creator is an IAM role that was created for an SSO user that was removed, then you can't recreate this IAM role. In this case, reach out to AWS Support for assistance.
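
As an added example (not part of the article), the following Python parses authenticator lines in the format quoted above and sorts them into the causes this section lists. The sample lines are constructed to match the article's output, with made-up account IDs, ports and key ID.

```python
import re
# Constructed sample lines modelled on the authenticator output quoted above
# (account IDs, client ports and the key ID are made up).
SAMPLE_LOGS = [
    'time="2022-05-26T18:55:30Z" level=info msg="access granted" '
    'arn="arn:aws:iam::111122223333:user/testuser" client="127.0.0.1:57586" '
    'groups="[system:masters]" method=POST path=/authenticate '
    'uid="aws-iam-authenticator:111122223333:AROAEXAMPLE" username=kubernetes-admin',
    'time="2022-12-26T20:46:48Z" level=warning msg="access denied" client="127.0.0.1:43440" '
    'error="sts getCallerIdentity failed: error from AWS (expected 200, got 403). '
    'Body: {\\"Error\\":{\\"Code\\":\\"InvalidClientTokenId\\",\\"Message\\":\\"The security '
    'token included in the request is invalid.\\",\\"Type\\":\\"Sender\\"}}" '
    'method=POST path=/authenticate',
    'time="2022-12-28T15:37:19Z" level=warning msg="access denied" '
    'arn="arn:aws:iam::111122223333:role/admin-test-role" client="127.0.0.1:33384" '
    'error="ARN is not mapped" method=POST path=/authenticate',
]

# logrus text format: key=value, values quoted when they contain spaces, inner quotes escaped as \"
TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line: str) -> dict:
    """Split one authenticator line into a dict of its key=value fields."""
    fields = {}
    for key, raw in TOKEN.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields

def classify(line: str) -> tuple:
    """Map a line to (verdict, next step), following the tips in this section."""
    f = parse_line(line)
    if f.get("msg") == "access granted":
        return "mapped", f"{f.get('arn')} -> {f.get('username')} {f.get('groups')}"
    err = f.get("error", "")
    if "ARN is not mapped" in err:
        return "not-mapped", f"add {f.get('arn')} to aws-auth (role ARN without its path)"
    if "getCallerIdentity failed" in err or "InvalidClientTokenId" in err:
        return "bad-credentials", "fix the AWS CLI profile or kubeconfig that kubectl uses"
    return "unknown", f.get("msg", line)

def summarize(lines) -> dict:
    """Count verdicts over a log export, such as the Log Insights query results."""
    counts = {}
    for line in lines:
        verdict = classify(line)[0]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```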

Related information

How do I provide access to other IAM users and roles after cluster creation in Amazon EKS?

Using RBAC authorization on the Kubernetes website

Grant IAM users access to Kubernetes with EKS access entries

EKS Access Entries on the eksctl website

AWS OFFICIAL. Updated 7 months ago.

10 Comments

I had this problem and, eventually, I figured out it had to do with the CLI. I thought it was a bug but it seems that it's expected behavior. (I built the EKS cluster using Terraform.)

Some text on this page helped me figure it out: https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html

You can specify an IAM role ARN with the --role-arn option to use for authentication when you issue kubectl commands. Otherwise, the IAM principal in your default AWS CLI or SDK credential chain is used. You can view your default AWS CLI or SDK identity by running the aws sts get-caller-identity command.

Specifically, it's this sentence: Otherwise, the IAM principal in your default AWS CLI or SDK credential chain is used.

I have several profiles configured for the AWS CLI. The only profile used is the default one. The others are ignored.

My fix was to create and export two environmental variables with the corresponding information:

aws_access_key_id

and

aws_secret_access_key

After I did this, things worked as expected.

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT
replied 2 years ago

I had this issue and created a working example of how to update the automatically created aws-auth config map for an existing EKS cluster using terraform: https://github.com/jamiemo/k8s-eks-aws-auth-configmap

replied a year ago

If you created a cluster, and you are using the same IAM user, and you still get errors like "error: You must be logged in to the server (the server has asked for the client to provide credentials)", "Identity is not mapped", "Your current IAM principal doesn't have access to Kubernetes objects on this cluster. This might be due to the current principal not having an IAM access entry with permissions to access the cluster." from CLI (kubectl), CloudWatch, and Console respectively, then you have to go to the cluster from the AWS console, access tab, create access entry, select the ARN of your principal (you can see it from CLI with command aws sts get-caller-identity), add access policy, select AmazonEKSAdminPolicy, create and go back to the access tab, click on the access entry you added for your user ARN, add access policy, select AmazonEKSClusterAdminPolicy and try running the kubectl commands again.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT
replied a year ago

is the identity mapping configuration supporting wildcards on aws-auth? like:

mapRoles: |
  - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/testrole-*
    username: testrole
    groups:
      - system:masters
replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT
replied a year ago

When running this command:

kubectl edit configmap aws-auth --namespace kube-system

You receive this error now: Error from server (NotFound): configmaps "aws-auth" not found

A quick search brings up this AWS documentation link stating that "The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries."

So unfortunately, it seems like most of this article is now out-of-date.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied a year ago

I have created an EKS cluster and am continuously trying to connect from the Windows CLI, but it always throws an error. I am able to check AWS resources from the CLI and am also able to see the cluster and node group with a command like eksctl get iamidentitymapping --cluster myeks_cluster1

but I am getting an issue with kubectl: E0928 20:24:40.071813 7228 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"

C:\Windows\System32>eksctl get iamidentitymapping --cluster myeks_cluster1 Error: getting auth ConfigMap: Unauthorized

C:\Windows\System32>kubectl version Client Version: v1.31.0-eks-a737599 Kustomize Version: v5.4.2 error: You must be logged in to the server (the server has asked for the client to provide credentials)

C:\Windows\System32>kubectl get pods -v=10

"metadata": {}, "status": "Failure", "message": "the server has asked for the client to provide credentials", "reason": "Unauthorized", "details": { "causes": [ { "reason": "UnexpectedServerResponse", "message": "unknown" } ] }, "code": 401 }] error: You must be logged in to the server (the server has asked for the client to provide credentials)

Please help!

replied 7 months ago