I experience issues when I try to grant access to my Amazon Elastic Kubernetes Service (Amazon EKS) clusters.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Use Amazon EKS access entries to grant access to the Kubernetes API to AWS Identity and Access Management (IAM) users and roles.
Configure IAM principal permissions
The IAM principal must have the following permissions for your cluster:
- CreateAccessEntry
- ListAccessEntries
- DescribeAccessEntry
- DeleteAccessEntry
- UpdateAccessEntry
- ListAccessPolicies
- AssociateAccessPolicy
- DisassociateAccessPolicy
For more information about Amazon EKS permissions, see Actions defined by Amazon Elastic Kubernetes Service.
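The following shell function is an added example and not part of this article: it emits an IAM policy document that grants only the actions listed above, scoped to one cluster instead of to every cluster in the account. The region, account ID and cluster name are constructed placeholders. The split between the cluster resource (CreateAccessEntry, ListAccessEntries) and the access-entry resource (the Describe, Update, Delete, Associate and Disassociate actions) follows the Service Authorization Reference as understood here; confirm the resource types there before you attach the policy.

```shell
# Added example, not part of the AWS article: build an IAM policy document
# that grants only the access-entry actions listed above, scoped to a single
# cluster. The region, account ID and cluster name are constructed placeholders.
eks_access_entry_policy() {
  region="$1"; account="$2"; cluster="$3"
  # Refuse malformed account IDs so a typo cannot widen the Resource element.
  printf '%s\n' "$account" | grep -Eq '^[0-9]{12}$' || {
    echo "account ID must be exactly 12 digits: $account" >&2
    return 1
  }
  cluster_arn="arn:aws:eks:${region}:${account}:cluster/${cluster}"
  # Access entries are their own resource type under the cluster (assumed
  # mapping, see lead-in); the trailing wildcard covers every entry of this
  # cluster and nothing on other clusters.
  entry_arns="arn:aws:eks:${region}:${account}:access-entry/${cluster}/*"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateAndListEntriesOnOneCluster",
      "Effect": "Allow",
      "Action": ["eks:CreateAccessEntry", "eks:ListAccessEntries"],
      "Resource": "${cluster_arn}"
    },
    {
      "Sid": "ManageEntriesOfOneCluster",
      "Effect": "Allow",
      "Action": [
        "eks:DescribeAccessEntry",
        "eks:UpdateAccessEntry",
        "eks:DeleteAccessEntry",
        "eks:AssociateAccessPolicy",
        "eks:DisassociateAccessPolicy"
      ],
      "Resource": "${entry_arns}"
    },
    {
      "Sid": "ListManagedAccessPolicies",
      "Effect": "Allow",
      "Action": "eks:ListAccessPolicies",
      "Resource": "*"
    }
  ]
}
EOF
}

# Usage: print the document, or redirect it to a file and attach it with
# aws iam create-policy --policy-document file://eks-access-entry-policy.json
eks_access_entry_policy us-east-1 111122223333 my-cluster
```

Because access policies are AWS-managed and global, ListAccessPolicies is the only action that needs a wildcard resource; everything else is tied to the named cluster.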
Configure access policy permissions
The access policy sets the level of access that a user has to the Kubernetes API. Use the following policies to create access entries:
When you create access entries with the preceding policies, you grant the Kubernetes permissions that the policy defines, scoped either to the whole cluster or to a namespace.
Note: You can't modify the contents of an access policy, and you can't create your own access policies.
Grant IAM user access to your Amazon EKS cluster
Change the authentication mode
Important: After you activate the access entry method, you can't turn it off again.
To use access entries, update the authentication mode for the Amazon EKS cluster to either API or API_AND_CONFIG_MAP. Run the following update-cluster-config AWS CLI command:
aws eks update-cluster-config \
--name my-cluster \
--access-config authenticationMode=API_AND_CONFIG_MAP
Note: Replace my-cluster with your cluster name. To permanently deactivate the ConfigMap method, replace API_AND_CONFIG_MAP with API.
Create an access entry for the IAM entity and attach the access policy
Provide cluster administrator access to your Amazon EKS cluster. First, run the following create-access-entry command to create an access entry for your IAM user or role:
aws eks create-access-entry --cluster-name my-cluster \
--principal-arn arn:aws:iam::111122223333:user/example-user
Note: Replace my-cluster with your cluster name, and arn:aws:iam::111122223333:user/example-user with your IAM role or user's ARN.
Then, run the following associate-access-policy command to associate the AmazonEKSClusterAdminPolicy with the IAM user or role:
aws eks associate-access-policy --cluster-name my-cluster \
--principal-arn arn:aws:iam::111122223333:user/example-user \
--policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \
--access-scope type=cluster
Note: Replace my-cluster with your cluster name, and arn:aws:iam::111122223333:user/example-user with your IAM role or user's ARN.
To provide the IAM user or role with admin access to a specific namespace, run the following associate-access-policy command:
aws eks associate-access-policy --cluster-name my-cluster \
--principal-arn arn:aws:iam::111122223333:role/example-role \
--policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy \
--access-scope type=namespace,namespaces=test*
Note: Replace my-cluster with your cluster name, and arn:aws:iam::111122223333:role/example-role with your IAM role or user's ARN. Also, replace test with your namespace name.
To use access entries with Kubernetes Role-Based Access Control (RBAC), run the following create-access-entry command:
aws eks create-access-entry --cluster-name my-cluster \
--principal-arn arn:aws:iam::111122223333:role/example-role-2 \
--kubernetes-groups viewers
Note: Replace my-cluster with your cluster name, and arn:aws:iam::111122223333:role/example-role-2 with your IAM role or user's ARN. Replace viewers with the name of the group specified in the Kubernetes RoleBinding or ClusterRoleBinding object on your cluster.
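The following script is an added example and not part of this article: it wraps the create-access-entry and associate-access-policy steps above in one function that checks its inputs before anything reaches the cluster. The AWS_CLI variable, the grant_eks_access and valid_iam_principal function names, and the sample cluster and ARN values are constructed for the example; set AWS_CLI=echo to preview the exact commands without running them.

```shell
# Added example, not part of the AWS article: the create-access-entry and
# associate-access-policy steps above, wrapped in one function that checks its
# inputs before anything is sent to the cluster. AWS_CLI defaults to the real
# CLI; set AWS_CLI=echo to preview the exact commands without running them.
AWS_CLI="${AWS_CLI:-aws}"

# Only IAM user or role ARNs are valid access-entry principals. An STS
# assumed-role ARN (arn:aws:sts::...:assumed-role/...) names a session, not
# the principal, so it is rejected here instead of failing later at the API.
valid_iam_principal() {
  printf '%s\n' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:(user|role)/.+$'
}

# grant_eks_access CLUSTER PRINCIPAL_ARN POLICY_NAME SCOPE_TYPE [NAMESPACES]
#   POLICY_NAME is the short name, for example AmazonEKSClusterAdminPolicy.
#   SCOPE_TYPE is cluster or namespace. NAMESPACES is a comma-separated list,
#   required for namespace scope and not allowed for cluster scope.
grant_eks_access() {
  cluster="$1"; principal="$2"; policy="$3"; scope_type="$4"; namespaces="${5:-}"
  valid_iam_principal "$principal" || {
    echo "not an IAM user/role ARN: $principal" >&2; return 1; }
  case "$scope_type" in
    cluster)
      [ -z "$namespaces" ] || { echo "namespaces only apply to namespace scope" >&2; return 1; }
      scope="type=cluster" ;;
    namespace)
      [ -n "$namespaces" ] || { echo "namespace scope needs at least one namespace" >&2; return 1; }
      scope="type=namespace,namespaces=${namespaces}" ;;
    *)
      echo "scope type must be cluster or namespace: $scope_type" >&2; return 1 ;;
  esac
  # Step 1: the access entry ties the IAM principal to the cluster.
  "$AWS_CLI" eks create-access-entry --cluster-name "$cluster" \
    --principal-arn "$principal" || return 1
  # Step 2: the access policy decides what that principal may do, and where.
  "$AWS_CLI" eks associate-access-policy --cluster-name "$cluster" \
    --principal-arn "$principal" \
    --policy-arn "arn:aws:eks::aws:cluster-access-policy/${policy}" \
    --access-scope "$scope"
}

# Preview run with constructed values (no cluster is contacted with AWS_CLI=echo).
AWS_CLI=echo grant_eks_access my-cluster \
  arn:aws:iam::111122223333:role/example-role AmazonEKSAdminPolicy namespace test
```

Keeping the namespace list separate from the scope type makes the two mistakes the article's notes warn about (a cluster-wide grant where a namespace grant was intended, or a namespace grant with no namespace) fail before the first API call.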
Confirm your IAM entity credentials
To check the IAM user or role credentials being used on the AWS CLI, run the following get-caller-identity command:
aws sts get-caller-identity
The command output must return the IAM user or role that you created an access entry for. If you receive a different IAM role or user, then make sure that you correctly configured the role or user's credentials.
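The following script is an added example and not part of this article: it compares the identity that the AWS CLI is actually using with the principal you created the access entry for. When the credentials come from an assumed role, get-caller-identity reports an STS assumed-role ARN rather than the IAM role ARN, so a plain string comparison would report a mismatch; the helper maps the session ARN back onto the role ARN before comparing. The function names and the sample JSON are constructed for the example.

```shell
# Added example, not part of the AWS article: check that the identity the AWS
# CLI is using is the principal you created the access entry for. The JSON is
# constructed to look like get-caller-identity output for a role session.

# Extract the Arn field from get-caller-identity JSON (no jq dependency).
caller_arn() {
  sed -n 's/.*"Arn"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# A role session reports arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION, while
# the access entry is keyed on arn:aws:iam::ACCOUNT:role/ROLE. Map the session
# ARN onto the role ARN; IAM user and role ARNs pass through unchanged.
iam_principal_of() {
  printf '%s\n' "$1" |
    sed -E 's#^arn:aws:sts::([0-9]{12}):assumed-role/([^/]+)/.*$#arn:aws:iam::\1:role/\2#'
}

# identity_matches EXPECTED_PRINCIPAL_ARN CALLER_IDENTITY_JSON
# Returns 0 when the CLI credentials resolve to the expected principal.
identity_matches() {
  expected="$1"
  actual="$(printf '%s\n' "$2" | caller_arn)"
  [ -n "$actual" ] || { echo "no Arn field in caller identity" >&2; return 1; }
  actual="$(iam_principal_of "$actual")"
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "CLI identity is $actual, access entry is for $expected" >&2
  return 1
}

# Constructed sample; in real use pass "$(aws sts get-caller-identity)".
SAMPLE_IDENTITY='{
  "UserId": "AROAEXAMPLEID:dev-session",
  "Account": "111122223333",
  "Arn": "arn:aws:sts::111122223333:assumed-role/example-role/dev-session"
}'

if identity_matches "arn:aws:iam::111122223333:role/example-role" "$SAMPLE_IDENTITY"; then
  echo "credentials match the access entry principal; continue with update-kubeconfig"
fi
```

Run the check before update-kubeconfig: the Kubeconfig that command writes is only useful if the credentials it will present belong to a principal that has an access entry.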
Create Kubeconfig for your IAM entity
To create the Kubeconfig for your IAM role or user, run the following update-kubeconfig command:
aws eks update-kubeconfig --name my-cluster --region aws-region
Note: Replace my-cluster with your cluster name, and aws-region with your AWS Region.
Check your Kubernetes access
Confirm that your IAM entity is authenticated and that you can access your Amazon EKS cluster resources.
To check whether you can create pods in any namespace, run the following command:
kubectl auth can-i create pods --all-namespaces
To check whether you can list deployments in a specific namespace, run the following command:
kubectl auth can-i list deployments.apps -n test
Note: Replace test with the name of your namespace.