How do I resolve the "Your current user or role does not have access to Kubernetes objects on this EKS cluster" error in Amazon EKS?

Short description

You might receive this error when you use the AWS Management Console with an AWS Identity and Access Management (IAM) user or role. The error indicates that the IAM user or role lacks the required RBAC (from the Kubernetes website) permissions to access Kubernetes API. To view Kubernetes resources on the AWS Management Console, your AWS IAM user or role must map to aws-auth ConfigMap in your Amazon EKS cluster.

When you create an Amazon EKS cluster, your IAM user or role is automatically granted system:masters permissions in the cluster's RBAC configuration. This lets you view Kubernetes resources through the Amazon EKS console. It also lets you edit the aws-auth ConfigMap within Kubernetes, and grant additional AWS users or roles the ability to interact with the cluster.

Two different authorization systems are in use. The AWS Management Console uses IAM. The EKS cluster uses the Kubernetes RBAC system (from the Kubernetes website). The cluster’s aws-auth ConfigMap associates IAM identities (users or roles) with cluster RBAC identities. This means that the aws-auth ConfigMap associates IAM identities with Kubernetes identities.

Resolution

Prerequisites

Before you begin, collect the following information.

Non-admin user or role

If you aren't a cluster admin IAM user or role and require visibility on the Amazon EKS console, then complete the following steps:

1.    Get the IAM Identity Amazon Resource Name (ARN) of the AWS Management Console user.

If it's an IAM role, then use the following ARN format:

arn:aws:iam::111122223333:role/example

Important: Don't use the following format:

arn:aws:iam::111122223333:role/my-team/developers/example

2.    Provide the ARN to your cluster admin, and request that the admin add you to the aws-auth ConfigMap.

Note: See the Identify the IAM identity ARN of the AWS Management Console user section for steps on how to access your ARN.

Cluster creator or cluster admin user or role

If you're the cluster creator or cluster admin, then use the kubectl tool or the eksctl tool to manage the aws-auth ConfigMap.

Note: By default, the system:masters group is bound to the clusterrole that's named cluster-admin. This clusterrole uses the wildcard(“*”) for Resources and Verbs in its PolicyRule. This means that any user that's assigned to the system:masters group has full access to all the Kubernetes resources within the cluster.

See the Identify the cluster creator section for detailed steps on how cluster creators and cluster admins can identify their admin status.

Identify the IAM Identity ARN of the AWS Management Console user

Identify the IAM user or role that you're using to access the console. This might be different from the identity that you use with AWS Command Line Interface (AWS CLI). Confirm that the identified IAM user or role has permissions to view nodes and workloads for all clusters in the AWS Management Console. Then, get the IAM identity's ARN. Use one of the following options to access the ARN.

Use the AWS CLI

If you have AWS CLI access to the IAM user or role, then run the following command:

aws sts get-caller-identity --query Arn

Launch CloudShell

If you don't have AWS CLI access, then run the following command:

aws sts get-caller-identity --query Arn

The output is similar to the following:

"arn:aws:iam::111122223333:role/testrole"

-or-

"arn:aws:iam::111122223333:user/testuser"

Note:

• If it's an IAM role ARN, then make sure that the format is similar to the ARN format that you get from the Prerequisites section.
• If the ARN includes assumed-role, then you must get the ARN of the role. For example, the assumed role ARN of arn:aws:sts::123456:assumed-role/MyRole/aadams is associated with the role ARN arn:aws:sts::123456:role/MyRole. You can verify this value in the IAM console.

Identify the cluster creator

To find the cluster creator or admin role with primary permissions to configure your cluster, search for the CreateCluster API call in AWS CloudTrail. Then, check the userIdentity section of the API call.

Tip: If you find the cluster creator name in CloudTrail but it's deleted, then recreate a new IAM user or role with the same name. Because this new IAM entity has the same ARN as the original cluster creator, it inherits the same admin access to the cluster.

Note: CloudTrail provides only 90 days of history.

Add new IAM user or role to the Kubernetes RBAC, using kubectl or eksctl

Before you choose the kubectl or eksctl tool to edit the aws-auth ConfigMap, make sure that you complete step 1. Then, follow steps 2-4 to edit with kubectl. To edit with eksctl, proceed to step 5.

1.    After you identify the cluster creator or admin, configure AWS CLI to use the cluster creator IAM. See Configuration basics for more information.

To verify that AWS CLI is correctly configured with the IAM entity, run the following command:

$ aws sts get-caller-identity

The output returns the ARN of the IAM user or role. For example:

{
    "UserId": "XXXXXXXXXXXXXXXXXXXXX",
    "Account": "XXXXXXXXXXXX",
    "Arn": "arn:aws:iam::XXXXXXXXXXXX:user/testuser"
}

Note: If you receive errors when running the CLI commands, make sure that you're using the most recent version of AWS CLI.

2.     To modify the aws-auth ConfigMap with kubectl, you must have access to the cluster. Run the following kubectl command:

$ kubectl edit configmap aws-auth -n kube-system

The console shows the current configMap.

If you can't connect to the cluster, then try updating your kubeconfig file. Run the file with an IAM identity that has access to the cluster. The identity that created the cluster always has cluster access.

aws eks update-kubeconfig --region region_code --name my_cluster

Note: Replace region_code with your EKS cluster AWS Region code and my_cluster with your EKS cluster name.

The kubectl commands must connect to the EKS server endpoint. If the API server endpoint is public, then you must have internet access to connect to the endpoint. If the API server endpoint is private, then you must connect to the EKS server endpoint from within the VPC where the EKS cluster is running.

3.    To edit the aws-auth ConfigMap in the text editor as the cluster creator or admin, run the following command:

$ kubectl edit configmap aws-auth -n kube-system

4.   Add an IAM user or role:

mapUsers: |
  - userarn: arn:aws:iam::XXXXXXXXXXXX:user/testuser
    username: testuser
    groups:
    - system:bootstrappers
    - system:nodes

-or-

Add the IAM role to mapRoles. For example:

mapRoles: |
  - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/testrole
    username: testrole    
    groups:
    - system:bootstrappers
    - system:nodes

Consider the following information:

• system:masters allows a superuser access to perform any action on any resource. This isn't a best practice for production environments.
• It’s a best practice to minimize granted permissions. Consider creating a role with access to only a specific namespace. See Using RBAC Authorization on the Kubernetes website for information. Also, see Required permissions, and review the View Kubernetes resources in a specific namespace section for an example on the Amazon EKS console’s restricted access.

5.    The eksctl tool lets you update the aws-auth ConfigMap with the following command:

eksctl create iamidentitymapping --cluster your_cluster_Name --region=your_region --arn YOUR_IAM_ARN <arn:aws:iam::123456:role testing=""> --group system:masters --username admin</arn:aws:iam::123456:role>

Note: Replace your_cluster_Name with your EKS cluster name, your_region with your EKS cluster Region, and YOUR_IAM_ARN with your IAM role or use ARN.

Verify access to your Amazon EKS cluster

1.    Open the Amazon EKS console.

2.    In the Amazon EKS section the navigation pane, choose Clusters.

3.    Choose your cluster.

4.    Check the Overview and Workloads tabs for errors.

If you configured for a specific namespace, then you see the following error message in the Amazon EKS console:

Error loading Deployments
deployments.apps is forbidden: User "xxxxxx" cannot list resource "deployments" in API group "apps" at the cluster scope or in the namespace "xxxxxxx"

The error doesn't appear for the specific namespace.

To troubleshoot error messages, see Can't see Nodes on the Compute tab or anything on the Resources tab and you receive an error in the AWS Management Console.

---