addMasterRole to eks Blueprints

0

I am trying to set a master role, similar to addMasterRole, on my EKS cluster. For this I use:

const platformTeam = new blueprints.PlatformTeam({
  name: "admin",
  users: [new cdk.aws_iam.ArnPrincipal("arn:aws:iam::********:role/AWSReservedSSO_AdministratorAccess_********")]
});

But I always get the error

11:17:06 PM | CREATE_FAILED        | AWS::IAM::Role                        | teamadminAccessRole924BE173
Resource handler returned message: "Invalid principal in policy: "AWS":"arn:aws:iam::426003470206:role/AWSReservedSSO_AdministratorAccess_bf32112c95830c9e" (Service: Iam, Status Code: 400, Request ID: 3af5af51-f2ab-4767-bddc-28228eefef84)" (RequestToken: 40aa43ff-0537-0209-a403-5477f07e4104, HandlerErrorCode: InvalidRequest)

Is this not the way to use addMasterRole on a cluster, like with eks.AwsAuth? If not, how can I do this with EksBlueprints?

2 Answers
2
Accepted Answer

Hello,

When you enable admin cluster access for a specific role, you should use 'userRoleArn' rather than 'users', for example:

const adminTeam = new PlatformTeam({
    name: "second-adminteam", // make sure this is unique within organization
    userRoleArn: `${YOUR_ROLE_ARN}`
});

or for users:

export class TeamAwesome extends PlatformTeam {
    constructor(app: App) {
        super({
            name: "team-awesome",
            users: [
                new ArnPrincipal(`arn:aws:iam::${YOUR_IAM_ACCOUNT}:user/user1`),  
                new ArnPrincipal(`arn:aws:iam::${YOUR_IAM_ACCOUNT}:user/user2`)
            ]
        });
    }
}

AWS
SUPPORT ENGINEER
answered 3 months ago
EXPERT
reviewed 3 months ago
1

The approach you're using with EKS Blueprints is close, but there are a few adjustments needed to properly set up master access to your EKS cluster.

In EKS Blueprints, you don't directly use addMasterRole as you would with eks.AwsAuth. Instead, you define teams, including a platform team that has administrative access to the cluster.

The error you're encountering suggests that there might be an issue with the IAM role ARN you're using. Here's how you can modify your code to correctly set up the platform team:

  1. First, ensure that the IAM role ARN you're using is correct and has the necessary permissions.

  2. Then, modify your code to create the platform team like this:

     const platformTeam = new blueprints.PlatformTeam({
       name: "platform-team",
       userRoleArn: "arn:aws:iam::********:role/AWSReservedSSO_AdministratorAccess_********"
     });

  3. After defining the platform team, you need to add it to your EKS Blueprint when building the cluster:

     blueprints.EksBlueprint.builder()
       .addTeam(platformTeam)
       // ... other configuration ...
       .build(scope, 'my-eks-blueprint');

This approach will create the necessary IAM roles and Kubernetes RBAC configurations to grant the specified IAM role administrative access to your EKS cluster.

Remember to replace the placeholder ARN with your actual IAM role ARN. Also, make sure that the IAM role you're using has the necessary permissions to assume the roles created by EKS Blueprints.

If you're still encountering issues, double-check that the IAM role exists and that you have the correct permissions to reference it in your AWS account.
Sources
Simplify integration of your Amazon EKS cluster with Amazon EKS Blueprints for CDK | Integration & Automation

answered 3 months ago
EXPERT
reviewed 3 months ago
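Both answers come down to one rule: an IAM role that should get cluster-admin access goes into `userRoleArn`, while IAM users go into `users` as `ArnPrincipal`s, and the resulting team is passed to `.addTeam(...)` on the builder. The TypeScript below is an added illustration, not code from either answer or from EKS Blueprints: it turns that rule into a check that runs without aws-cdk-lib or eks-blueprints installed. `ArnPrincipal` and `PlatformTeamProps` here are minimal local stand-ins whose shapes are assumed to carry only the fields the answers use; `parseIamArn` splits an IAM ARN into account, principal type, path and name; `platformTeamProps` picks the right field and refuses a role listed under `users` (the setup that failed in the question); `identityCenterPathWarnings` flags an `AWSReservedSSO_` role ARN written without its `aws-reserved/sso.amazonaws.com` path. The account id 111111111111 and all ARNs in the examples are constructed. The object it returns is what you would hand to `new blueprints.PlatformTeam(...)` before `.addTeam(...)`.

```typescript
// Added example (not from the answers above or from EKS Blueprints): choose
// between PlatformTeam's `userRoleArn` and `users` from the kind of IAM
// principal being granted cluster-admin access. The class and interfaces are
// local stand-ins for the library types so this runs without the CDK packages.

/** Local stand-in for cdk.aws_iam.ArnPrincipal: only carries the ARN. */
class ArnPrincipal {
  constructor(public readonly arn: string) {}
}

/** Local stand-in for the PlatformTeam props fields the answers use. */
interface PlatformTeamProps {
  name: string;
  userRoleArn?: string;
  users?: ArnPrincipal[];
}

interface ParsedIamArn {
  partition: string;
  accountId: string;
  resourceType: "role" | "user";
  path: string;         // "/" or e.g. "/aws-reserved/sso.amazonaws.com/eu-west-1/"
  resourceName: string; // role or user name without the path
}

/** Parses an IAM role or user ARN; anything else is rejected. */
function parseIamArn(arn: string): ParsedIamArn {
  const m = /^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):(role|user)\/(.+)$/.exec(arn);
  if (!m) throw new Error(`not an IAM role or user ARN: ${arn}`);
  const [, partition, accountId, resourceType, rest] = m;
  const slash = rest.lastIndexOf("/");
  // The path is everything before the final name, including both slashes.
  const path = slash === -1 ? "/" : "/" + rest.slice(0, slash + 1);
  const resourceName = slash === -1 ? rest : rest.slice(slash + 1);
  if (resourceName.length === 0) throw new Error(`ARN has an empty name: ${arn}`);
  return { partition, accountId, resourceType: resourceType as "role" | "user", path, resourceName };
}

/**
 * Builds PlatformTeam props following the accepted answer: one IAM role maps
 * straight to `userRoleArn`; IAM users go into `users`. A role inside `users`
 * is refused here instead of reaching CloudFormation, where it surfaced as the
 * CREATE_FAILED on the team's generated access role in the question.
 */
function platformTeamProps(name: string, principals: string[]): PlatformTeamProps {
  if (principals.length === 0) throw new Error(`team ${name}: at least one principal is required`);
  const parsed = principals.map(parseIamArn);
  const roles = parsed.filter((p) => p.resourceType === "role");
  const users = parsed.filter((p) => p.resourceType === "user");
  if (roles.length > 0 && users.length > 0) {
    throw new Error(`team ${name}: roles and users need separate teams`);
  }
  if (roles.length > 1) {
    throw new Error(`team ${name}: userRoleArn takes a single role; create one team per role`);
  }
  if (roles.length === 1) return { name, userRoleArn: principals[0] };
  return { name, users: principals.map((arn) => new ArnPrincipal(arn)) };
}

/**
 * Heuristic check: IAM Identity Center creates its permission-set roles under
 * the path /aws-reserved/sso.amazonaws.com/, so an AWSReservedSSO_ role ARN
 * whose path is just "/" was almost certainly copied without the path and
 * names a role that does not exist.
 */
function identityCenterPathWarnings(principals: string[]): string[] {
  const warnings: string[] = [];
  for (const p of principals.map(parseIamArn)) {
    const looksLikeSso = p.resourceType === "role" && p.resourceName.startsWith("AWSReservedSSO_");
    if (looksLikeSso && !p.path.startsWith("/aws-reserved/sso.amazonaws.com/")) {
      warnings.push(`${p.resourceName}: Identity Center role ARN is missing its aws-reserved/sso.amazonaws.com path`);
    }
  }
  return warnings;
}

// Constructed sample principals (account 111111111111 is not a real account here).
const SAMPLE_ADMIN_ROLE =
  "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_AdministratorAccess_0123456789abcdef";
const SAMPLE_USERS = ["arn:aws:iam::111111111111:user/alice", "arn:aws:iam::111111111111:user/bob"];

// Usage: these props objects are what new blueprints.PlatformTeam(...) would receive.
const adminTeamProps = platformTeamProps("admin", [SAMPLE_ADMIN_ROLE]);
const devTeamProps = platformTeamProps("team-awesome", SAMPLE_USERS);
console.log(adminTeamProps, devTeamProps, identityCenterPathWarnings([SAMPLE_ADMIN_ROLE]));
```

The path warning is only a heuristic, but it catches the common copy-and-paste mistake: a trust policy or aws-auth mapping must name the role by the full ARN IAM reports, and an ARN that omits the path points at a role that does not exist, which is one way to get "Invalid principal in policy" on the generated access role. Keeping this kind of check in the CDK app means a bad ARN fails `cdk synth` in seconds rather than a CloudFormation rollback minutes into a deploy.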
