Unable to connect to role-based EKS cluster w/ kubectl
I'm starting to set up brand new infrastructure, and I'm unable to use kubectl to connect to a new EKS cluster.
As my root user I created an EKS cluster and a node group, each with their own roles as described here and here .
The EKS's auth config map specifies the role as expected:
I've updated the trusted entities for the role:
And I've updated the user's policies to assume the role:
I've got aws cli installed and I've created an access key for the user, however when I update the kubeconfig I get a nondescript unauthorized error
Based off of the debugging instructions here, it looks like the EKS cluster above already has a rolearn that should match the role that I've created. Is it required that I also add users explicitly to the configmap if they weren't the user that created the cluster?
- Newest
- Most votes
- Most comments
The error may be related to the path of the kubeconfig. Can u please check the path of the kubeconfig. and if this seems to be correct then This could be because the cluster was created with credentials for one IAM principal and kubectl is using credentials for a different IAM principal. To get more information about this refer to this: Unauthorized or access denied (kubectl).
Relevant content
- Accepted Answerasked 2 years ago
- asked 2 years ago
AWS OFFICIALUpdated a month ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
Hi, it's not the kubeconfig path - I've used kubectl with other providers for a while no w/ no issues.
The troubleshooting page that you linked recommends creating a kubeconfig using a role. I attempted this (my last screenshot) and it still didn't authenticate. I've fixed it in the short term by adding my low priv user to the cluster directly with eksctl and a userarn mapUsers entry, but my question is can I authenticate directly with the role as the docs imply.