How to Add IAM User and IAM Role to AWS EKS Cluster?¶
- You can find the source code for this video in my GitHub Repo.
- If you want to create an EKS cluster using Terraform, you can follow this tutorial.
Add IAM User to EKS Cluster¶
Create a ClusterRole with read-only access to the Kubernetes cluster and bind it with a ClusterRoleBinding. Name the file
Apply RBAC policies with kubectl.
Create an IAM policy to let users view nodes and workloads for all clusters in the AWS Management Console. Give it a name
We can attach the IAM policy directly to the IAM user or follow the best practice and create an IAM group first. Let's call it
Then, we need an IAM user. Let's create one and call it
developer. We're going to place it in the
developers IAM group with read-only access. Don't forget to download the credentials; we will use them to configure the AWS CLI.
Now, we need to create a local AWS profile using the
developer user's credentials. To do that, simply add
To map the IAM user to the Kubernetes RBAC system, we need to modify the
aws-auth configmap. Open the config map and add the ARN of the IAM user under
Now, we need to switch to the
developer user. We need to update the Kubernetes context using the
developer profile. Don't forget to update the region and the cluster name.
You can verify that the Kubernetes context uses the
developer profile to interact with the EKS cluster.
By now, we have created an RBAC policy with read-only access and mapped it to the IAM
developer user. Let's see what we can do in our cluster now. You can run
kubectl auth can-i <object> to verify access. First, let's check if we can get pods in the Kubernetes cluster. The response should be
Then, let's check if we can create pods in Kubernetes. The response should be
- You can also try to create the pod. You should get
Add IAM Role to EKS Cluster¶
- First of all, let's create an IAM policy with admin access to EKS clusters. Give it a name
AmazonEKSAdminPolicy. To view information on the Nodes and Workloads in the AWS Management Console, you need additional IAM permissions, as well as Kubernetes permissions.
Create an eks-admin IAM role and attach the
AmazonEKSAdminPolicy policy that you just created. Select
Another AWS account and enter your account ID.
Optionally, you can describe the
eks-admin role to check who can use it. Since the trust policy allows the whole AWS account, potentially any IAM user in it can assume this role if they have an appropriate policy in place.
For any user that wants to use the
eks-admin IAM role, we need to create an additional
AmazonEKSAssumeEKSAdminPolicy policy that allows assuming the role.
To test it, we need another IAM user. Let's create a
manager user and allow it to use the
eks-admin IAM role. In this case, just attach
AmazonEKSAssumeEKSAdminPolicy directly to the user.
As with the previous user, we need to create a
You can check if the
manager user can assume the
eks-admin role by running the following command. If we get credentials back, it means we can use it.
Now, we need to switch back to the user that created the EKS cluster. When you omit the profile, the AWS CLI will use the
It's a very similar process to add an IAM role. You also need to update the
aws-auth configmap. In this case, we will map the role to the Kubernetes RBAC group
system:masters that ships with the cluster and grants unrestricted cluster-admin access.
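The pieces from this section and from the IAM user section above, put together as one added example (not the tutorial's own files): the read-only ClusterRole and its ClusterRoleBinding, and the aws-auth ConfigMap mapping the developer user and the eks-admin role. The account ID 111122223333, the <node-instance-role> placeholder and the Kubernetes group name reader are assumptions.

```yaml
# Read-only ClusterRole; the name "reader" is an assumption
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: reader
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "namespaces", "nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: reader
subjects:
  - kind: Group
    name: reader
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: reader
  apiGroup: rbac.authorization.k8s.io
---
# aws-auth ConfigMap; 111122223333 and <node-instance-role> are placeholders
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  # Keep the node role entry EKS created, otherwise nodes can no longer join
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/<node-instance-role>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::111122223333:role/eks-admin
      username: eks-admin
      groups:
        - system:masters
  # IAM user -> RBAC group; permissions come only from the ClusterRoleBinding above
  mapUsers: |
    - userarn: arn:aws:iam::111122223333:user/developer
      username: developer
      groups:
        - reader
```

The developer user ends up with only the verbs listed in the reader ClusterRole, while the eks-admin role bypasses RBAC authorization entirely through system:masters, so keep the set of principals allowed to assume it small.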
Finally, to test the IAM role, we need to create an
eks-admin profile config that assumes the role as the
manager user. You need to add it to
Update Kubernetes context to automatically assume
You can check the context with the following command.
Now check that the manager user has admin access to the EKS cluster. The response should be
You can also try to create a pod using the previous command.
- Delete IAM policies
- Delete IAM roles
- Delete IAM groups
- Delete IAM users