Convox Community

[RESOLVED] How can I get permission to access the EKS cluster from the AWS console?

I’ve tried signing in as the root user, and also as a new user with the AdministratorAccess policy. I’m not able to view any Kubernetes objects with either of these users:

The error says:

Your current user or role does not have access to Kubernetes objects on this EKS cluster

This may be due to the current user or role not having Kubernetes RBAC permissions to describe cluster resources or not having an entry in the cluster’s auth config map.

Link: Troubleshooting IAM - Amazon EKS

My IAM user needs this:

  • Has a mapping to a Kubernetes user or group in the aws-auth configmap. For more information about adding IAM users or roles to the aws-auth configmap, see Managing users or IAM roles for your cluster. If the user or role isn’t mapped, the console error may include Unauthorized: Verify you have access to the Kubernetes cluster

I found this file in convox/rack, which seems to set up aws-auth for k8s: rack/cluster.yml.tmpl at 51bd19bdbe5905c146a0686e4f6c33dbf022a696 · convox/rack · GitHub

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: {{.NodesRole}}
      username: system:node:{{"{{"}}EC2PrivateDNSName{{"}}"}}
      groups:
        - system:bootstrappers
        - system:nodes
  {{ with .AdminUser }}
  mapUsers: |
    - userarn: {{.}}
      username: admin
      groups:
        - system:masters
  {{ end }}

Another docs page: Managing users or IAM roles for your cluster - Amazon EKS

I’m a bit stuck now, and I also don’t know how to set up kubectl to access the k8s cluster. How can I fix my authentication so that I have permission to view EKS?

I found the Direct Kubernetes Access page in the docs: Convox Docs

The Configure kubectl to Point at Your Rack section was really helpful, so thanks for this!

These instructions worked, and now I can view namespaces and pods, etc.:

$ kubectl get namespace
NAME                 STATUS   AGE
cert-manager         Active   3h5m
default              Active   3h11m
ds-test3-myapp       Active   3h
ds-test3-system      Active   3h5m
kube-node-lease      Active   3h11m
kube-public          Active   3h11m
kube-system          Active   3h11m

$ kubectl get pods --namespace=ds-test3-myapp
NAME                                 READY   STATUS    RESTARTS   AGE
resource-database-7b9cb5ddb5-vznrb   1/1     Running   0          25m
resource-redis-5fc7577b9d-h52tv      1/1     Running   0          25m
web-97898fd59-72n7c                  1/1     Running   0          36m
web-97898fd59-dvcxm                  1/1     Running   0          36m
web-97898fd59-j2dlp                  1/1     Running   0          14m
web-97898fd59-vv77m                  1/1     Running   0          15m
worker-84c997fb55-2mmxs              1/1     Running   0          14m
worker-84c997fb55-wczpb              1/1     Running   0          25m
worker-84c997fb55-zfx85              1/1     Running   0          36m

Woohoo, I figured it out!

After I got kubectl working, I could follow the “To add an IAM user or role to an Amazon EKS cluster” instructions on this page: Managing users or IAM roles for your cluster - Amazon EKS

Tip: Run export KUBE_EDITOR=vim to edit the config in vim.

$ export KUBE_EDITOR=vim
$ kubectl edit -n kube-system configmap/aws-auth

This opened vim with the k8s auth config. I added the mapUsers section to add an “admin” user to the system:masters group:

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::1234123412341234:role/ds-test3-nodes
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - userarn: arn:aws:iam::1234123412341234:user/nathan
      username: admin
      groups:
        - system:masters
kind: ConfigMap
metadata:
  creationTimestamp: "2021-09-16T22:30:37Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "859"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: *****

After I saved the file and quit vim, I was able to view the k8s resources for the EKS cluster:
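The fix in this thread maps the IAM user into `system:masters`, which bypasses every RBAC rule on the cluster. The script below is an added example (it is not Convox code and not part of the thread) that audits an `aws-auth` ConfigMap for such grants and shows the least-privilege alternative: mapping the principal to a custom group that is bound to the built-in `view` ClusterRole. The sample ConfigMap is constructed from the values the poster showed (placeholder account id and names); the group name `eks-readonly` is an assumption, not an EKS convention. The parser handles only the simple list-of-mappings shape that `aws-auth` uses, not general YAML.

```python
"""Audit an EKS aws-auth ConfigMap for cluster-admin (system:masters) grants.

Added example, not Convox or AWS code. Input mimics the JSON that
`kubectl get configmap aws-auth -n kube-system -o json` prints, where
mapRoles/mapUsers are YAML strings inside the `data` field.
"""
import json

# Constructed sample: the ConfigMap as edited in the thread (placeholder account
# id and names taken from the poster's output).
SAMPLE_AWS_AUTH_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "aws-auth", "namespace": "kube-system"},
    "data": {
        "mapRoles": (
            "- groups:\n"
            "  - system:bootstrappers\n"
            "  - system:nodes\n"
            "  rolearn: arn:aws:iam::1234123412341234:role/ds-test3-nodes\n"
            "  username: system:node:{{EC2PrivateDNSName}}\n"
        ),
        "mapUsers": (
            "- userarn: arn:aws:iam::1234123412341234:user/nathan\n"
            "  username: admin\n"
            "  groups:\n"
            "    - system:masters\n"
        ),
    },
})


def parse_mappings(block: str) -> list:
    """Parse a mapRoles/mapUsers block into a list of dicts.

    Each entry becomes {"rolearn"|"userarn": ..., "username": ..., "groups": [...]}.
    A "- " line at the shallowest indent starts a new entry; deeper "- " lines
    are members of that entry's groups list. Key order inside an entry does not
    matter, so "- groups:" as the first key (as kubectl prints it) works.
    """
    entries = []
    entry_indent = None
    for raw in block.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if line.startswith("- "):
            if entry_indent is None:
                entry_indent = indent
            if indent == entry_indent:            # new mapping entry
                entries.append({"groups": []})
                line = line[2:].strip()           # fall through: first key of entry
            else:                                 # member of the groups list
                entries[-1]["groups"].append(line[2:].strip())
                continue
        key, _, value = line.partition(":")       # split on the first colon only
        if key.strip() == "groups":
            continue                              # members follow on "- " lines
        entries[-1][key.strip()] = value.strip()
    return entries


def cluster_admin_grants(configmap_json: str) -> list:
    """Return (kind, arn, username) for every mapping placed in system:masters.

    system:masters is honoured before RBAC, so any principal listed here is a
    full cluster admin whatever its IAM policies say. Node roles are expected
    to carry system:bootstrappers and system:nodes only.
    """
    data = json.loads(configmap_json).get("data", {})
    findings = []
    for kind, arn_key, field in (("role", "rolearn", "mapRoles"),
                                 ("user", "userarn", "mapUsers")):
        for m in parse_mappings(data.get(field, "")):
            if "system:masters" in m["groups"]:
                findings.append((kind, m.get(arn_key, "?"), m.get("username", "?")))
    return findings


def read_only_mapping(userarn: str, username: str, group: str = "eks-readonly") -> tuple:
    """Least-privilege alternative to system:masters.

    Returns (mapUsers entry, ClusterRoleBinding manifest) that maps the IAM
    principal to a custom group and binds that group to the built-in `view`
    ClusterRole (read-only on namespaced objects). The group name is an
    assumption made for this example.
    """
    entry = f"- userarn: {userarn}\n  username: {username}\n  groups:\n    - {group}\n"
    binding = (
        "apiVersion: rbac.authorization.k8s.io/v1\n"
        "kind: ClusterRoleBinding\n"
        f"metadata:\n  name: {group}-view\n"
        "subjects:\n"
        f"  - kind: Group\n    name: {group}\n    apiGroup: rbac.authorization.k8s.io\n"
        "roleRef:\n  kind: ClusterRole\n  name: view\n  apiGroup: rbac.authorization.k8s.io\n"
    )
    return entry, binding


if __name__ == "__main__":
    for kind, arn, user in cluster_admin_grants(SAMPLE_AWS_AUTH_JSON):
        print(f"cluster-admin via system:masters: {kind} {arn} -> username {user}")
    entry, binding = read_only_mapping("arn:aws:iam::1234123412341234:user/nathan", "nathan")
    print("suggested mapUsers entry:\n" + entry)
    print("apply with kubectl apply -f:\n" + binding)
```

Run it against real output by replacing `SAMPLE_AWS_AUTH_JSON` with the text of `kubectl get configmap aws-auth -n kube-system -o json`; anything it reports as a `system:masters` grant is a principal whose access is not governed by RBAC at all, which is worth knowing before the mapping is left in place for day-to-day console use.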