Grant federated users access to Kubernetes resources in the EKS console

Even though you're an administrator of your AWS account, you probably see the warning below when viewing your cluster in the EKS console.

Your current user or role does not have access to Kubernetes objects on this EKS cluster.

This happens because Kubernetes has its own RBAC authorization, while AWS uses IAM to grant permissions to users. You have to map your IAM user or role to a Kubernetes RBAC identity (a username and its groups) to grant it access to Kubernetes resources in the EKS cluster.

The documentation above demonstrates how to add IAM roles/users to an EKS cluster so that those roles/users can access Kubernetes resources. However, it is not clear about how to add federated users to an EKS cluster.

I ran into two scenarios in which federated AWS users need to access Kubernetes resources in the EKS console:

  1. Use corporate SSO to access an internal system, then log into the AWS account by assuming an existing role of that account
  2. Use a tool like AWS Vault or an Alfred workflow to log into the AWS console using the access key/secret key of an IAM user

Finally, the configuration below (the `aws-auth` ConfigMap) turned out to grant both kinds of federated users access to Kubernetes resources in the EKS console:

```yaml
apiVersion: v1
kind: ConfigMap            # the EKS identity mapping lives in the aws-auth ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - groups:
        - system:bootstrappers
        - system:nodes
      rolearn: arn:aws:iam::123456789012:role/cluster-nodegroup-n-NodeInstanceRole-1OQT1WT84WVS8 # created by eksctl when bootstrapping the cluster
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
        - eks-console-dashboard-full-access-group
      rolearn: arn:aws:iam::123456789012:role/Admin # grants the federated user who logs in by assuming this role (scenario 1)
      username: Admin/kane
  mapUsers: |
    - userarn: arn:aws:sts::123456789012:federated-user/kane # grants the federated user created by aws-vault (scenario 2)
      username: ops-user
      groups:
        - eks-console-dashboard-full-access-group
```