How to add other IAM users to provide access to AWS EKS

How to add other IAM users to provide access to AWS EKS

After deploying a stack, if someone tries to access AWS EKS using kubectl, (s)he will get the following authorization error:
      "error: You must be logged in to the server (Unauthorized)."

This happens when the Amazon EKS cluster is created by an IAM user or role that's different from the one used by aws-iam-authenticator.
For example, this happens when user A deploys a stack, and user B downloads kubeconfig of the deployed stack and tries to access the EKS using kubectl.

Initially, only the creator of the Amazon EKS cluster has system:masters permissions to configure the cluster. To extend system:masters permissions to other users and roles, you must add the aws-auth ConfigMap to the configuration of the Amazon EKS cluster. The ConfigMap allows other IAM entities, such as users and roles, to access the Amazon EKS cluster.

To resolve this issue, you need to add other IAM users to the EKS cluster as described in the AWS document.
Follow the section of the AWS document:
  1. If the AWS component of the stack is configured with IAM Access Keys, follow the section of Add designated_user to the ConfigMap if cluster_creator is an IAM user.
  2. If the AWS component of the stack is configured with IAM Role, follow the section of Add designated_user to the ConfigMap if the cluster_creator is an IAM role.
    Note: To allow other IAM users to assume the role of cluster_creator using "aws sts assume-role," the assumed role permission must be granted to the IAM users first. See the detail here for granting an IAM user to assume a role.


    • Related Articles

    • How to add AWS IAM Access Keys to snapblocs

      When deploying a snapblocs stack, snapblocs provisions the stack within the customer’s AWS account. The stack is integrated with Amazon EKS for Kubernetes clusters using AWS EC2 instances and other AWS resources. snapblocs manages the lifecycle of ...
    • How to add AWS IAM Role to snapblocs

      When deploying a snapblocs stack, snapblocs provisions the stack within the customer's AWS account. The stack is integrated with Amazon EKS for Kubernetes clusters using AWS EC2 instances and other AWS resources. snapblocs manages the lifecycle of ...
    • How to Create AWS IAM Access Keys

      AWS IAM Access Key ID and Secret Access Key IAM Access Keys allows snapblocs to securely access your Amazon AWS environment for deploying and collecting statistics of your platform stacks, etc.  Your Access Key values are encrypted and stored on the ...
    • AWS Provider Access Method

      Add an AWS provider access method to snapblocs before configuring or deploying a stack. When configuring a stack, snapblocs will retrieve some AWS account information such as available VPCs, Subnets, SSH Key Pairs, etc. This information is ...
    • How to Create AWS IAM Role

      IAM Role allows snapblocs to securely access your Amazon AWS environment for deploying and collecting statistics of your platform stacks, etc.  Your IAM Role data is encrypted and stored on the secured AWS Systems Manager Parameter Store (not on the ...