Share EKS Cluster¶
This guide will walk you through granting other users access to your EKS cluster.
Overview
What You’ll Need¶
- An existing EKS cluster.
- The account ID of your AWS account.
- The name of the IAM user or role you want to grant access to.
Procedure¶
1. Edit the aws-auth ConfigMap in the kube-system namespace:

       root@rok-tools:~# kubectl edit configmap aws-auth -n kube-system

   Add an entry under the data field for each IAM user or IAM role you wish to grant access to. Choose one of the following options based on whether you want to grant access to a user or an IAM role.

   IAM user:

       data:
         mapUsers: |
           - userarn: arn:aws:iam::<AWS_ACCOUNT_ID>:user/<AWS_IAM_USER>
             username: <AWS_IAM_USER>
             groups:
               - system:masters

   Replace <AWS_ACCOUNT_ID> with the account ID of the user you wish to grant access to your cluster and <AWS_IAM_USER> with their username.

   IAM role:

       data:
         mapRoles: |
           - rolearn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<AWS_IAM_ROLE>
             username: system:node:{{EC2PrivateDNSName}}
             groups:
               - system:masters

   Replace <AWS_ACCOUNT_ID> with the account ID of the IAM role you wish to grant access to your cluster and <AWS_IAM_ROLE> with the name of the role.

   Note
   If the aws-auth ConfigMap does not exist in your cluster, there is an example one in your GitOps repository under rok/eks/aws-auth.yaml that you can edit and apply directly.

   See also
   - Official docs on sharing an EKS cluster.
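The mapUsers and mapRoles entries above are easy to mistype, and every entry in this guide grants system:masters, which Kubernetes treats as cluster-admin regardless of RBAC. The following Python helper is an added example, not part of this guide or of Rok: it builds entries in the exact shape shown above, renders them for pasting into the ConfigMap, and lists what a reviewer should check (malformed ARNs, duplicates, cross-account principals, system:masters grants) before applying. The account ID and principal names used in the test are constructed placeholders.

```python
import re

ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(user|role)/([\w+=,.@/-]+)$")
# system:masters bypasses RBAC entirely, so every grant of it is worth a second look.
PRIVILEGED_GROUPS = {"system:masters"}

def user_mapping(account_id, user_name, groups=("system:masters",)):
    """Return the mapUsers entry this guide describes for one IAM user."""
    return {
        "userarn": f"arn:aws:iam::{account_id}:user/{user_name}",
        "username": user_name,
        "groups": list(groups),
    }

def role_mapping(account_id, role_name, groups=("system:masters",)):
    """Return the mapRoles entry this guide describes for one IAM role."""
    return {
        "rolearn": f"arn:aws:iam::{account_id}:role/{role_name}",
        "username": "system:node:{{EC2PrivateDNSName}}",
        "groups": list(groups),
    }

def render(entries):
    """Render entries as the YAML list that goes under mapUsers / mapRoles."""
    lines = []
    for e in entries:
        arn_key = "userarn" if "userarn" in e else "rolearn"
        lines.append(f"- {arn_key}: {e[arn_key]}")
        lines.append(f"  username: {e['username']}")
        lines.append("  groups:")
        lines.extend(f"    - {g}" for g in e["groups"])
    return "\n".join(lines) + "\n"

def audit(entries, own_account_id):
    """Return review findings for a set of aws-auth entries (empty list = nothing flagged)."""
    findings, seen = [], set()
    for e in entries:
        arn = e.get("userarn") or e.get("rolearn", "")
        m = ARN_RE.match(arn)
        if not m:
            findings.append(f"malformed ARN: {arn!r}")
            continue
        if m.group(1) != own_account_id:
            findings.append(f"cross-account principal {arn} (account {m.group(1)})")
        if arn in seen:
            findings.append(f"duplicate mapping for {arn}")
        seen.add(arn)
        for g in PRIVILEGED_GROUPS & set(e["groups"]):
            findings.append(f"{arn} is granted {g} (cluster-admin)")
    return findings
```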
2. Ensure that the user has sufficient permissions on EKS resources.

   Note
   You can give the necessary permissions to the user by creating a new group with the AmazonEKSAdminPolicy, for example, and adding the user to the group.

3. Ask the user to follow the Configure AWS CLI guide so that they can access AWS resources with aws.

4. Ask the user to follow the Access EKS Cluster guide so that they can access Kubernetes with kubectl.

   Important
   In case the Kubernetes API server is firewalled, ask the user to connect from a trusted source, for example, via a trusted VPN.
What’s Next¶
Check out the rest of the maintenance operations that you can perform on your cluster.