DEV Community

🚀 Vu Dao 🚀 for AWS Community ASEAN



EKS Cluster CONSOLE CREDENTIALS

OOPS!!! "error: You must be logged in to the server (Unauthorized)" - If you get this error when trying to run kubectl commands against an EKS cluster, read on ⤵️⤵️⤵️

- When an Amazon EKS cluster is created, the IAM entity (user or role) that creates the cluster is automatically granted system:masters permissions in the cluster's Kubernetes RBAC configuration. Initially, only that IAM entity can make calls to the Kubernetes API server using kubectl. Note that this creator identity is not listed in the aws-auth ConfigMap, so keep track of which user or role created the cluster. Make sure the console you run kubectl from (for example an EC2 instance) is using that user's or role's credentials for the following steps; otherwise kubectl will fail with the Unauthorized error above.

- In this tutorial, we show how to give an IAM entity system:masters permissions on an existing EKS cluster, attach that role to an EC2 instance, and access the cluster via kubectl installed on that instance.

Pre-Requisite:

  • An existing EKS cluster
  • Full IAM access (to create users/roles and attach instance profiles)

🚀 Authentication and authorization in Amazon EKS

  • In simple terms: when kubectl makes an API call to the EKS cluster, it first runs aws eks get-token, which uses the caller's IAM credentials to build a pre-signed sts:GetCallerIdentity request and wraps it as a bearer token. The identity carried by that token is the same one aws sts get-caller-identity reports.
  • Amazon EKS validates that token through its authentication webhook (aws-iam-authenticator) to establish who the caller is, but it still relies on native Kubernetes RBAC for authorization.
  • The crux of this integration between IAM and RBAC is the aws-auth ConfigMap in the kube-system namespace of the cluster, which maps IAM principals (roles/users) to Kubernetes subjects (users/groups).
  • Ref: https://aws.amazon.com/blogs/containers/kubernetes-rbac-and-iam-integration-in-amazon-eks-using-a-java-based-kubernetes-operator/
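To make the token format concrete, here is an added example (it is not from the original post and not AWS's own code) that wraps and unwraps a bearer token the way aws eks get-token and the authenticator do: the token is the literal prefix k8s-aws-v1. followed by the base64url encoding (no padding) of a pre-signed sts:GetCallerIdentity URL. The pre-signed URL below is constructed with a fake access key and signature; only its shape matches what the CLI emits for the page's region ap-northeast-2. The check function shows what a practitioner should look for when inspecting a token: the Action, the x-k8s-aws-id signed header (it carries the cluster name, so a token minted for one cluster cannot be replayed against another) and the short expiry.

```shell
#!/bin/sh
# Constructed sample of what `aws eks get-token --cluster-name eks-cluster` signs:
# a pre-signed sts:GetCallerIdentity URL. Credential and signature values are fake.
SAMPLE_PRESIGNED_URL='https://sts.ap-northeast-2.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20210612%2Fap-northeast-2%2Fsts%2Faws4_request&X-Amz-Date=20210612T062332Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=00000000000000000000000000000000'

# Wrap a pre-signed URL the way the CLI does: "k8s-aws-v1." + base64url without padding.
eks_token_encode() {
  printf 'k8s-aws-v1.%s' "$(printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_')"
}

# Reverse it: strip the prefix, restore the standard base64 alphabet and padding, decode.
eks_token_decode() {
  case "$1" in
    k8s-aws-v1.*) ;;
    *) echo "not an EKS bearer token (missing k8s-aws-v1. prefix)" >&2; return 1 ;;
  esac
  body=$(printf '%s' "${1#k8s-aws-v1.}" | tr '_-' '/+')
  case $(( ${#body} % 4 )) in
    2) body="${body}==" ;;
    3) body="${body}=" ;;
  esac
  printf '%s' "$body" | base64 -d
}

# Pull one query parameter (first match) out of a URL.
url_param() {
  printf '%s\n' "$1" | tr '?&' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# Sanity-check a token: it must be a GetCallerIdentity request whose signature covers
# the x-k8s-aws-id header (the cluster name lives there) and it must carry the short
# 60-second expiry the CLI requests. Returns 1 and explains on stderr otherwise.
eks_token_check() {
  url=$(eks_token_decode "$1") || return 1
  [ "$(url_param "$url" Action)" = "GetCallerIdentity" ] || { echo "not a GetCallerIdentity request" >&2; return 1; }
  case "$(url_param "$url" X-Amz-SignedHeaders)" in
    *x-k8s-aws-id*) ;;
    *) echo "x-k8s-aws-id is not a signed header" >&2; return 1 ;;
  esac
  expires=$(url_param "$url" X-Amz-Expires)
  [ -n "$expires" ] && [ "$expires" -le 60 ] || { echo "unexpected X-Amz-Expires: $expires" >&2; return 1; }
  printf 'ok: signed at %s, valid %ss, signed headers %s\n' \
    "$(url_param "$url" X-Amz-Date)" "$expires" "$(url_param "$url" X-Amz-SignedHeaders)"
}
```

On a real cluster you would feed eks_token_check the .status.token field of the JSON that aws eks get-token --cluster-name eks-cluster prints. Treat that value like a credential: anyone who obtains it within its lifetime can call the API server as you.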

🚀 Check the aws-auth ConfigMap to see which roles are bound to the cluster

  • The following command shows that the role eks-admin-role is mapped to the system:masters group, i.e. it is a cluster administrator. The second entry, eks-worker-role, is the node role (system:bootstrappers and system:nodes) that lets worker nodes join the cluster; leave it alone.
[ec2-user@eks-ctl ~]$ kubectl describe configmap -n kube-system aws-auth
Name:         aws-auth
Namespace:    kube-system
Labels:       aws.cdk.eks/prune-c8c49db9cb02222a1111111db00d4db8236bxxxxxx=
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"v1","data":{"mapAccounts":"[]","mapRoles":"[{\"rolearn\":\"arn:aws:iam::123456789012:role/eks-admin-role\",\"username\":\"

Data
====
mapAccounts:
----
[]
mapRoles:
----
[{"rolearn":"arn:aws:iam::123456789012:role/eks-admin-role","username":"arn:aws:iam::123456789012:role/eks-admin-role","groups":["system:masters"]},{"rolearn":"arn:aws:iam::123456789012:role/eks-worker-role","username":"system:node:{{EC2PrivateDNSName}}","groups":["system:bootstrappers","system:nodes"]}]
mapUsers:
----
[]
Events:  <none>
  • If you have permission to attach that role to an EC2 instance or an AWS Cloud9 environment, move on to the next step and create the kubeconfig file.

🚀 Create kubeconfig file to access EKS cluster

  • What is Kubeconfig File - A kubeconfig file is a file used to configure access to Kubernetes when used in conjunction with the kubectl commandline tool (or other clients).
  • How to generate the kubeconfig file? Run aws eks update-kubeconfig with the cluster name and region:
[ec2-user@eks-ctl ~]$ aws eks update-kubeconfig --name eks-cluster --region ap-northeast-2
Added new context arn:aws:eks:ap-northeast-2:123456789012:cluster/eks-cluster to /home/ec2-user/.kube/config
  • Check the content of /home/ec2-user/.kube/config (or run kubectl config view --minify) and look at the exec args. When you use kubectl to interact with Amazon EKS, it runs the aws eks get-token command under the hood to fetch an authentication token, which is then passed in the Authorization header of every HTTP request sent to the Kubernetes API server.
[ec2-user@eks-ctl ~]$ kubectl config view --minify
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: <API server endpoint>
  name: arn:aws:eks:ap-northeast-2:123456789012:cluster/eks-cluster
contexts:
- context:
    cluster: arn:aws:eks:ap-northeast-2:123456789012:cluster/eks-cluster
    user: arn:aws:eks:ap-northeast-2:123456789012:cluster/eks-cluster
  name: arn:aws:eks:ap-northeast-2:123456789012:cluster/eks-cluster
current-context: arn:aws:eks:ap-northeast-2:123456789012:cluster/eks-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks:ap-northeast-2:123456789012:cluster/eks-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - ap-northeast-2
      - eks
      - get-token
      - --cluster-name
      - eks-cluster
      command: aws
      env: null

🚀 Allowing a user, role or instance profile to call the EKS cluster API

- To check the AWS credentials of the IAM role attached to an instance, query the instance metadata service (replace eks-admin-role with the name of your role). A quicker check that does not print the secret key is aws sts get-caller-identity, which should report that role's ARN.

[ec2-user@eks-ctl ~]$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/eks-admin-role
{
  "Code" : "Success",
  "LastUpdated" : "2021-06-12T06:23:32Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "<AWS_ACCESS_KEY>",
  "SecretAccessKey" : "<AWS_SECRET_KEY>",
  "Token" : "<THE_TOKEN>",
  "Expiration" : "2021-06-12T12:38:22Z"
}
  • Note: If the preceding curl command returns a 404 error or hangs, check that requests to the metadata address are not being sent through an HTTP proxy:
$ export NO_PROXY=169.254.169.254
  • Note: If the instance is configured to require IMDSv2 (HttpTokens set to required), a plain GET like the one above is rejected; you must first request a session token with a PUT and send it in the X-aws-ec2-metadata-token header.
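As an added example (not from the original post), the same lookup done the IMDSv2 way, plus a helper that summarises the returned document without echoing the secret key or session token. The fetch function only works on an EC2 instance and is not called when the script loads; the summary function is exercised on a constructed document modelled on the output above (all values are placeholders). The role name eks-admin-role is the page's; the 300-second token TTL is an arbitrary choice for this example.

```shell
#!/bin/sh
# Fetch the instance role's temporary credentials through IMDSv2: obtain a session
# token with a PUT, then present it on the credentials request. Needs to run on EC2.
imds_fetch_credentials() {
  role="$1"
  token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 300") || return 1
  curl -sS -H "X-aws-ec2-metadata-token: $token" \
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/$role"
}

# Read one string field out of the flat JSON document IMDS returns (no jq needed).
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Summarise a credentials document without printing the secret parts: enough to confirm
# that the role is attached and the credentials are current, and safe to paste elsewhere.
imds_credentials_summary() {
  doc="$1"
  code=$(json_field "$doc" Code)
  [ "$code" = "Success" ] || { echo "credential fetch failed: Code=$code" >&2; return 1; }
  key=$(json_field "$doc" AccessKeyId)
  printf 'AccessKeyId=%s... Expiration=%s\n' \
    "$(printf '%s' "$key" | cut -c1-4)" "$(json_field "$doc" Expiration)"
}

# Constructed sample with the same shape as the document shown above; nothing here is real.
SAMPLE_CREDENTIALS='{
  "Code" : "Success",
  "LastUpdated" : "2021-06-12T06:23:32Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLEKEY",
  "SecretAccessKey" : "not-a-real-secret",
  "Token" : "not-a-real-session-token",
  "Expiration" : "2021-06-12T12:38:22Z"
}'
```

On an instance you would run imds_credentials_summary "$(imds_fetch_credentials eks-admin-role)". Keep the full document off your terminal and out of logs: the three secret fields in it are a usable credential for the role until the Expiration time.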

- If you have full IAM access, you can allow more users/roles to access the EKS cluster by updating the aws-auth ConfigMap:

  • Run kubectl edit configmap aws-auth -n kube-system
    • Add the IAM user to mapUsers (here the eks-test user). The user needs no IAM permissions of its own: this mapping is what grants it cluster access, and system:masters makes it a full cluster administrator.
  mapUsers: |
    - userarn: arn:aws:iam::123456789012:user/eks-test
      username: eks-test
      groups:
        - system:masters
    • Add the IAM role to mapRoles. Use the IAM role ARN (not the STS assumed-role ARN that get-caller-identity shows) and without any path, and append it to the existing mapRoles list rather than replacing it, otherwise the node role mapping is lost and worker nodes can no longer join.
  mapRoles: |
    - rolearn: arn:aws:iam::123456789012:role/testrole
      username: testrole
      groups:
        - system:masters

- Then regenerate the kubeconfig file for that role or user

  • For a role, pass --role-arn so that the exec plugin assumes the role before requesting a token (the identity running kubectl must be allowed to sts:AssumeRole that role):

    aws eks update-kubeconfig --name eks-cluster-name --region aws-region --role-arn arn:aws:iam::123456789012:role/testrole
    
  • For a user there is no equivalent option: generate the kubeconfig, then edit the user's exec args to add --profile eks-test (you need to create this AWS CLI profile with that user's access key and secret) so that get-token signs with the user's credentials:

    aws eks update-kubeconfig --name eks-cluster-name --region aws-region
    
user:
  exec:
    apiVersion: client.authentication.k8s.io/v1alpha1
    args:
    - --region
    - ap-northeast-2
    - eks
    - get-token
    - --cluster-name
    - eks-cluster
    - --profile
    - eks-test
    command: aws

- Verify that kubectl now works with the new identity

 $ kubectl get node
NAME                                          STATUS   ROLES    AGE     VERSION
ip-10-0-0-0.ap-northeast-2.compute.internal   Ready    <none>   2d22h   v1.19.6-eks-49a6c0
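Two things go wrong most often when editing aws-auth by hand: pasting the STS assumed-role ARN that aws sts get-caller-identity shows instead of the IAM role ARN, and leaving a path in the role name, which aws-auth does not accept. The following added example (not from the original post) normalises a principal ARN into the accepted form and renders the mapUsers/mapRoles stanza exactly as written in the steps above. The ARNs and account number are the page's; the session name i-0123 and the path team/devs in the test inputs are made up.

```shell
#!/bin/sh
# Normalise an IAM principal ARN into the form aws-auth accepts and report its kind.
# Prints "user <arn>" or "role <arn>"; returns 1 for anything else (e.g. the account root).
#  - an STS assumed-role ARN (what `aws sts get-caller-identity` shows for a role session)
#    is converted back to the underlying IAM role ARN;
#  - a path inside the role or user name is stripped, since aws-auth does not accept paths.
aws_auth_principal() {
  arn="$1"
  case "$arn" in
    arn:aws:sts::*:assumed-role/*)
      rest="${arn#arn:aws:sts::}"          # 123456789012:assumed-role/testrole/session
      account="${rest%%:*}"
      name="${rest#*:assumed-role/}"       # testrole/session
      printf 'role arn:aws:iam::%s:role/%s\n' "$account" "${name%%/*}" ;;
    arn:aws:iam::*:role/*)
      rest="${arn#arn:aws:iam::}"          # 123456789012:role/team/devs/testrole
      account="${rest%%:*}"
      name="${rest#*:role/}"               # team/devs/testrole
      printf 'role arn:aws:iam::%s:role/%s\n' "$account" "${name##*/}" ;;
    arn:aws:iam::*:user/*)
      rest="${arn#arn:aws:iam::}"
      account="${rest%%:*}"
      name="${rest#*:user/}"
      printf 'user arn:aws:iam::%s:user/%s\n' "$account" "${name##*/}" ;;
    *) return 1 ;;
  esac
}

# Render one mapUsers/mapRoles list entry: aws_auth_entry <arn> <k8s username> <group>...
# The key (userarn/rolearn) is chosen from the normalised ARN, so the caller cannot
# put a role under mapUsers by mistake.
aws_auth_entry() {
  [ $# -ge 3 ] || { echo "usage: aws_auth_entry <arn> <username> <group>..." >&2; return 1; }
  p=$(aws_auth_principal "$1") || { echo "unsupported principal ARN: $1" >&2; return 1; }
  kind="${p%% *}"
  arn="${p#* }"
  username="$2"
  shift 2
  printf '%s %sarn: %s\n  username: %s\n  groups:\n' '-' "$kind" "$arn" "$username"
  for g in "$@"; do
    printf '    - %s\n' "$g"
  done
}
```

Paste the rendered entry under the existing mapUsers or mapRoles list in kubectl edit; never replace the list. system:masters is unrestricted cluster-admin, so for anyone other than a break-glass administrator map the principal to a group of your own and bind that group to a narrower ClusterRole or namespaced Role instead.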

🚀 Conclusion

  • Setting up console credentials to control the EKS cluster directly from Cloud9 or an EC2 instance is optional, since most day-to-day work is CLI-driven anyway.
  • But if you'd like full access to your EKS cluster in the EKS console as well, mapping your console identity in aws-auth this way is recommended.

