When you want your users in IAM to access EKS cluster in another account, its very simple to do via cross account role.
This assumes you have already created the role in account B to users in account A.
- first make sure you have a IAM role
cross-account-rolecreated in Account B and having added trusted relationship for users in that you would like to from account A to access it.
- Once thats done , make sure you have access to the EKS cluster in account B(this needs to be done in order to edit the permissions of EKS).
now edit the
aws-authconfigmap of that EKS cluster as:
kubectl edit -n kube-system configmaps aws-auth
add following lines under
mapRolesto add the
rolecreated in step#1:
- "groups": - "system:masters" - "system:nodes" "rolearn": "arn:aws:iam::Account B:role/cross-account-role"
try setting the new
cross-accountfor account B in
[account-B] role_arn = arn:aws:iam::Account B:role/cross-accountrole region = us-west-2 source_profile = account-A
export this profile on terminal and add the EKS cluster config :
export AWS_PROFILE=account-B aws eks update-kubeconfig --name name-of-eks-cluster-in-account-B
try running kubectl now:
kubectl get ns kubectl get pods