
Adding cross-account access to EKS

Imran Hayder ・ 1 min read

Introduction

When you want IAM users in one account to access an EKS cluster in another account, the simplest way to do it is with a cross-account role.
This assumes you have already created the role in account B and trusted the users in account A to assume it.

Steps to access EKS in the second account

  1. First make sure you have an IAM role named cross-account-role in account B, with a trust relationship for the users in account A that you want to allow access.
  2. Once that is done, make sure you already have access to the EKS cluster in account B (this is needed in order to edit the cluster's permissions).
  3. Now edit the aws-auth configmap of that EKS cluster:

    kubectl edit -n kube-system configmaps aws-auth
    
  4. Add the following lines under mapRoles to map the role created in step 1:

    - "groups":
      - "system:masters"
      - "system:nodes"
      "rolearn": "arn:aws:iam::Account B:role/cross-account-role"
    
  5. Add a profile for the cross-account role in account B to ~/.aws/credentials:

    [account-B]
    role_arn = arn:aws:iam::Account B:role/cross-account-role
    region = us-west-2
    source_profile = account-A
    
  6. Export this profile in your terminal and add the EKS cluster to your kubeconfig:

    export AWS_PROFILE=account-B
    aws eks update-kubeconfig --name name-of-eks-cluster-in-account-B
    
  7. Try running kubectl now:

    kubectl get ns
    kubectl get pods
    
