
This assumes you have downloaded and installed the eksctl CLI. If not, check out my article on downloading the eksctl CLI.
Both the AWS CLI and the eksctl CLI can be used to list your Elastic Kubernetes Service (EKS) Clusters.
- aws eks list-clusters
- eksctl get clusters (this article)
The eksctl get clusters command can be used to list your Elastic Kubernetes Service (EKS) Clusters.
~]$ eksctl get clusters
NAME          REGION     EKSCTL CREATED
my-cluster-1  us-east-1  True
my-cluster-2  us-east-1  False
This will use the default profile in your hidden AWS credentials file (e.g. /home/john.doe/.aws/credentials). For example, if your hidden AWS credentials file has the following, the default credential would be used.
~]$ cat /home/john.doe/.aws/credentials
[default]
aws_secret_access_key = ABCDEFG123456789ABCDEFG123456789ABCDEFG12
aws_access_key_id = ABCDEFG123456789ABCD
Or, the --profile flag could be used to use some other profile in your hidden AWS credentials file.
~]$ eksctl get clusters --profile johndoe
NAME          REGION     EKSCTL CREATED
my-cluster-1  us-east-1  True
my-cluster-2  us-east-1  False
And then the eksctl get iamidentitymapping command can be used to list the roles and users in the aws-auth Config Map in the EKS Cluster.
~]$ eksctl get iamidentitymapping --cluster enterprise-sbx-useast2-1 --profile AWS-sbx-admin
ARN                                     USERNAME                           GROUPS                             ACCOUNT
arn:aws:iam::123456789012:role/my-role  system:node:{{EC2PrivateDNSName}}  system:bootstrappers,system:nodes
This is basically displaying the mapUsers and mapRoles in the aws-auth Config Map.
{
  "kind": "ConfigMap",
  "apiVersion": "v1",
  "metadata": {
    "name": "aws-auth",
    "namespace": "kube-system"
  },
  "data": {
    "mapRoles": "- groups:\n - system:bootstrappers\n - system:nodes\n rolearn: arn:aws:iam::123456789012:role/my-cluster-node\n username: system:node:{{EC2PrivateDNSName}}\n"
  }
}
The eksctl create iamidentitymapping command can be used to add users and roles to the aws-auth Config Map.
~]$ eksctl create iamidentitymapping --cluster my-cluster --region us-east-1 --arn arn:aws:iam::123456789012:user/johndoe --username johndoe
2023-11-03 03:23:14 [ℹ] checking arn arn:aws:iam::123456789012:user/johndoe against entries in the auth ConfigMap
2023-11-03 03:23:14 [ℹ] adding identity "arn:aws:iam::123456789012:user/johndoe" to auth ConfigMap
Now the eksctl get iamidentitymapping command should include the user or role that you added.
~]$ eksctl get iamidentitymapping --cluster my-cluster
ARN                                     USERNAME                           GROUPS                             ACCOUNT
arn:aws:iam::123456789012:role/my-role  system:node:{{EC2PrivateDNSName}}  system:bootstrappers,system:nodes
arn:aws:iam::123456789012:user/johndoe  johndoe
And likewise, the aws-auth Config Map should also have the user or role that you added.
{
  "kind": "ConfigMap",
  "apiVersion": "v1",
  "metadata": {
    "name": "aws-auth",
    "namespace": "kube-system"
  },
  "data": {
    "mapRoles": "- groups:\n - system:bootstrappers\n - system:nodes\n rolearn: arn:aws:iam::123456789012:role/my-cluster-node\n username: system:node:{{EC2PrivateDNSName}}\n",
    "mapUsers": "- userarn: arn:aws:iam::123456789012:user/johndoe\n username: johndoe\n"
  }
}
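Because every entry in mapRoles and mapUsers grants an IAM principal a way into the cluster, it is worth reviewing the aws-auth Config Map after each change. The following is an added example, not part of the original article or of eksctl: it audits the JSON form of the Config Map (as returned by kubectl get configmap aws-auth -n kube-system -o json) and reports entries that are not on an expected list, that belong to system:masters (the built-in group with unrestricted cluster access), or that have no groups at all. The function names, the EXPECTED allowlist and the example-admin role are assumptions made for illustration.

```python
import json

# Constructed sample: the article's aws-auth ConfigMap plus one hypothetical
# admin role (example-admin) so the system:masters finding has something to hit.
AWS_AUTH_JSON = r'''{"kind": "ConfigMap", "apiVersion": "v1",
 "metadata": {"name": "aws-auth", "namespace": "kube-system"},
 "data": {
  "mapRoles": "- groups:\n  - system:bootstrappers\n  - system:nodes\n  rolearn: arn:aws:iam::123456789012:role/my-cluster-node\n  username: system:node:{{EC2PrivateDNSName}}\n- groups:\n  - system:masters\n  rolearn: arn:aws:iam::123456789012:role/example-admin\n  username: admin\n",
  "mapUsers": "- userarn: arn:aws:iam::123456789012:user/johndoe\n  username: johndoe\n"}}'''
EXPECTED = {"arn:aws:iam::123456789012:role/my-cluster-node",   # assumed allowlist
            "arn:aws:iam::123456789012:user/johndoe"}

def parse_mappings(text):
    """Parse the flat YAML list used by mapRoles/mapUsers (not a general YAML parser)."""
    entries, current, list_key = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("- "):            # unindented dash starts a new mapping
            current, list_key = {"groups": []}, None
            entries.append(current)
            line = line[2:]
        item = line.strip()
        if item.startswith("- "):            # indented dash: item of the open list
            current[list_key].append(item[2:].strip())
            continue
        key, _, value = item.partition(":")
        current[key] = value.strip() or []   # empty value opens a list (e.g. groups:)
        list_key = None if value.strip() else key
    return entries

def audit(configmap, expected_arns):
    """Return (arn, reason) findings for every mapRoles/mapUsers entry."""
    findings = []
    for field in ("mapRoles", "mapUsers"):
        for e in parse_mappings(configmap.get("data", {}).get(field, "")):
            arn = e.get("rolearn") or e.get("userarn")
            if arn not in expected_arns:
                findings.append((arn, "not in expected list"))
            if "system:masters" in e["groups"]:
                findings.append((arn, "member of system:masters"))
            if not e["groups"]:
                findings.append((arn, "no groups, access depends on username RBAC"))
    return findings

if __name__ == "__main__":
    for arn, reason in audit(json.loads(AWS_AUTH_JSON), EXPECTED):
        print(f"{arn}: {reason}")
```

The johndoe entry created above is reported as having no groups: the mapping lets the user authenticate, but the user can do nothing in the cluster until a RoleBinding or ClusterRoleBinding names the username johndoe.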