By using AWS re:Post, you agree to the AWS re:Post Terms of Use

How do I resolve "error: You must be logged in to the server (Unauthorized)" errors when connecting to an Amazon EKS cluster from CodeBuild?

3 minute read
0

I'm trying to connect to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster from AWS CodeBuild using the CodeBuild service role. Why are my kubectl commands returning "error: You must be logged in to the server (Unauthorized)" errors, and how do I troubleshoot the issue?

Short description

AWS Identity and Access Management (IAM) Authenticator doesn't permit a path in the role Amazon Resource Name (ARN) used in the configuration map. If the role ARN (rolearn) in your aws-auth ConfigMap includes a path, Amazon EKS returns the following error:

"error: You must be logged in to the server (Unauthorized)"

The CodeBuild service role ARN includes the following path: /service-role. When you specify the rolearn value in your aws-auth ConfigMap, you must remove the /service-role path—or any other path, if you're using another role. For more information, see Managing users or IAM roles for your cluster.

If you receive errors after removing any paths from the role ARN in your aws-auth ConfigMap, follow the instructions in the following article: How do I resolve an unauthorized server error when I connect to the Amazon EKS API server?

Resolution

Identify your CodeBuild service role's ARN and remove the /service-role path

1.    Open the CodeBuild console.

2.    In the left navigation pane, choose Build. Then, choose Build projects.

3.    Select your project name. Then, choose Build details.

4.    Under the Environment section, in the Build details pane, copy the CodeBuild service role ARN.

5.    In a text editor, paste the CodeBuild service role ARN and remove the /service-role path. Then, copy the edited ARN.

Example CodeBuild service role ARN

arn:aws:iam::123456789012:role/service-role/codebuild-project-service-role

Example CodeBuild service role ARN with the /service-role path removed

arn:aws:iam::123456789012:role/codebuild-project-service-role

Add the edited CodeBuild service role's ARN to your aws-auth ConfigMap

1.    To edit the aws-auth ConfigMap in a text editor, the cluster owner or admin must run the following kubectl command:

Note: You can run the command from your local computer or an Amazon Elastic Compute Cloud (Amazon EC2) instance that has access to the EKS cluster. The user who created the cluster has access to the cluster by default.

$ kubectl edit -n kube-system cm aws-auth

The aws-auth ConfigMap opens in vi editor.

Note: If you receive an Error from server (NotFound): configmaps "aws-auth" not found error, use the example aws-auth ConfigMap that's provided in the following article: Managing users or IAM roles for your cluster.

2.    In the vi editor, add the edited CodeBuild service role's ARN to the aws-auth ConfigMap by doing the following:
Activate insert mode by pressing i.
In the mapRoles statement, under system:masters, for the rolearn value, enter the edited CodeBuild service role's ARN.
Activate command mode by pressing Esc. Then, save and close the file by entering :wq.

Example mapRoles statement that includes a correctly formatted CodeBuild service role ARN

mapRoles: |

  • groups:
    • system:masters rolearn: arn:aws:iam::123456789012:role/codebuild-project-service-role username: codebuild-project-service-role

Related information

How do I resolve an unauthorized server error when I connect to the Amazon EKS API server?

AWS OFFICIAL
AWS OFFICIALUpdated 3 years ago