I want to configure an AWS IAM Identity Center user to access my Amazon Elastic Kubernetes Service (Amazon EKS) cluster.
Resolution
Prerequisites
- IAM Identity Center must be turned on and configured
- The SSO user must be associated with the AWS account that contains the EKS cluster
- The EKS cluster must support Access Entries (platform version eks.2 or later)
To configure an SSO user to access your Amazon EKS cluster, complete the following steps:
Configure AWS CLI for SSO authentication
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Configure the AWS CLI to use SSO authentication so the SSO user can authenticate and assume an AWS Identity and Access Management (IAM) role.
For more information about configuring the AWS CLI with IAM Identity Center, see Integrating AWS CLI with IAM Identity Center.
Configure kubectl to use the SSO profile
To configure kubectl to use your SSO profile, run the following update-kubeconfig AWS CLI command:
aws eks update-kubeconfig --name your-cluster-name --profile your-sso-profile
Note: Replace your-cluster-name with your EKS cluster name. Replace your-sso-profile with your SSO profile name.
Verify the cluster authentication mode
To verify the cluster authentication mode, run the following describe-cluster AWS CLI command:
aws eks describe-cluster --name your-cluster-name --query "cluster.accessConfig.authenticationMode" --profile your-sso-profile
Note: Replace your-cluster-name with your EKS cluster name. Replace your-sso-profile with your SSO profile name.
If the output shows API or API_AND_CONFIG_MAP, then Access Entries are turned on. If the output shows CONFIG_MAP, then only the aws-auth ConfigMap method is available.
Use Access Entries to configure access
Choose one of the following permission levels:
Grant cluster-wide admin permissions
Complete the following steps:
- Open the Amazon EKS console.
- In the navigation pane, choose Clusters.
- Select your cluster.
- Choose the Access tab.
- In the Access entries section, choose Create access entry.
- For IAM principal ARN, enter your SSO role ARN without the path component.
- For Type, choose Standard.
- Choose Next.
- For Policy name, choose AmazonEKSClusterAdminPolicy.
- For Access scope, choose Cluster.
- Choose Next, then choose Create.
Grant namespace-specific permissions
Complete the following steps:
- Open the Amazon EKS console.
- In the navigation pane, choose Clusters.
- Select your cluster.
- Choose the Access tab.
- In the Access entries section, choose Create access entry.
- For IAM principal ARN, enter your SSO role ARN without the path component.
- For Type, choose Standard.
- Choose Next.
- For Policy name, choose AmazonEKSAdminViewPolicy or AmazonEKSEditPolicy based on your requirements.
- For Access scope, choose Namespace.
- For Namespace, enter your namespace name.
- Choose Next, then choose Create.
For more information about Access Entries, see Grant IAM users access to Kubernetes with EKS access entries.
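The access entry above and the aws-auth mapping below both need the SSO role ARN with the reserved path removed, and the easiest way to get it is from the identity the SSO profile actually reports. The following added example (not part of the AWS article) derives that ARN from an STS assumed-role ARN or a path-qualified IAM role ARN, and, when given a cluster name and SSO profile on the command line, creates the cluster-admin access entry with the AWS CLI instead of the console; the cluster name and profile name are assumptions you supply.

```shell
#!/bin/sh
# Added example: derive the path-stripped SSO role ARN that EKS access entries
# and the aws-auth ConfigMap expect, then optionally apply a cluster-admin entry.

# Input forms handled:
#   arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_X_abc/user@example.com
#     (what `aws sts get-caller-identity` returns for an SSO session)
#   arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_X_abc
#     (the IAM role ARN with its reserved path)
# Output: arn:aws:iam::123456789012:role/AWSReservedSSO_X_abc
strip_sso_role_path() {
  arn=$1
  account=$(printf '%s' "$arn" | cut -d: -f5)
  resource=$(printf '%s' "$arn" | cut -d: -f6-)
  case "$resource" in
    assumed-role/*)
      # assumed-role/<role-name>/<session-name>: keep the role name field
      role=$(printf '%s' "$resource" | cut -d/ -f2) ;;
    role/*)
      # role/<path.../><role-name>: keep the last path element
      role=${resource##*/} ;;
    *)
      # Not a role principal (for example an IAM user): refuse rather than guess
      return 1 ;;
  esac
  printf 'arn:aws:iam::%s:role/%s\n' "$account" "$role"
}

# CLI equivalent of the console steps above (cluster-scoped AmazonEKSClusterAdminPolicy).
# Runs only when invoked as: sh grant-sso-admin.sh <cluster-name> <sso-profile>
grant_cluster_admin() {
  cluster=$1
  profile=$2
  caller=$(aws sts get-caller-identity --query Arn --output text --profile "$profile")
  principal=$(strip_sso_role_path "$caller") || { echo "unexpected principal: $caller" >&2; return 1; }
  aws eks create-access-entry --cluster-name "$cluster" --principal-arn "$principal" \
      --type STANDARD --profile "$profile"
  aws eks associate-access-policy --cluster-name "$cluster" --principal-arn "$principal" \
      --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \
      --access-scope type=cluster --profile "$profile"
}

if [ "$#" -eq 2 ]; then
  grant_cluster_admin "$1" "$2"
fi
```

For the namespace-scoped variant, change the policy ARN to AmazonEKSEditPolicy or AmazonEKSAdminViewPolicy and the access scope to type=namespace,namespaces=your-namespace.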
Use aws-auth ConfigMap to configure access
Important: When you use aws-auth with IAM Identity Center, use the IAM role ARN without the path component. For example, if your role ARN is arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_AdministratorAccess_1234567890abcdef, remove the path to use arn:aws:iam::123456789012:role/AWSReservedSSO_AdministratorAccess_1234567890abcdef.
If your cluster doesn't support Access Entries or you prefer to use the aws-auth ConfigMap method, complete the following steps:
Grant cluster-wide admin permissions
Create a YAML file with the following configuration:
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::123456789012:role/AWSReservedSSO_AdministratorAccess_1234567890abcdef
      username: sso-admin-user
      groups:
        - system:masters
Note: Replace the rolearn value with your SSO role ARN without the path component. Replace sso-admin-user with your preferred username.
Apply the configuration:
kubectl apply -f aws-auth-configmap.yaml
Grant namespace-specific permissions
Create a Role and RoleBinding for namespace-specific access:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sso-user-role
  namespace: your-namespace
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sso-user-rolebinding
  namespace: your-namespace
subjects:
  - kind: User
    name: sso-user
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: sso-user-role
  apiGroup: rbac.authorization.k8s.io
Note: Replace your-namespace with your namespace name. Replace sso-user with the username you specified in the aws-auth ConfigMap.
Apply the configuration:
kubectl apply -f role-rolebinding.yaml
Update the aws-auth ConfigMap to map the SSO role to the username:
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::123456789012:role/AWSReservedSSO_AdministratorAccess_1234567890abcdef
      username: sso-user
Note: Replace the rolearn value with your SSO role ARN without the path component.
Apply the configuration:
kubectl apply -f aws-auth-configmap.yaml
For more information about the aws-auth ConfigMap, see Grant IAM users access to Kubernetes with a ConfigMap.
Verify access
To verify that the SSO user can access the cluster, run the following command with the SSO profile's kubeconfig context:
kubectl get nodes
If the command returns a list of nodes, then the SSO user has successfully authenticated to the cluster.
Related information
Cluster access management