How do I resolve the "Your current user or role does not have access to Kubernetes objects on this EKS cluster" error in Amazon EKS?
I tried to access my Amazon Elastic Kubernetes Service (Amazon EKS) cluster. But, I received the "Your current user or role does not have access to Kubernetes objects on this EKS cluster" error message.
Short description
You get an access error when an AWS Identity and Access Management (IAM) identity doesn't have role-based access control (RBAC) permissions for Kubernetes. To access the Kubernetes API, you must have RBAC permissions. For more information about RBAC, see Using RBAC authorization on the Kubernetes website. To view Kubernetes resources on the AWS Management Console, your IAM identity must map to the aws-auth ConfigMap in your Amazon EKS cluster.
Important: The following resolution uses the aws-auth ConfigMap, which maps IAM identities to Kubernetes RBAC users and groups. It's a best practice to migrate existing aws-auth ConfigMap entries to access entries.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
If you're the cluster's creator or administrator user, then you can use kubectl or eksctl to update the aws-auth ConfigMap. Proceed to Add the IAM user or role to the RBAC configuration. Otherwise, you must get the Amazon Resource Name (ARN) of the IAM identity that requires cluster access.
Get the ARN of the IAM identity that requires cluster access
Identify the IAM user or role that requires access to the cluster.
Note: The IAM identity might be different from the IAM identity that you use when you run the AWS CLI. The AWS IAM Authenticator for Kubernetes doesn't allow a path in the role ARN that you use in the aws-auth ConfigMap. For more information, see aws-iam-authenticator on the GitHub website.
If you have AWS CLI access to the IAM user or role, then run the following get-caller-identity AWS CLI command:
aws sts get-caller-identity --query "Arn"
Note: If you don't have AWS CLI access, then remove the quotation marks from Arn and run the preceding command in AWS CloudShell.
Example output:
"arn:aws:iam::111122223333:role/testrole"
If the command's output shows an IAM role ARN, then confirm that it's in the correct ARN format: arn:aws:iam::111122223333:role/example.
If the ARN is an assumed-role ARN, then you must get the ARN of the underlying IAM role, because that's the ARN you grant RBAC permissions to. For example, the assumed-role ARN arn:aws:sts::111122223333:assumed-role/MyRole/your_username corresponds to the IAM role ARN arn:aws:iam::111122223333:role/MyRole (note the change from the sts to the iam service and the dropped session name).
Provide the ARN to your cluster's administrator, and then request that the administrator add the role's ARN to the aws-auth ConfigMap. For steps on adding the ARN to the aws-auth ConfigMap, proceed to Add the IAM user or role to the RBAC configuration.
Also confirm that the IAM user or role has the IAM permissions (separate from Kubernetes RBAC) that are required to view nodes and workloads for all clusters on the AWS Management Console.
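The conversion described above is easy to get wrong by hand, so the following is an added example (not part of the AWS article) of a small POSIX shell function that turns whatever `aws sts get-caller-identity --query Arn --output text` returns into the ARN form that the aws-auth ConfigMap expects: an assumed-role ARN becomes the IAM role ARN, a role ARN loses its path (the aws-iam-authenticator note above), a user ARN is passed through, and anything else is rejected. The function name and the sample ARNs are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the AWS article: normalize a caller-identity ARN
# into the ARN that goes into the aws-auth ConfigMap.
#   arn:aws:sts::ACCT:assumed-role/ROLE/SESSION -> arn:aws:iam::ACCT:role/ROLE
#   arn:aws:iam::ACCT:role/path/to/ROLE         -> arn:aws:iam::ACCT:role/ROLE
#   arn:aws:iam::ACCT:user/NAME                 -> unchanged
#   anything else                               -> error on stderr, status 1
aws_auth_arn() {
  arn=$1
  case "$arn" in
    arn:aws:sts::*:assumed-role/*/*)
      # account ID sits between "arn:aws:sts::" and the next ":"
      acct=${arn#arn:aws:sts::}; acct=${acct%%:*}
      # role name is the first path segment after "assumed-role/"
      rest=${arn#*:assumed-role/}; role=${rest%%/*}
      printf 'arn:aws:iam::%s:role/%s\n' "$acct" "$role" ;;
    arn:aws:iam::*:role/*)
      acct=${arn#arn:aws:iam::}; acct=${acct%%:*}
      # drop any path: aws-iam-authenticator does not match role ARNs with a path
      rest=${arn#*:role/}; role=${rest##*/}
      printf 'arn:aws:iam::%s:role/%s\n' "$acct" "$role" ;;
    arn:aws:iam::*:user/*)
      printf '%s\n' "$arn" ;;
    *)
      printf 'unsupported ARN for aws-auth: %s\n' "$arn" >&2
      return 1 ;;
  esac
}

# Live usage (needs AWS credentials):
#   aws_auth_arn "$(aws sts get-caller-identity --query Arn --output text)"
# Offline usage: pass one or more ARNs as arguments.
if [ $# -ge 1 ]; then
  for a in "$@"; do aws_auth_arn "$a"; done
fi
```

Hand the printed ARN to the cluster administrator; it is the value for rolearn (or userarn) in the aws-auth ConfigMap, or for --arn in the eksctl command later in this article.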
Identify the cluster creator
Important: When a cluster is created, only the IAM entity that created it has access to cluster resources. Until other identities are mapped, only the cluster creator can edit the aws-auth ConfigMap and grant access to other IAM entities.
Identify the cluster creator or administrator role that has primary permissions to configure your cluster. First, check your AWS CloudTrail event history for the CreateCluster API call. Then, check the userIdentity field.
If the cluster creator's name shows as Deleted in CloudTrail, then create a new IAM user or role with the same name. The new IAM identity has the same ARN as the original cluster creator, so the new identity inherits the same administrator access to the cluster.
Note: CloudTrail doesn't provide the cluster creator's name for clusters that are older than 90 days.
To check which IAM identity the AWS CLI is currently using, so that you can compare it with the creator recorded in CloudTrail, run the following get-caller-identity command:
aws sts get-caller-identity
Example output:
{
    "UserId": "AIDACKCEVSQ6C2EXAMPLE",
    "Account": "111122223333",
    "Arn": "arn:aws:iam::111122223333:user/testuser"
}
Add the IAM user or role to the RBAC configuration
If you installed eksctl, then run the following eksctl create iamidentitymapping command to update the aws-auth ConfigMap:
eksctl create iamidentitymapping --cluster your_cluster_name --region=your_region --arn your_IAM_ARN --group system:masters --username admin
Note: Replace your_cluster_name with your cluster name, your_region with your AWS Region, and your_IAM_ARN with your IAM role or user ARN.
To use kubectl to update the aws-auth ConfigMap, complete the following steps:
- Run the following update-kubeconfig command to configure kubectl so that you can connect to your cluster:
aws eks update-kubeconfig --region region_code --name your_cluster_name
Note: Replace region_code with your Region and your_cluster_name with your cluster name. The kubectl commands must connect to the Amazon EKS server endpoint. If the API server endpoint is public, then you must have internet access to connect to the endpoint. If the endpoint is private, then connect to the server endpoint from the virtual private cloud (VPC) where your cluster is running. The IAM identity that created the cluster always has access to the cluster, so run these commands as that identity or as another identity that's already mapped to system:masters.
- Run the following command to open the aws-auth ConfigMap in your default text editor:
kubectl edit configmap aws-auth -n kube-system
Note: The editor shows the current ConfigMap. If you can't connect to the cluster, then confirm that your kubeconfig file points at the correct cluster and Region.
- In the text editor that opens, add the following entry under data to map an IAM user:
mapUsers: |
  - userarn: arn:aws:iam::111122223333:user/testuser
    username: testuser
    groups:
      - system:masters
Note: Replace 111122223333 with your AWS account ID and testuser with your IAM user.
Or, add the following entry to map an IAM role:
mapRoles: |
  - rolearn: arn:aws:iam::111122223333:role/testrole
    username: testrole
    groups:
      - system:masters
Note: Replace 111122223333 with your account ID and testrole with your IAM role. The rolearn must not include a path. The groups list names the Kubernetes groups that the identity joins, and system:masters is bound to cluster-admin, so in production map the identity to a group that's bound to a narrower role instead (see the following note).
If you create a cluster, then your IAM identity automatically receives system:masters permissions in the cluster's RBAC configuration. By default, the system:masters group is bound to the cluster-admin cluster role.
It isn't a best practice to use system:masters permissions in a production environment. The system:masters permissions give users full access to all the Kubernetes resources in the cluster. Instead, it's a best practice to create a role that has access to only a specific namespace with only the required permissions.
Verify access to your cluster
Complete the following steps:
- Open the Amazon EKS console.
- In the navigation pane, choose Clusters.
- Select your cluster.
- Check the Overview and Workloads tabs for errors.
If you see errors, then see Troubleshooting IAM. For example, if you configured RBAC access for a specific namespace, then you might get the following error message:
"Error loading Deployments : deployments.apps is forbidden: User "AIDACKCEVSQ6C2EXAMPLE" cannot list resource "deployments" in API group "apps" at the cluster scope or in the namespace "EXAMPLENAMESPACE""
To resolve the namespace error, you must create or update the RBAC role or cluster role with the appropriate role or cluster role bindings. For more information, see RoleBinding and ClusterRoleBinding on the Kubernetes website.
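To make the namespace-scoped alternative to system:masters concrete, the following is an added example (not AWS's code) of a POSIX shell script that renders the three pieces that have to agree for a namespace-scoped mapping to work: a Role in the namespace that allows get/list/watch on common workload resources, a RoleBinding from that Role to a Kubernetes group, and the aws-auth entry that puts the IAM identity into that group. The Role name pattern, the group name dev-viewers, and the sample ARNs are placeholders chosen for the example; the resource list is one reasonable read-only set, not a prescribed one.

```shell
#!/bin/sh
# Added example, not from the AWS article: render namespace-scoped RBAC plus
# the matching aws-auth entry. The group name is the link between the two.

# Role + RoleBinding for read-only access in ONE namespace, bound to a group.
# Output is two YAML documents that can be piped to: kubectl apply -f -
render_namespace_rbac() {
  ns=$1; group=$2
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${ns}-viewer
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "events"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${ns}-viewer
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${ns}-viewer
subjects:
- kind: Group
  name: ${group}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# aws-auth fragment that puts the IAM identity into that group. Picks
# mapUsers/userarn or mapRoles/rolearn from the ARN, and refuses a role ARN
# with a path because aws-iam-authenticator will not match it.
render_aws_auth_entry() {
  arn=$1; username=$2; group=$3
  case "$arn" in
    arn:aws:iam::*:role/*/*)
      echo "role ARN must not contain a path: $arn" >&2; return 1 ;;
    arn:aws:iam::*:role/*) key=mapRoles; arnkey=rolearn ;;
    arn:aws:iam::*:user/*) key=mapUsers; arnkey=userarn ;;
    *) echo "not an IAM user or role ARN: $arn" >&2; return 1 ;;
  esac
  cat <<EOF
${key}: |
  - ${arnkey}: ${arn}
    username: ${username}
    groups:
      - ${group}
EOF
}

# Usage: sh this-script.sh <namespace> <group> <iam-arn> <k8s-username>
# e.g.:  sh this-script.sh dev dev-viewers arn:aws:iam::111122223333:role/testrole testrole
if [ $# -eq 4 ]; then
  render_namespace_rbac "$1" "$2"
  printf '\n# aws-auth fragment: merge under data via'
  printf ' "kubectl edit configmap aws-auth -n kube-system"\n'
  render_aws_auth_entry "$3" "$4" "$2"
fi
```

Apply the first two documents with kubectl as an identity that already has cluster-admin, then merge the fragment into aws-auth. Because the binding targets the group rather than the username, several IAM identities can share one RoleBinding by being mapped to the same group. A console user mapped this way still sees the "at the cluster scope" part of the error above for resources outside the namespace; that is expected, since the Role deliberately grants nothing cluster-wide.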