I want to manage the AWS Identity and Access Management (IAM) roles for my Amazon Elastic Kubernetes Service (Amazon EKS) cluster to reduce permission-related issues.
Short description
If you don't have the correct permissions to access an Amazon EKS cluster, then you might get one of the following errors:
- "Your current IAM principal doesn't have access to Kubernetes objects on this cluster"
- "You must be logged in to the server (Unauthorized)"
- "You must be logged in to the server (the server has asked for the client to provide credentials)"
These errors can occur for one of the following reasons:
- You or your client (AWS Command Line Interface (AWS CLI) or application) didn't authenticate with the EKS cluster.
- Your AWS access key or secret key isn't valid, or the key pair belongs to a different IAM identity than you expect.
- You have an incorrect cluster endpoint URL.
- You didn't correctly configure your kubeconfig file.
To troubleshoot this issue, complete the following tasks.
Resolution
Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Review your credentials and configuration file
Review your AWS credentials to make sure that they're valid and that the IAM identity they resolve to has the permissions needed to access the Amazon EKS cluster. If you run kubectl commands and get one of the preceding errors, then confirm that kubectl is using those same credentials and the correct cluster configuration.
To check which IAM identity your credentials resolve to, run the get-caller-identity AWS CLI command. The Arn in the output is the principal that the cluster must authorize, so note it for the steps that follow:
aws sts get-caller-identity
If you use a kubeconfig configuration file for your cluster, then review the file's cluster entry (server URL, certificate authority, and the exec section that calls the AWS CLI). If the configurations aren't correct, then use the update-kubeconfig command to regenerate the entry:
aws eks update-kubeconfig --name Your_cluster_name --region Your_Region
Note: Replace Your_cluster_name with the name of your cluster and Your_Region with the AWS Region of the cluster.
For more information, see Connect kubectl to an Amazon EKS cluster by creating a kubeconfig file.
Review your Amazon EKS cluster authentication method
Amazon EKS clusters that use the configuration map
For Amazon EKS clusters that authenticate with the configuration map (the aws-auth ConfigMap in the kube-system namespace), configure the AWS CLI to use an IAM identity that can both access the cluster and edit the map. If no such identity exists, then assume the IAM identity that created the cluster, which can access the cluster without being listed in the map. Then, edit the configuration map. For more information, see How do I provide cluster access to other IAM users and roles after I create a cluster in Amazon EKS?
If the IAM identity isn't listed in the map, or is listed with the wrong ARN, then update the IAM principals of the configuration map. For more information, see Add IAM principals to your Amazon EKS cluster.
Amazon EKS clusters that use API authentication
For Amazon EKS clusters that authenticate with the Amazon EKS API, you must create an access entry for the IAM identity and associate an access policy that grants the correct permissions.
To verify if there's an Access Entry for the IAM identity, run the list-access-entries command:
aws eks list-access-entries --cluster-name Your_cluster_name
Note: Replace Your_cluster_name with the name of your cluster.
If there isn't an access entry for the IAM identity, then create one. Also, make sure that the access entry has the correct access policies associated with it. For more information, see Associate access policies with access entries.
Note: The access entry method doesn't replace role-based access control (RBAC) in Amazon EKS. You can use Amazon EKS access entries together with RBAC in your cluster to grant more specific permissions. For more information, see A deep dive into simplified Amazon EKS access management controls.
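The following POSIX shell script is an added example, not code from the AWS article, that ties the three checks above together: it takes the ARN reported by get-caller-identity, rewrites it into the form that the configuration map and access entries actually store, and then looks for it in both. It runs on constructed sample data embedded at the bottom; the account ID 111122223333, the role and user names, and the session name are placeholders. It assumes that the aws-auth YAML has the layout that kubectl prints and that the access-entry list is the whitespace-separated text output of list-access-entries. Two details it handles that the page only implies: an assumed role shows up in STS as arn:aws:sts::...:assumed-role/Name/session but must be matched as arn:aws:iam::...:role/Name, and a mapRoles entry that keeps the IAM role path is never matched.

```sh
#!/bin/sh
# Added example (not part of the AWS article): check whether the identity that
# `aws sts get-caller-identity` reports is one the cluster authorises, for both
# authentication modes. Uses only sh, sed, grep and tr on constructed data.

# STS reports an assumed role as
#   arn:aws:sts::111122223333:assumed-role/EKSAdmin/my-session
# but aws-auth and access entries hold the underlying IAM role ARN
#   arn:aws:iam::111122223333:role/EKSAdmin
# so rewrite it. IAM user and root ARNs are returned unchanged.
normalize_caller_arn() {
  printf '%s\n' "$1" |
    sed -E 's#^arn:(aws[a-z-]*):sts::([0-9]{12}):assumed-role/([^/]+)/.*$#arn:\1:iam::\2:role/\3#'
}

# aws-auth mapRoles entries must omit the IAM role path:
#   arn:aws:iam::111122223333:role/team/EKSAdmin -> arn:aws:iam::111122223333:role/EKSAdmin
# An entry that keeps the path never matches, and the caller sees "Unauthorized".
strip_role_path() {
  printf '%s\n' "$1" |
    sed -E 's#^(arn:aws[a-z-]*:iam::[0-9]{12}:role)/.*/([^/]+)$#\1/\2#'
}

# Print every rolearn/userarn value in aws-auth ConfigMap YAML read from stdin
# (what `kubectl get configmap aws-auth -n kube-system -o yaml` prints).
aws_auth_principals() {
  sed -nE 's/^[[:space:]]*-?[[:space:]]*(rolearn|userarn):[[:space:]]*"?([^"[:space:]]+)"?.*$/\2/p'
}

# Exit 0 if $1 is mapped in the aws-auth YAML on stdin. Whole-line match, so
# role/EKSAdmin does not match role/EKSAdmin2.
mapped_in_aws_auth() {
  aws_auth_principals | grep -Fxq -- "$1"
}

# Print aws-auth entries that would match $1 only once their path is removed,
# i.e. the classic misconfiguration behind "Unauthorized" for a mapped role.
aws_auth_entries_with_path() {
  aws_auth_principals | while IFS= read -r arn; do
    if [ "$arn" != "$1" ] && [ "$(strip_role_path "$arn")" = "$1" ]; then
      printf '%s\n' "$arn"
    fi
  done
}

# Exit 0 if $1 is in the whitespace-separated ARN list on stdin (the form of
#   aws eks list-access-entries --cluster-name "$CLUSTER" --query accessEntries --output text).
has_access_entry() {
  tr '\t ' '\n\n' | grep -Fxq -- "$1"
}

# Report which store recognises the caller; exit 0 if either does, 1 if neither.
# Arguments: caller ARN, aws-auth YAML text, access-entry list text.
check_caller() {
  principal=$(normalize_caller_arn "$1")
  found=1
  if printf '%s\n' "$2" | mapped_in_aws_auth "$principal"; then
    echo "aws-auth: $principal is mapped"
    found=0
  else
    echo "aws-auth: $principal is not mapped"
    with_path=$(printf '%s\n' "$2" | aws_auth_entries_with_path "$principal")
    [ -n "$with_path" ] && echo "aws-auth: found '$with_path'; remove the path from the rolearn"
  fi
  if printf '%s\n' "$3" | has_access_entry "$principal"; then
    echo "access entries: $principal has an entry"
    found=0
  else
    echo "access entries: no entry for $principal"
  fi
  return $found
}

# --- Constructed sample data (placeholder account, not real output) ---
# Live equivalents:
#   CALLER=$(aws sts get-caller-identity --query Arn --output text)
#   AWS_AUTH_YAML=$(kubectl get configmap aws-auth -n kube-system -o yaml)
#   ACCESS_ENTRIES=$(aws eks list-access-entries --cluster-name "$CLUSTER" --query accessEntries --output text)
CALLER='arn:aws:sts::111122223333:assumed-role/EKSAdmin/cli-session'
AWS_AUTH_YAML='apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - groups:
      - system:masters
      rolearn: arn:aws:iam::111122223333:role/team/EKSAdmin
      username: admin
  mapUsers: |
    - groups:
      - system:masters
      userarn: arn:aws:iam::111122223333:user/alice
      username: alice'
ACCESS_ENTRIES=$(printf '%s\t%s' 'arn:aws:iam::111122223333:role/EKSAdmin' 'arn:aws:iam::111122223333:user/alice')

check_caller "$CALLER" "$AWS_AUTH_YAML" "$ACCESS_ENTRIES"
```

With the sample data the script reports that the EKSAdmin role is not mapped in aws-auth because the rolearn keeps the team/ path, and that an access entry for it does exist, which is why the same caller succeeds on an API-authenticated cluster and fails on a configuration-map cluster. To run it against a real cluster, replace the three sample variables with the commented live equivalents.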
Related information
Getting started with Amazon EMR on Amazon EKS
Route application and HTTP traffic with Application Load Balancers
Route TCP and UDP traffic with Network Load Balancers
Troubleshoot problems with Amazon EKS clusters and nodes