EKS cluster, AWS Organizations and IAM Identity Center Access


I want to give access to my cluster in our productive account (we have various aws accounts managed by aws organizations) to an IAM Identity Center User or group using the Clusters configmap

I read this article (https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html) but it only gives information about IAM roles or users in that specific account

How can i give access to an specific user/role from IAM Identity Center? Permission sets ARN from Root account will work in the config map? because it says that only ARN like arn:aws:iam::111122223333:role/role-name will work, but Identity centers ARN is like arn:aws:sso:::permissionSet/XY

1 Answer
Accepted Answer


Greetings for the day!!

I hope you are doing good and staying safe.

From your correspondence/query I can understand that you have an EKS cluster and you would like grant access to this EKS cluster to certain IAM identities, especially form identity centre such as sso roles.

I can see that you have mentioned ARN like 'arn:aws:sso:::permissionSet/XY'. By default, when you create a permission set, the permission set isn't provisioned (used in any AWS accounts). To provision a permission set in an AWS account, you must assign IAM Identity Center access to users and groups in the account, and then apply the permission set to those users and groups. For more information, see Single sign-on access to AWS accounts[1].

If permission set is not provisioned, there will be no new role created in the AWS IAM console. Only if the permission set is provisioned, an IAM role can be automatically provisioned. [2]

You can follow these documents for provisioning the permission set[3][4]

As you may already know, with Identity Center, an IAM role is associated with the SSO user, therefore the IAM principal (role) in this case would need to be mapped under the mapRoles section in the aws-auth ConfigMap and not the mapUsers section. As per [5], "For your SSO user to access the Amazon EKS cluster, the IAM role that's associated with your SSO user must be mapped to Kubernetes RBAC permissions. To do this, include the IAM role ARN without the path in the aws-auth ConfigMap."

In conclusion, mapping the SSO role to the aws-auth ConfigMap should fulfil your use case.

Note 1: The role that you add to the ConfigMap should not have the entire path, please refer the shared documents for more information.

Note 2: It is not possible to map an SSO user to a user in Kubernetes. You can only map the IAM role associated with the SSO user, but NOT the SSO user itself as a user in the aws-auth ConfigMap. As long as you map the role associated with the user, your use case will work.

I hope this helps.

Have a fantastic day ahead!!


[1] https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html.




[5] https://repost.aws/knowledge-center/eks-configure-sso-user

answered 2 months ago
profile picture
reviewed a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions