EKS Unauthorized messages even though I'm cluster creator

0

Hello, I'm trying to set up EKS for the first time so that I can set up Kubeflow; however, I am running into authorization issues following the creation of my cluster.

Following this guide, I create my cluster; however, any commands with kubectl following the creation return various errors, much like what is shown here:

    ubuntu:~/environment/kubeflow-manifests ((v1.7.0-aws-b1.0.3)) $ kubectl get svc
    error: You must be logged in to the server (Unauthorized)

    ubuntu:~/environment/kubeflow-manifests ((v1.7.0-aws-b1.0.3)) $ aws sts get-caller-identity
    {
        "UserId": "<USER_ID>",
        "Account": "<ACCOUNT_ID>",
        "Arn": "arn:aws:iam::<ACCOUNT_ID>:user/palmerss"
    }
    ubuntu:~/environment/kubeflow-manifests ((v1.7.0-aws-b1.0.3)) $ kubectl edit configmap aws-auth -n kube-system
    error: You must be logged in to the server (Unauthorized)

The palmerss user does have an IAM policy that allows eks:* to * resources.

I've also tried to do

    aws eks update-kubeconfig --name eks-cluster-name --region aws-region

even though I had just created the cluster from the same machine/terminal.

1 Answer
0

When encountering unauthorized errors with EKS and kubectl, it typically relates to issues with your Kubernetes configuration or IAM role permissions. Here's a step-by-step approach to troubleshoot and resolve the issue:

  1. Check IAM Role: Ensure that the IAM user palmerss has the necessary permissions to interact with the EKS cluster. This user needs eks:DescribeCluster permission to be able to update the kubeconfig file.

  2. Update kubeconfig: The command you've run is correct, but ensure that you're using the exact name of the cluster and the correct region:

    aws eks update-kubeconfig --name <eks-cluster-name> --region <aws-region>

    If you're working with multiple AWS profiles, specify the profile with the --profile flag:

    aws eks update-kubeconfig --name <eks-cluster-name> --region <aws-region> --profile <aws-profile-name>

  3. IAM Authenticator: EKS uses IAM Authenticator for Kubernetes to allow IAM entities to authenticate with your Kubernetes cluster. Make sure the AWS IAM Authenticator for Kubernetes is installed and properly configured on your local machine.

  4. Check ConfigMap: The aws-auth ConfigMap is used in EKS to grant IAM entities permissions to interact with your cluster. Since you're getting an unauthorized error when trying to edit the aws-auth ConfigMap, it's possible that the user palmerss is not mapped correctly.

    As you are the cluster creator, you should have full access to the cluster. However, if the aws-auth ConfigMap has been modified after the cluster creation, it could be the source of the issue.

  5. Assume Role or Federation: If your organization uses assume-role or federation, make sure you have assumed the correct role which has the necessary permissions for EKS.

  6. Correct Context: Make sure you're using the correct context in kubectl. You can check your current context and available contexts with:

    kubectl config current-context
    kubectl config get-contexts

  7. Check EKS Service Role: Ensure that the EKS service role associated with the cluster has the right policies attached and that it's not expired or misconfigured.

  8. Session Tokens: If you are using temporary credentials, check if the session token is set in your environment variables, as this could affect the authorization:

    echo $AWS_SESSION_TOKEN

  9. AWS CLI Version: Make sure you're using the latest version of the AWS CLI, as older versions may not have all the necessary EKS commands.

    aws --version

    Update AWS CLI if necessary.

Ensure that you have backups of your kubeconfig and any other relevant configuration before making changes, to avoid any accidental loss of data or access. If you need more detailed guidance, you can refer to the EKS documentation for troubleshooting authentication issues.

AWS
Obijan
answered 6 months ago
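
The profile, role and context checks in the answer above all ask the same thing: does kubectl request its token as the identity that `aws sts get-caller-identity` printed in the shell? The following is an added example, not part of the answer or of any AWS tooling, that compares the two from the JSON output of `kubectl config view --minify -o json` and `aws sts get-caller-identity`. The function names, the `shell_profile`, `cluster` and `creator_arn` parameters, and the sample values are assumptions made for illustration; the code accepts either `--role` or `--role-arn` in the exec arguments.

```python
import json
import re

def canonical_arn(arn):
    """Reduce an assumed-role or pathed role ARN to arn:...:iam::ACCT:role/NAME."""
    m = re.fullmatch(r"arn:([\w-]+):(?:sts|iam)::(\d+):(assumed-role|role)/(.+)", arn)
    if not m:
        return arn  # IAM users and anything else compare as-is
    parts = m[4].split("/")  # assumed-role/NAME/SESSION or role/PATH/NAME
    name = parts[0] if m[3] == "assumed-role" else parts[-1]
    return f"arn:{m[1]}:iam::{m[2]}:role/{name}"

def kubeconfig_identity(kubeconfig_json):
    """Identity settings of the exec plugin, from `kubectl config view --minify -o json`."""
    exec_cfg = json.loads(kubeconfig_json)["users"][0]["user"].get("exec") or {}
    args = exec_cfg.get("args") or []
    env = {e["name"]: e["value"] for e in exec_cfg.get("env") or []}
    def flag(*names):
        return next((args[i + 1] for i, a in enumerate(args[:-1]) if a in names), None)
    return {"cluster": flag("--cluster-name"), "role": flag("--role-arn", "--role"),
            "profile": flag("--profile") or env.get("AWS_PROFILE")}

def diagnose(kubeconfig_json, caller_json, shell_profile, cluster, creator_arn):
    """Findings where kubectl's identity differs from the shell's (hypothetical helper)."""
    kc = kubeconfig_identity(kubeconfig_json)
    caller = canonical_arn(json.loads(caller_json)["Arn"])
    pinned = kc["profile"] is not None and kc["profile"] != shell_profile
    findings = []
    if kc["cluster"] != cluster:
        findings.append(f"context targets cluster {kc['cluster']!r}, not {cluster!r}")
    if pinned:
        findings.append(f"kubeconfig pins profile {kc['profile']!r}, shell used {shell_profile!r}")
    # A role flag means the token is for that role; otherwise it is for the profile's
    # identity, which matches the shell's only when no other profile is pinned.
    effective = canonical_arn(kc["role"]) if kc["role"] else (None if pinned else caller)
    if effective != canonical_arn(creator_arn):
        findings.append(f"kubectl identity is {effective or 'unverified'}, creator is {creator_arn}")
    return findings

# Constructed sample inputs: account id, profile and cluster names are made up.
SAMPLE_KUBECONFIG = json.dumps({"users": [{"name": "demo", "user": {"exec": {
    "command": "aws",
    "args": ["--region", "us-west-2", "eks", "get-token", "--cluster-name", "kubeflow"],
    "env": [{"name": "AWS_PROFILE", "value": "ci-deployer"}]}}}]})
SAMPLE_CALLER = json.dumps({"Arn": "arn:aws:iam::111122223333:user/palmerss"})

if __name__ == "__main__":
    print(diagnose(SAMPLE_KUBECONFIG, SAMPLE_CALLER, None, "kubeflow",
                   json.loads(SAMPLE_CALLER)["Arn"]))
```

An "unverified" finding means the kubeconfig pins a profile the shell did not use, so the identity has to be checked again with that profile before comparing it to the creator.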
