Grant Cluster Access

How to Grant Cluster Access

You can access your cluster using AWS IAM roles in the dashboard. When you create an EKS cluster, the IAM entity is granted system:masters permissions in Kubernetes Role Based Access Control (RBAC).

Configuration in the control plane as discussed in the EKS Cluster IAM Policies and Roles page.

If the EKS cluster was created as a cluster against self-managed AWS cluster that uses IAM Instance Profiles, you will need to modify the IAMAuthenticatorConfig field in the AWSManagedControlPlane API object to allow other IAM entities to access EKS workload cluster. Follow the steps below:

1. Execute the following command against the self-managed AWS cluster, you are creating the workload EKS cluster against. Ensure you substitute ${CLUSTER_NAME} and ${CLUSTER_NAMESPACE} with their corresponding values for your cluster.

   CODE

   kubectl edit awsmanagedcontrolplane ${CLUSTER_NAME}-control-plane -n ${CLUSTER_NAMESPACE}

2. Edit the IamAuthenticatorConfig field with the IAM Role to the corresponding Kubernetes Role. In this example, the IAM role arn:aws:iam::111122223333:role/PowerUser is granted the cluster role system:masters. Note that this example uses example AWS resource ARNs, so these values should be substituted for real values in the corresponding AWS account.

   CODE

   iamAuthenticatorConfig:
       mapRoles:
         - groups:
           - system:bootstrappers
           - system:nodes
           rolearn: arn:aws:iam::111122223333:role/nodes.cluster-api-provider-aws.sigs.k8s.io
           username: system:node:{{EC2PrivateDNSName}}
         - groups:
           - system:masters
           rolearn: arn:aws:iam::111122223333:role/Mesosphere-PowerUser
           username: admin

For further instructions on changing or assigning roles or clusterroles to which you can map IAM users or roles, see Amazon Enabling IAM access to your cluster.