1. 技术文章
  2. Enabling AWS Group to access AWS EKS cluster

Enabling AWS Group to access AWS EKS cluster

て烟熏妆下的殇ゞ 提交于 2020-06-16 18:07:02

问题


This question is essentially a duplicate of Adding IAM Group to aws-auth configmap in AWS EKS. However, the question does not have an accepted answer and I would like to provide more context.

I know that aws-auth ConfigMap object does not allow mapping AWS Group directly. A workaround would be to map an AWS Role instead. I tried that but were unable to get it working. Mapping an AWS User works without issues.

I setup an AWS Role arn:aws:iam::027755483893:role/development-readwrite with account 027755483893 as being the trusted entity and attached the following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::027755483893:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I setup an AWS Group arn:aws:iam::027755483893:group/development-readwrite and attached the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::027755483893:role/development-readwrite"
            ]
        }
    ]
}

I setup the aws-auth ConfigMap as follows:

apiVersion: v1
data:
  mapRoles: |
    # Other mappings omitted for clarity
    - groups:
      - system:masters
      rolearn: arn:aws:iam::027755483893:role/development-readwrite
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2019-08-21T08:25:15Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "62031092"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 33b33620-c3ed-11e9-83c0-029bc9dcca16

However, none of the users in the group have access to the cluster. Do the users need to explicitly assume role? Is there anything else I'm missing?


回答1:


In this case the users indeed need to explicitly assume the role. The fact that the users can assume the role is not enough for them to actually have access to the cluster.

One approach that can simplify it for your users is by creating a kubeconfig with the aws get token call. This allows you to specify a role_arn of a role to assume for the cluster.



来源:https://stackoverflow.com/questions/62262710/enabling-aws-group-to-access-aws-eks-cluster

标签
amazon-web-services
amazon-iam
amazon-eks
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!