How to enable IAM and AWS SSO access to EKS
Update 2024-01-18: See also New EKS IAM Auth Changes
When an EKS cluster is created, the user that created the cluster is the owner and is granted permanent admin access to the cluster.
I’m going to show you how to use IAM roles and AWS SSO to manage access to EKS.
First, create an EKS cluster.
Once you have an EKS cluster, you'll need to get kubectl access to it.
Note that you'll need to have aws-cli installed if you don't have it already; you can find the instructions on how to do that here.
Once you have aws-cli installed, run:
aws eks update-kubeconfig --name <name of your cluster>
This updates your kubeconfig (~/.kube/config by default) so that you can access your cluster from your machine.
You'll need kubectl installed for the next steps if you don't have it already; here's a link to the documentation on installing kubectl.
Let’s test your connection to your cluster with:
kubectl get ns
You should get some results back for the namespaces created by default.
EKS clusters store AWS authentication configuration in a Kubernetes ConfigMap in the kube-system namespace.
Let’s edit it:
kubectl edit configmap/aws-auth -n kube-system
You’ll see something that looks like this:
apiVersion: v1
data:
  mapAccounts: |
    []
  mapRoles: |
    # redacted
  mapUsers: |
    []
kind: ConfigMap
To allow an AWS IAM role to access your cluster, you need to modify the mapRoles section.
Find the ARN of the IAM role that you’d like to have access to the cluster and add an entry that looks like this:
apiVersion: v1
data:
  mapAccounts: |
    []
  mapRoles: |
    - "groups":
      - "system:masters"
      "rolearn": "arn:aws:iam::<AWS ACCOUNT ID>:role/AWSReservedSSO_AWSAdministratorAccess_xxxxxxxxxxxxx"
      "username": "admin"
  mapUsers: |
    []
kind: ConfigMap
The username can be set to anything. Set the rolearn value to the ARN of the IAM role you found earlier.
Note: For SSO roles, you might find that in the IAM console the ARN has additional path segments in the middle that I didn't put here:
arn:aws:iam::<AWS ACCOUNT ID>:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_AWSAdministratorAccess_xxxxxxxxxxxxx
You have to remove the /aws-reserved/sso.amazonaws.com/us-east-1 section like I did above or it won't work.
Save your aws-auth ConfigMap and you should now be able to access the cluster using the role you just mapped.
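As an added example (not code from the original post), here is a small Python helper that does the ARN cleanup described above for any IAM role path, not only the SSO one, renders the mapRoles entry in the same style as the ConfigMap shown, and builds the JSON merge patch you could hand to kubectl patch instead of editing by hand. The account id, role name, username and the eks-admin role are constructed placeholders.

```python
import json
import re

# IAM role ARN with an optional path (e.g. "aws-reserved/sso.amazonaws.com/us-east-1/")
# captured separately from the role name. Partition covers aws, aws-us-gov and aws-cn.
ROLE_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):iam::(?P<account>\d{12}):role/"
    r"(?P<path>(?:[^/]+/)*)(?P<name>[\w+=,.@-]+)$"
)


def normalize_role_arn(arn: str) -> str:
    """Return the role ARN without its path, which is the form aws-auth mapRoles expects."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return f"arn:{m['partition']}:iam::{m['account']}:role/{m['name']}"


def map_roles_entry(arn: str, username: str, groups: list[str]) -> dict:
    """Build one mapRoles entry. system:masters is full cluster admin; prefer a
    narrower RBAC group bound to a Role/ClusterRole where that is enough."""
    return {"groups": list(groups), "rolearn": normalize_role_arn(arn), "username": username}


def render_map_roles(entries: list[dict]) -> str:
    """Render the YAML list stored in the mapRoles string; rejects duplicate rolearns,
    since a second entry for the same role silently shadows the first."""
    seen, lines = set(), []
    for e in entries:
        if e["rolearn"] in seen:
            raise ValueError(f"duplicate rolearn: {e['rolearn']}")
        seen.add(e["rolearn"])
        lines.append('- "groups":')
        lines.extend(f'  - "{g}"' for g in e["groups"])
        lines.append(f'  "rolearn": "{e["rolearn"]}"')
        lines.append(f'  "username": "{e["username"]}"')
    return "\n".join(lines) + "\n"


def aws_auth_merge_patch(entries: list[dict]) -> str:
    """JSON body for: kubectl patch configmap aws-auth -n kube-system --type merge -p '<body>'
    The patch replaces the whole mapRoles string, so pass every entry you want to keep."""
    return json.dumps({"data": {"mapRoles": render_map_roles(entries)}})


if __name__ == "__main__":
    # Constructed sample: the SSO admin role as it appears in the IAM console, plus a second role.
    sso = "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_AWSAdministratorAccess_xxxxxxxxxxxxx"
    entries = [map_roles_entry(sso, "admin", ["system:masters"]),
               map_roles_entry("arn:aws:iam::123456789012:role/eks-admin", "eks-admin", ["system:masters"])]
    print(aws_auth_merge_patch(entries))
```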