K
Q

Adding IAM Group to aws-auth configmap in AWS EKS

4/1/2019

The aws-auth configmap in AWS EKS performs a mapping between IAM users/roles to kubernetes RBAC roles. However, the documentation does not specify anything on adding IAM groups to the configmap.

We use multiple namespaces, each namespace managed by a different team. I created a set of kubernetes RBAC roles, limited to the different namespaces. Now I want to give everbody in the teams IAM group that specific role.

Is it possible to add IAM groups in the aws-auth configmap? If not, what would the proposed solution be? Create a IAM role per team and allow only members of the IAM group the permission to assume that role?

-- Blokje5
amazon-iam
amazon-web-services
aws-eks
kubernetes

Similar Questions

Desired GKE pod not found , google cloud composer
What are the benefits of enabling mTLS in Istio?
What is the deployment controller sync period for kube-controller-manager?
Horizontal Pod Autoscaler (HPA): Current utilization: <unknown> with custom namespace
terminationGracePeriodSeconds not shown in kubectl describe result
Why does kubectl cp command terminates with exit code 126?

1 Answer

4/1/2019

You can take a look here.

TLDR
1. Create a role that allows full API access
2. Create a RoleBinding for that role to your target namespace with a named apiGroup as the subjects.
3. Add an entry for your IAM user in the aws-auth ConfigMap to add the mapUser to the named aforementioned apiGroup.

Hope this helps!

-- Frank Yucheng Gu
Source: StackOverflow