The aws-auth ConfigMap in AWS EKS performs a mapping from IAM users/roles to Kubernetes RBAC roles. However, the documentation does not specify anything on adding IAM groups to the ConfigMap.
We use multiple namespaces, each namespace managed by a different team. I created a set of Kubernetes RBAC roles, limited to the different namespaces. Now I want to give everybody in the team's IAM group that specific role.
Is it possible to add IAM groups in the aws-auth ConfigMap? If not, what would the proposed solution be? Create an IAM role per team and allow only members of the IAM group the permission to assume that role?
You can take a look here.
TLDR
1. Create a role that allows full API access
2. Create a RoleBinding for that role to your target namespace with a named apiGroup as the subjects.
3. Add an entry for your IAM user in the aws-auth ConfigMap to add the mapUser to the named aforementioned apiGroup.
Hope this helps!
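The three steps above as manifests. This is an added example, not part of the original answer. The namespace `team-a`, the names `team-a-full-access` and `team-a-admins`, the account ID and the user `alice` are placeholders. The RoleBinding subject is a Kubernetes group name, and the `groups` list in the aws-auth entry is what puts the IAM user into it.

```yaml
# Added example: all names, the account ID and the user ARN are placeholders.

# 1. Namespaced Role: full API access, but only inside namespace team-a.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: team-a-full-access
  namespace: team-a
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
# 2. RoleBinding: grants that Role to a Kubernetes group in the same namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-full-access
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-admins              # Kubernetes group name, not an IAM group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: team-a-full-access
  apiGroup: rbac.authorization.k8s.io
---
# 3. aws-auth: map the IAM user to the group named in the RoleBinding.
#    Merge this entry into the existing ConfigMap (kubectl edit); applying this
#    file as-is would drop the existing mapRoles entries that let nodes join.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapUsers: |
    - userarn: arn:aws:iam::111122223333:user/alice
      username: alice
      groups:
        - team-a-admins              # must match the RoleBinding subject name
```

Because the grant is a namespaced Role rather than a ClusterRole, the mapped user's access stops at the `team-a` boundary; `kubectl auth can-i --list -n team-a --as alice --as-group team-a-admins` shows what the binding actually allows.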