How can I assign the same RBAC role to two different IAM roles to access a cluster in EKS?

7/23/2020

I would like to give a certain team access to the system:masters group in RBAC. My team (AWSReservedSSO_Admin_xxxxxxxxxx in the example below) already has it, and it works when I only add that one rolearn, but when I apply the configmap below with the additional rolearn, users under the AWSReservedSSO_Dev_xxxxxxxxxx role still get this error when trying to access the cluster: error: You must be logged in to the server (Unauthorized)

(note: we are using AWS SSO, so the IAM roles are assumed):

---
apiVersion: v1
kind: ConfigMap
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
      groups:
      - system:bootstrappers
      - system:nodes
      username: system:node:{{EC2PrivateDNSName}}
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_xxxxxxxxxx
      groups:
      - system:masters
      username: admin
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
      groups:
      - system:masters
      username: admin
metadata:
  name: aws-auth
  namespace: kube-system
-- tonymagz
amazon-eks
amazon-iam
kubernetes
rbac
yaml

2 Answers

7/24/2020

I'm not sure how you are assuming the roles ❓ and your configuration looks fine, but the reason could be that you are mapping the same user to two different roles. AWS IAM only allows a user to assume one role at a time; basically, as an AWS IAM user, you can't assume multiple IAM roles at the same time.

You can try with different users and see if it works for you.

---
apiVersion: v1
kind: ConfigMap
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
      groups:
      - system:bootstrappers
      - system:nodes
      username: system:node:{{EC2PrivateDNSName}}
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_xxxxxxxxxx
      groups:
      - system:masters
      username: admin
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
      groups:
      - system:masters
      username: admin2
metadata:
  name: aws-auth
  namespace: kube-system

The other aspect that you may be missing is the 'Trust Relationship' 🤝 in your arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx role that allows admin to assume the role.


✌️☮️

-- Rico
Source: StackOverflow

9/11/2020

Thanks Rico. When you sign in with SSO, you are assuming a role in STS. You can verify this by running aws sts get-caller-identity.

You were right that the username was wrong, but it didn't solve the whole issue.

It took a long time, but my teammate finally found the solution for this in this guide.

The problem was the ARN for the IAM Role:

rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx

This part, aws-reserved/sso.amazonaws.com/, needs to be removed from the name. So in the end, combined with Rico's suggested username fix:

---
apiVersion: v1
kind: ConfigMap
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
      groups:
      - system:bootstrappers
      - system:nodes
      username: system:node:{{EC2PrivateDNSName}}
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/AWSReservedSSO_Admin_xxxxxxxxxx
      groups:
      - system:masters
      username: admin
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/AWSReservedSSO_Dev_xxxxxxxxxx
      groups:
      - system:masters
      username: admin2
metadata:
  name: aws-auth
  namespace: kube-system

The issue is finally fixed, and SSO users assuming the role can run kubectl commands!

-- tonymagz
Source: StackOverflow
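As an added check (not from the question or either answer), here is a small Python lint for the mapRoles block that flags the two things this thread tripped over: a role ARN that still carries its aws-reserved/sso.amazonaws.com/ path, and the same username mapped to more than one role. It also lists every entry that grants system:masters, since each of those is a cluster-admin grant worth reviewing; the sample block, account id and role suffixes are constructed placeholders, and fix_role_paths rewrites every rolearn to its path-less form.

```python
import re
from collections import Counter

# Constructed sample: the question's mapRoles block with the SSO role ARNs
# as the console shows them (path still present) and a reused username.
MAP_ROLES = """\
- rolearn: arn:aws:iam::111122223333:role/eks-node-group
  groups:
  - system:bootstrappers
  - system:nodes
  username: system:node:{{EC2PrivateDNSName}}
- rolearn: arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_0123456789ab
  groups:
  - system:masters
  username: admin
- rolearn: arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_0123456789ab
  groups:
  - system:masters
  username: admin
"""

def parse_map_roles(text):
    """Minimal reader for the mapRoles list (rolearn, groups, username only)."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("- rolearn:"):
            entries.append({"rolearn": s.split(":", 1)[1].strip(), "groups": [], "username": ""})
        elif s.startswith("username:") and entries:
            entries[-1]["username"] = s.split(":", 1)[1].strip()
        elif s.startswith("- ") and entries:
            entries[-1]["groups"].append(s[2:].strip())
    return entries

def strip_role_path(arn):
    """aws-auth matches on arn:...:role/<name>; a path component breaks the match."""
    m = re.fullmatch(r"(arn:aws[\w-]*:iam::\d{12}:role)/(?:.+/)?([^/]+)", arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    return f"{m.group(1)}/{m.group(2)}"

def lint_map_roles(text):
    """Return (kind, value) findings: ARNs with a path, reused usernames, cluster-admin grants."""
    entries = parse_map_roles(text)
    findings = [("path-in-arn", e["rolearn"]) for e in entries if e["rolearn"] != strip_role_path(e["rolearn"])]
    findings += [("duplicate-username", u) for u, n in Counter(e["username"] for e in entries).items() if n > 1]
    findings += [("cluster-admin", e["rolearn"]) for e in entries if "system:masters" in e["groups"]]
    return findings

def fix_role_paths(text):
    return re.sub(r"arn:aws[\w-]*:iam::\d{12}:role/\S+", lambda m: strip_role_path(m.group(0)), text)
```

Run lint_map_roles over the block before you kubectl apply it; after fix_role_paths the path findings disappear, but the duplicate username still has to be resolved by hand, as in the accepted fix.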