I would like to give a certain team access to the system:masters group in RBAC. My team (AWSReservedSSO_Admin_xxxxxxxxxx in the example below) already has it, and it works when I only add that one rolearn, but when I apply the configmap below with the additional rolearn, users under the AWSReservedSSO_Dev_xxxxxxxxxx role still get this error when trying to access the cluster: error: You must be logged in to the server (Unauthorized) (note: we are using AWS SSO, so the IAM roles are assumed):
---
apiVersion: v1
kind: ConfigMap
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
      groups:
        - system:bootstrappers
        - system:nodes
      username: system:node:{{EC2PrivateDNSName}}
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_xxxxxxxxxx
      groups:
        - system:masters
      username: admin
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
      groups:
        - system:masters
      username: admin
metadata:
  name: aws-auth
  namespace: kube-system
I'm not sure how you are assuming the roles ❓ and your configuration looks fine, but the reason could be that you are mapping the same user to two different roles. AWS IAM only allows a user to assume one role at a time; basically, as an AWS IAM user, you can't assume multiple IAM roles at the same time.
You can try with different users and see if it works for you.
---
apiVersion: v1
kind: ConfigMap
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
      groups:
        - system:bootstrappers
        - system:nodes
      username: system:node:{{EC2PrivateDNSName}}
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_xxxxxxxxxx
      groups:
        - system:masters
      username: admin
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
      groups:
        - system:masters
      username: admin2
metadata:
  name: aws-auth
  namespace: kube-system
The other aspect that you may be missing is the 'Trust Relationship' 🤝 in your arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx role that allows admin to assume the role.
✌️☮️
Thanks Rico. When you sign in with SSO, you are assuming a role in STS. You can verify this by running aws sts get-caller-identity.
You were right that the username was wrong, but it didn't solve the whole issue.
Took a long time, but my teammate finally found the solution for this in this guide.
The problem was the ARN for the IAM Role:
rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
This part, aws-reserved/sso.amazonaws.com/, needs to be removed from the name. So in the end, combined with Rico's suggested username fix:
---
apiVersion: v1
kind: ConfigMap
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
      groups:
        - system:bootstrappers
        - system:nodes
      username: system:node:{{EC2PrivateDNSName}}
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/AWSReservedSSO_Admin_xxxxxxxxxx
      groups:
        - system:masters
      username: admin
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/AWSReservedSSO_Dev_xxxxxxxxxx
      groups:
        - system:masters
      username: admin2
metadata:
  name: aws-auth
  namespace: kube-system
The issue is finally fixed, and SSO users assuming the role can run kubectl commands!
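The two fixes that resolved this thread (Rico's unique-username suggestion and the removal of the aws-reserved/sso.amazonaws.com/ path from the rolearn) are both mechanical checks, so here is a small linter for the mapRoles entries of an aws-auth ConfigMap. This is an added example, not code from the thread or from AWS; it assumes the mapRoles entries have already been loaded into Python dicts (the sample below is constructed from the question's first ConfigMap, with the page's placeholder account id), and the function names, finding codes and the helper that converts an `aws sts get-caller-identity` ARN into a mapRoles rolearn are this example's own. It also goes slightly beyond the thread by flagging every role placed in system:masters, since that group is cluster-admin-equivalent and a reviewer of this ConfigMap would want that list visible.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# IAM role ARN with an optional path, e.g.
#   arn:aws:iam::ACCOUNT:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxx
IAM_ROLE_ARN = re.compile(
    r"^arn:aws:iam::(?P<account>[^:]*):role/(?P<path>(?:[^/]+/)*)(?P<name>[^/]+)$"
)
# Assumed-role ARN as reported by `aws sts get-caller-identity` after an SSO login:
#   arn:aws:sts::ACCOUNT:assumed-role/ROLE_NAME/SESSION_NAME  (no path component)
STS_ASSUMED_ROLE_ARN = re.compile(
    r"^arn:aws:sts::(?P<account>[^:]*):assumed-role/(?P<name>[^/]+)/(?P<session>[^/]+)$"
)

# Constructed sample: the three mapRoles entries from the question's first ConfigMap.
SAMPLE_MAP_ROLES: List[Dict] = [
    {"rolearn": "arn:aws:iam::xxxxxxxxxxx:role/eks-node-group",
     "groups": ["system:bootstrappers", "system:nodes"],
     "username": "system:node:{{EC2PrivateDNSName}}"},
    {"rolearn": "arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_xxxxxxxxxx",
     "groups": ["system:masters"], "username": "admin"},
    {"rolearn": "arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx",
     "groups": ["system:masters"], "username": "admin"},
]


def strip_role_path(rolearn: str) -> str:
    """Return the role ARN without its path; aws-auth expects the path-less form.
    ARNs that are not IAM role ARNs are returned unchanged."""
    m = IAM_ROLE_ARN.match(rolearn)
    if not m:
        return rolearn
    return f"arn:aws:iam::{m['account']}:role/{m['name']}"


def sts_arn_to_role_arn(sts_arn: str) -> Optional[str]:
    """Convert the caller-identity ARN of an assumed role into the rolearn that
    mapRoles should contain (hypothetical helper; returns None for other ARN kinds)."""
    m = STS_ASSUMED_ROLE_ARN.match(sts_arn)
    if not m:
        return None
    return f"arn:aws:iam::{m['account']}:role/{m['name']}"


def lint_map_roles(entries: List[Dict]) -> List[Tuple[str, str]]:
    """Return (code, message) findings: 'role-path' for ARNs that still carry a path,
    'duplicate-username' for a literal username shared by several roles, and
    'system-masters' listing every role granted cluster-admin via system:masters."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        m = IAM_ROLE_ARN.match(e["rolearn"])
        if m and m["path"]:
            findings.append(("role-path",
                             f"{e['rolearn']}: drop the path, use {strip_role_path(e['rolearn'])}"))
    # Templated usernames such as system:node:{{EC2PrivateDNSName}} expand per node,
    # so only literal usernames are checked for collisions.
    counts = Counter(e["username"] for e in entries if "{{" not in e["username"])
    for name, n in counts.items():
        if n > 1:
            findings.append(("duplicate-username", f"username {name!r} is mapped to {n} roles"))
    masters = [e["rolearn"] for e in entries if "system:masters" in e.get("groups", [])]
    if masters:
        findings.append(("system-masters",
                         f"{len(masters)} role(s) in system:masters: {', '.join(masters)}"))
    return findings


def normalize_map_roles(entries: List[Dict]) -> List[Dict]:
    """Copy of the entries with every rolearn reduced to its path-less form.
    Usernames are left alone: picking distinct names is a human decision."""
    return [dict(e, rolearn=strip_role_path(e["rolearn"])) for e in entries]


if __name__ == "__main__":
    for code, msg in lint_map_roles(SAMPLE_MAP_ROLES):
        print(f"[{code}] {msg}")
    print("after normalize:")
    for code, msg in lint_map_roles(normalize_map_roles(SAMPLE_MAP_ROLES)):
        print(f"[{code}] {msg}")
```

Running it against the sample reports the two SSO path findings and the shared admin username; after normalize_map_roles the path findings disappear while the username collision remains, which matches the thread's experience that both changes were needed. The sts_arn_to_role_arn helper is the check to run first: paste the Arn from aws sts get-caller-identity and the function returns exactly the rolearn string that must appear in mapRoles.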