I have now spent two and a half hours trying to fix an issue which is driving me crazy. I have created an EKS cluster. Then I created two users in AWS IAM with an eks_admin role. Once done, I updated the aws-auth configmap to add the two users. The issue is that it works for one user but not for the second one!
I have dug through the AWS docs and Stack Overflow. Some say that it's not sufficient to create the configmap; one also has to create a ClusterRoleBinding for the newly created users. The issue is that I did not create the binding for the first user and it works. I have tried to create it for the second one, with no luck. When I run aws eks get-token, I get a token.
Can anyone point me in the right direction? I'm on the edge of losing my nerve. Here's the configmap I have:
Name:         aws-auth
Namespace:    kube-system
Labels:       <none>
Annotations:  <none>

Data
====
mapRoles:
----
- rolearn: arn:aws:iam::xxxxxxxxxxxxx:role/k8s-nodegroup-NodeInstanceRole-xxxxxxxxxxxxx
  username: system:node:{{EC2PrivateDNSName}}
  groups:
  - system:bootstrappers
  - system:nodes

mapUsers:
----
- rolearn: arn:aws:iam::xxxxxxxxxx:user/yyyyyy
  username: yyyyyy
  groups:
  - system:masters
- rolearn: arn:aws:iam::xxxxxxxxxxxx:user/zzzzz
  username: zzzzzz
  groups:
  - system:masters

Events:  <none>
I have this in the control plane authenticator logs:
time="2020-12-23T10:46:15Z" level=warning msg="access denied" arn="arn:aws:iam::xxxxxxxxxx:user/yyyyy" client="127.0.0.1:37622" error="ARN is not mapped: arn:aws:iam::xxxxxxxxxxxx:user/yyyyyyy" method=POST path=/authenticate sts=sts.amazonaws.com
I don't get it, since it's mapped as stated in the configmap.
Issues are finally fixed. I have modified the configmap to use userarn instead of rolearn, which is the way it should always be done, and then I had to create the ClusterRoleBinding for both users. What I still don't get is why/how it previously worked for the first user, who had rolearn and no ClusterRoleBinding.
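As an added example (not from the original post or from AWS), here is what a corrected aws-auth ConfigMap of the kind the fix describes looks like: IAM users go under mapUsers keyed by userarn, and rolearn is only valid under mapRoles. The authenticator matches the caller's ARN against the userarn/rolearn keys, so an entry with the wrong key is simply never matched and produces exactly the "ARN is not mapped" warning above; aws eks get-token still succeeds in that case because it only presigns an STS GetCallerIdentity request locally and never consults the cluster. The example goes beyond the post in one way: the second user is mapped to a custom group that is bound to the built-in view ClusterRole rather than to system:masters. system:masters is already bound to cluster-admin by a default ClusterRoleBinding on every cluster, so it needs no extra binding; a custom group does. The account ID, user names and the eks-readonly group name are placeholders.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  # Each value is a YAML string that the authenticator parses itself,
  # so indentation and the "- " list markers inside it must be valid YAML.
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/k8s-nodegroup-NodeInstanceRole-EXAMPLE   # placeholder ARN
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  mapUsers: |
    # IAM users are keyed by userarn, never rolearn.
    - userarn: arn:aws:iam::111122223333:user/yyyyyy   # placeholder
      username: yyyyyy
      groups:
        - system:masters        # full admin; already bound to cluster-admin, no binding needed
    - userarn: arn:aws:iam::111122223333:user/zzzzzz   # placeholder
      username: zzzzzz
      groups:
        - eks-readonly          # custom group: needs the ClusterRoleBinding below
---
# Binding for the custom group. Without this, zzzzzz authenticates fine
# but every API request is denied by RBAC.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks-readonly-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: eks-readonly
```

Apply with kubectl apply -f as a user who already has access, then check the result from the mapped user's side with kubectl auth can-i list pods and kubectl auth can-i delete pods --all-namespaces: the first should answer yes and the second no for zzzzzz. If a user still gets "ARN is not mapped", compare the ARN in the authenticator warning character by character with the userarn in the ConfigMap before touching RBAC, since an authentication failure is never fixed by a ClusterRoleBinding.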