AWS eks user gets error: You must be logged in to the server (Unauthorized)

12/23/2020

I have now spent two and a half hours trying to fix an issue which is driving me crazy. I created an EKS cluster. Then I created 2 users in AWS IAM with an eks_admin role. Once done, I updated the aws-auth configmap to add the 2 users. The issue is that it works for one user but not for the second one!

I have dug through the AWS docs and Stack Overflow... Some say that it's not sufficient to create the configmap; one also has to create a ClusterRoleBinding for the newly created users. The issue is that I did not create the binding for the first user and it works. I have tried to create it for the second one and no luck. When I issue an aws eks get-token I get one.

Can anyone point me in the right direction? I'm on the edge of losing my nerves... Here's the configmap I have:

Name:         aws-auth
Namespace:    kube-system
Labels:       <none>
Annotations:  <none>

Data
====
mapRoles:
----
- rolearn: arn:aws:iam::xxxxxxxxxxxxx:role/k8s-nodegroup-NodeInstanceRole-xxxxxxxxxxxxx
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes

mapUsers:
----
- rolearn: arn:aws:iam::xxxxxxxxxx:user/yyyyyy
  username: yyyyyy
  groups:
    -system:masters
- rolearn: arn:aws:iam::xxxxxxxxxxxx:user/zzzzz
  username: zzzzzz
  groups:
    -system:masters

Events:  <none>

I have this in the control plane authenticator logs:

time="2020-12-23T10:46:15Z" level=warning msg="access denied" arn="arn:aws:iam::xxxxxxxxxx:user/yyyyy" client="127.0.0.1:37622" error="ARN is not mapped: arn:aws:iam::xxxxxxxxxxxx:user/yyyyyyy" method=POST path=/authenticate sts=sts.amazonaws.com

I don't get it, since it's mapped as stated in the configmap file.

-- moulip
amazon-eks
amazon-web-services
configmap
kubernetes
user-permissions

1 Answer

12/23/2020

The issues are finally fixed. I modified the configmap to use userarn instead of rolearn, which is the way it should always be done, and then I had to create the ClusterRoleBinding for both users. What I still don't get is why/how it previously worked for the first user, who had rolearn and no ClusterRoleBinding...

-- moulip
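The mistake in the question (rolearn under mapUsers) is easy to miss by eye because aws-iam-authenticator silently ignores keys it does not know, so the entry simply never matches and the log says "ARN is not mapped". The following checker is an added example, not code from the original post: it reads the mapUsers/mapRoles data of an aws-auth ConfigMap and flags an ARN key that does not belong to the section, an ARN whose resource type disagrees with the key, group lines written as "-system:masters" without a space (as in the configmap posted above), and a mapping straight onto system:masters. The account ID, user names and the eks-admins group are placeholders, and the line-based parser is a stand-in for a real YAML library so the block runs without PyYAML.

```python
"""Lint the mapUsers/mapRoles data of an EKS aws-auth ConfigMap.

Added example, not code from the original post. The parser handles only the
flat YAML shape aws-auth uses (list items of key/value pairs plus a nested
'groups' list); real tooling should load the ConfigMap with a YAML library.
"""
import re

ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/[\w+=,.@/-]+$")
KV_RE = re.compile(r"^(-\s*)?(\w+):\s+(\S.*)$")   # 'key: value' (colon + space)
LIST_KEY_RE = re.compile(r"^(-\s*)?(\w+):\s*$")   # 'groups:' opening a nested list
GROUP_RE = re.compile(r"^-\s+(\S+)$")              # '- system:masters'

# aws-iam-authenticator reads only these keys; any other key in an item is
# ignored, so the identity stays unmapped ("ARN is not mapped").
EXPECTED_KEY = {"mapUsers": "userarn", "mapRoles": "rolearn"}
EXPECTED_TYPE = {"userarn": "user", "rolearn": "role"}


def parse_items(text):
    """Return the list items of one section as dicts: keys, groups, bad_groups."""
    items, cur, in_groups = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "----":          # '----' is kubectl describe noise
            continue
        kv, lk = KV_RE.match(line), LIST_KEY_RE.match(line)
        if (kv and kv.group(1)) or (lk and lk.group(1)):   # '- key...' starts an item
            cur = {"keys": {}, "groups": [], "bad_groups": []}
            items.append(cur)
            in_groups = False
        if cur is None:
            continue                             # stray text before the first item
        if kv:
            cur["keys"][kv.group(2)] = kv.group(3)
            in_groups = False
        elif lk:
            in_groups = lk.group(2) == "groups"
        elif in_groups:
            g = GROUP_RE.match(line)
            (cur["groups"].append(g.group(1)) if g else cur["bad_groups"].append(line))
    return items


def lint_aws_auth(data):
    """data is the ConfigMap's .data mapping. Returns [(level, message), ...];
    an empty list means every entry is well-formed."""
    findings = []
    for section, expected in EXPECTED_KEY.items():
        for n, item in enumerate(parse_items(data.get(section, "")), 1):
            where, keys = f"{section}[{n}]", item["keys"]
            arn = keys.get(expected)
            if arn is None:
                wrong = [k for k in keys if k in EXPECTED_TYPE]
                hint = f"uses '{wrong[0]}'" if wrong else "has no ARN key"
                findings.append(("error", f"{where} {hint} instead of '{expected}'; "
                                 "the authenticator ignores the item, so the ARN stays unmapped"))
            else:
                m = ARN_RE.match(arn)
                if not m:
                    findings.append(("error", f"{where} {expected} is not a valid IAM ARN: {arn}"))
                elif m.group(1) != EXPECTED_TYPE[expected]:
                    findings.append(("error", f"{where} {expected} points at a {m.group(1)} ARN"))
            if "username" not in keys:
                findings.append(("error", f"{where} has no username"))
            for bad in item["bad_groups"]:
                findings.append(("error", f"{where} malformed group entry {bad!r} (expected '- <group>')"))
            if "system:masters" in item["groups"]:
                findings.append(("warn", f"{where} maps to system:masters (cluster-admin); "
                                 "prefer a dedicated group bound with a ClusterRoleBinding"))
    return findings


# Constructed samples modelled on the question; account ID and names are placeholders.
NODE_ROLE = """\
- rolearn: arn:aws:iam::123456789012:role/k8s-nodegroup-NodeInstanceRole-EXAMPLE
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
"""
AS_POSTED = {"mapRoles": NODE_ROLE, "mapUsers": """\
- rolearn: arn:aws:iam::123456789012:user/yyyyyy
  username: yyyyyy
  groups:
    -system:masters
- rolearn: arn:aws:iam::123456789012:user/zzzzzz
  username: zzzzzz
  groups:
    -system:masters
"""}
CORRECTED = {"mapRoles": NODE_ROLE, "mapUsers": """\
- userarn: arn:aws:iam::123456789012:user/yyyyyy
  username: yyyyyy
  groups:
    - eks-admins
- userarn: arn:aws:iam::123456789012:user/zzzzzz
  username: zzzzzz
  groups:
    - eks-admins
"""}

if __name__ == "__main__":
    for name, data in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{name}:", lint_aws_auth(data) or "no findings")
```

Feed it the data values from `kubectl get configmap aws-auth -n kube-system -o yaml`. Two caveats worth knowing when reading the question: `aws eks get-token` only builds a presigned STS GetCallerIdentity request and succeeds whether or not the identity appears in aws-auth, so getting a token proves nothing about the mapping; and EKS grants the IAM identity that created the cluster system:masters without any aws-auth entry, so a first user that works is not evidence that its mapUsers entry is correct. system:masters is already bound to cluster-admin by the default RBAC, so a ClusterRoleBinding is only required when mapping to a group of your own, such as the eks-admins placeholder above.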
Source: StackOverflow