User cannot log into EKS Cluster using kubectl

12/28/2021

I am trying to host an application in AWS Elastic Kubernetes Service (EKS). I have configured the EKS cluster using the AWS Console using an IAM user (user1). Configured the Node Group and added a Node to the EKS Cluster and everything is working fine.

In order to connect to the cluster, I had spun up an EC2 instance (Centos7) and configured the following:

1. Installed docker, kubeadm, kubelet and kubectl.
2. Installed and configured AWS Cli V2.

I had used the AWS_ACCESS_KEY_ID and AWS_SECRET_KEY_ID of user1 to configure AWS Cli from within the EC2 Instance in order to connect to the cluster using kubectl.

I ran the below commands in order to connect to the cluster as user1:

1. aws sts get-caller-identity
2. aws eks update-kubeconfig --name trojanwall --region ap-south-1

I am able to do each and every operation in the EKS cluster as user1.

However, I have now created a new user named 'user2' and I have replaced the current AWS_ACCESS_KEY_ID and AWS_SECRET_KEY_ID with those of user2. Did the same steps and when I try to run 'kubectl get pods', I am getting the following error:


error: You must be logged in to the server (Unauthorized)

Result after running kubectl describe configmap -n kube-system aws-auth as user1:

Name:         aws-auth
Namespace:    kube-system
Labels:       <none>
Annotations:  <none>

Data
====
mapRoles:
----
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::XXXXXXXXXXXX:role/AWS-EC2-Role
  username: system:node:{{EC2PrivateDNSName}}


BinaryData
====

Events:  <none>

Does anyone know how to resolve this?

-- arjunbnair
amazon-eks
amazon-iam
amazon-web-services
kubernetes
linux

1 Answer

12/28/2021

When you create an EKS cluster, only the user that created a cluster has access to it. In order to allow someone else to access the cluster, you need to add that user to the aws-auth. To do this, in your data section, add

mapUsers: |
  - userarn: arn:aws:iam::<your-account-id>:user/<your-username>
    username: <your-username>
    groups:
      - system:masters

You can use different groups, based on the rights you want to give to that user.

If you don't already have a config map on your machine:

1. Download the config map: curl -o aws-auth-cm.yaml https://amazon-eks.s3.us-west-2.amazonaws.com/cloudformation/2020-10-29/aws-auth-cm.yaml
2. Replace default values with your values (role arn, username, account id...)
3. Add the mapUsers section as described above
4. From the terminal execute kubectl apply -f aws-auth-cm.yaml

You can also follow steps from the documentation (it's more detailed)

-- Caldazar
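The answer's mapUsers snippet is easy to get subtly wrong: a misspelled ARN partition or group name (for example "arn:was" or "systems:masters") is accepted by kubectl apply without complaint, and the user simply keeps getting "Unauthorized" or ends up in a group no RBAC binding refers to. The following is an added example, not code from the question or answer: a small Python script that renders a complete aws-auth ConfigMap manifest (the node mapRoles entry from the question plus mapUsers entries) and validates each user entry before you apply it. The account id 111111111111, the users user2 and user3, and the mapping data are constructed sample values; the find_user lookup is a simplified model of the authenticator's exact-ARN match, not the real implementation.

```python
import re

# Constructed sample data: the mapRoles entry from the question and two
# mapUsers entries. The second user entry deliberately reproduces the two
# typos from the original answer ("arn:was", "systems:masters") so the
# validator has something to catch. Account id and user names are placeholders.
SAMPLE_MAP_ROLES = [
    {
        "rolearn": "arn:aws:iam::111111111111:role/AWS-EC2-Role",  # constructed
        "username": "system:node:{{EC2PrivateDNSName}}",
        "groups": ["system:bootstrappers", "system:nodes"],
    }
]
SAMPLE_MAP_USERS = [
    {
        "userarn": "arn:aws:iam::111111111111:user/user2",  # constructed
        "username": "user2",
        "groups": ["system:masters"],
    },
    {
        "userarn": "arn:was:iam::111111111111:user/user3",  # typo on purpose
        "username": "user3",
        "groups": ["systems:masters"],                      # typo on purpose
    },
]

# IAM user ARN: arn:<partition>:iam::<12-digit account>:user/<name>
IAM_USER_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::\d{12}:user/[\w+=,.@/-]+$")
# Built-in Kubernetes groups EKS documents for aws-auth. A "system"-prefixed
# group outside this set is almost certainly a typo: the API server will not
# reject it, the user will just not match any RBAC binding.
KNOWN_SYSTEM_GROUPS = {"system:masters", "system:nodes", "system:bootstrappers"}


def validate_user_entry(entry):
    """Return a list of problems with one mapUsers entry (empty list means OK)."""
    problems = []
    if not IAM_USER_ARN.match(entry.get("userarn", "")):
        problems.append(f"malformed userarn: {entry.get('userarn')!r}")
    if not entry.get("username"):
        problems.append("missing username")
    groups = entry.get("groups", [])
    if not groups:
        problems.append("no groups: user authenticates but has no rights")
    for g in groups:
        if g.startswith("system") and g not in KNOWN_SYSTEM_GROUPS:
            problems.append(f"unknown system group {g!r} (typo?)")
    return problems


def find_user(map_users, caller_arn):
    """Simplified model of the authenticator lookup: exact match on userarn.
    A caller whose ARN is absent (user2 in the question) gets Unauthorized."""
    for entry in map_users:
        if entry.get("userarn") == caller_arn:
            return entry
    return None


def _yaml_list_block(entries, arn_key):
    """Render mapRoles/mapUsers entries as the literal block kubectl expects."""
    lines = []
    for e in entries:
        lines.append(f"    - {arn_key}: {e[arn_key]}")
        lines.append(f"      username: {e['username']}")
        lines.append("      groups:")
        for g in e["groups"]:
            lines.append(f"        - {g}")
    return "\n".join(lines)


def render_aws_auth(map_roles, map_users):
    """Render a complete aws-auth ConfigMap manifest for kubectl apply -f.
    Existing mapRoles must be included, since apply replaces the whole object."""
    return (
        "apiVersion: v1\n"
        "kind: ConfigMap\n"
        "metadata:\n"
        "  name: aws-auth\n"
        "  namespace: kube-system\n"
        "data:\n"
        "  mapRoles: |\n"
        f"{_yaml_list_block(map_roles, 'rolearn')}\n"
        "  mapUsers: |\n"
        f"{_yaml_list_block(map_users, 'userarn')}\n"
    )


if __name__ == "__main__":
    for e in SAMPLE_MAP_USERS:
        print(e["username"], validate_user_entry(e) or "OK")
    print(render_aws_auth(SAMPLE_MAP_ROLES, SAMPLE_MAP_USERS))
```

Run it once before applying the manifest: user2 validates cleanly, user3 is flagged twice (bad ARN partition, unknown group). Two points the validator encodes deliberately: the manifest always carries the existing mapRoles entry, because kubectl apply replaces the whole ConfigMap and dropping the node role breaks the node group; and system:masters is cluster-admin, so for anyone other than a break-glass operator bind a narrower group to a Role or ClusterRole with RBAC and map the user to that group instead.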
Source: StackOverflow