risail

Reputation: 537

aws sso and EKS rbac access denied

I'm trying to configure AWS SSO access to my EKS clusters that are in a child account that I'm an admin of. I'm referencing this document and this stack posting, but I keep getting RBAC errors when I log in with SSO to the child account. How do I properly configure this? I still have IAM access enabled at the moment.

Error in console:

Your current user or role does not have access to Kubernetes objects on this EKS cluster
This may be due to the current user or role not having Kubernetes RBAC permissions to describe cluster resources or not having an entry in the cluster’s auth config map.

Roles:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default:sso-admin
  namespace: default
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapUsers: |
    -  rolearn: arn:aws:iam::xxxxx:role/AWSReservedSSOxxxxx
       username: me:{{SessionName}}
       groups:
          - default:sso-admin

Upvotes: 1

Views: 2993

Answers (1)

Wytrzymały Wiktor

Reputation: 13938

A solution for this issue is well described in the official docs:

How do I resolve the "Your current user or role does not have access to Kubernetes objects on this EKS cluster" error in Amazon EKS?

Short description

You receive this error when you use the AWS Management Console with an AWS Identity and Access Management (IAM) role or user that's not in your Amazon EKS cluster's aws-auth ConfigMap.

When you create an Amazon EKS cluster, the IAM user or role (such as a federated user that creates the cluster) is automatically granted system:masters permissions in the cluster's RBAC configuration. If you access the Amazon EKS console and your IAM user or role isn't part of the aws-auth ConfigMap, then you can't see your Kubernetes workloads or overview details for the cluster.

To grant additional AWS users or roles the ability to interact with your cluster, you must edit the aws-auth ConfigMap within Kubernetes.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

You can follow the steps described there in order to solve your problem.

Upvotes: 2
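An added example, not part of the question or the answer above: a small checker that catches the three things that commonly go wrong when mapping an IAM Identity Center (SSO) role into aws-auth, namely a rolearn placed under mapUsers instead of mapRoles, a role ARN written with its IAM path (aws-auth requires the path stripped), and a mapped group that no RoleBinding/ClusterRoleBinding actually names as a subject. The inputs are plain dicts in the shape you get after parsing the ConfigMap's mapRoles/mapUsers strings; the account id, permission-set name and group names are constructed.

```python
import re

# aws-auth does not honour IAM role paths: an SSO role's real ARN carries a
# "role/aws-reserved/sso.amazonaws.com/<region>/" path that must be dropped.
ROLE_PATH = re.compile(r"^(arn:aws:iam::\d{12}:role/)(?:[^/]+/)+([^/]+)$")

def normalize_role_arn(arn):
    """Return the role ARN without path segments (the form aws-auth expects)."""
    m = ROLE_PATH.match(arn)
    return m.group(1) + m.group(2) if m else arn

def lint_aws_auth(map_roles, map_users, bindings):
    """Return a list of human-readable problems; an empty list means the mapping
    entries are consistent with the cluster's RBAC bindings.
    bindings: list of subject lists taken from RoleBindings/ClusterRoleBindings."""
    bound_groups = {s["name"] for subs in bindings for s in subs if s["kind"] == "Group"}
    problems = []
    for section, entries in (("mapRoles", map_roles), ("mapUsers", map_users)):
        for entry in entries:
            arn = entry.get("rolearn")
            if section == "mapUsers" and arn:
                problems.append(f"mapUsers entry {arn} uses rolearn; role mappings belong in mapRoles")
            if arn and normalize_role_arn(arn) != arn:
                problems.append(f"{arn} carries a path; write it as {normalize_role_arn(arn)}")
            for g in entry.get("groups", []):
                if g not in bound_groups and not g.startswith("system:"):
                    problems.append(f"group {g} is not a subject of any RoleBinding/ClusterRoleBinding; "
                                    f"a Role named {g} grants nothing by itself")
    return problems

# Constructed sample mirroring the question: the SSO role listed under mapUsers,
# with its real path-bearing ARN, mapped to a group that only matches a Role name.
SSO_ARN = ("arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-east-1/"
           "AWSReservedSSO_AdministratorAccess_0123456789abcdef")
BROKEN_USERS = [{"rolearn": SSO_ARN, "username": "me:{{SessionName}}", "groups": ["default:sso-admin"]}]
NO_BINDINGS = []

# Corrected form: the entry lives under mapRoles with the path stripped, and a
# RoleBinding names the mapped group as a Group subject.
FIXED_ROLES = [{"rolearn": normalize_role_arn(SSO_ARN), "username": "sso:{{SessionName}}",
                "groups": ["sso-admins"]}]
ROLEBINDING_SUBJECTS = [[{"kind": "Group", "name": "sso-admins"}]]

if __name__ == "__main__":
    for p in lint_aws_auth([], BROKEN_USERS, NO_BINDINGS):
        print("PROBLEM:", p)
    print("fixed:", lint_aws_auth(FIXED_ROLES, [], ROLEBINDING_SUBJECTS) or "no problems")
```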
