user6826691

Reputation: 2011

How to allow federated users to access k8s cluster

A user is accessing AWS using SAML federation. I need to give him K9s access. The IAM role has trusted entities, and a k8s read policy with accessKubernetesApi.

IAM role arn: arn:aws:iam::123456789:role/CT/PUsers

Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "eks:ListFargateProfiles",
                "eks:ListNodegroups",
                "eks:ListTagsForResource",
                "eks:DescribeIdentityProviderConfig",
                "eks:ListUpdates",
                "eks:DescribeUpdate",
                "eks:AccessKubernetesApi",
                "eks:ListAddons",
                "eks:DescribeCluster",
                "eks:ListIdentityProviderConfigs"
            ],
            "Resource": [
                "arn:aws:eks:us-east-1:123456789:cluster/cluster-name",
                "arn:aws:eks:*:123456789:identityproviderconfig/*/*/*/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "eks:ListClusters",
                "eks:DescribeAddonVersions"
            ],
            "Resource": "*"
        }
    ]
}

Error from kubectl version:

Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.1", GitCommit:"5e58841cce77d4bc13713ad2b91fa0d961e69192", GitTreeState:"archive", BuildDate:"1980-01-01T00:00:00Z", GoVersion:"go1.16.4", Compiler:"gc", Platform:"darwin/amd64"} error: You must be logged in to the server (the server has asked for the client to provide credentials)

His kubeconfig

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: xxxxxxx
    server: https://xxxxxx.gr7.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:123456789:cluster/amp-eks18
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:123456789:cluster/cluster-name
    user: arn:aws:eks:us-east-1:123456789:cluster/cluster-name
  name: stage18
current-context: stage18
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:123456789:cluster/amp-eks18
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - cluster-name
      command: aws
      env: null

aws sts get-caller-identity

{
    "UserId": "xxxxxxxxxxxxxx:[email protected]",
    "Account": "123456789",
    "Arn": "arn:aws:sts::123456789:assumed-role/PUsers/[email protected]"
}

RBAC

Data
====
mapRoles:
----

- groups:
  - xx:developers
  rolearn: arn:aws:sts::123456789:assumed-role/PUsers/[email protected]
  username: [email protected]

IAM credentials are generated from https://github.com/Nike-Inc/gimme-aws-creds

[DEFAULT]
okta_org_url = https://xxxx.okta.com
okta_auth_server =
client_id =
gimme_creds_server = appurl
aws_appname =
aws_rolename =
write_aws_creds = True
cred_profile = ihm
okta_username = [email protected]
app_url = https://xxxx.okta.com/home/amazon_aws/xxxxx/272
resolve_aws_alias = True
include_path = True
preferred_mfa_type = push
remember_device = True
aws_default_duration = 28800
device_token =
output_format = export

Can someone point me to what I'm missing?

Upvotes: 0

Views: 1879

Answers (1)

Reza Nasiri

Reputation: 1435

You need to create RBACs in your cluster and map them to the IAM role that the user is assuming. You can read more here.

Upvotes: 2
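The mapping the answer refers to lives in the aws-auth ConfigMap, and the question's mapRoles entry shows the usual mistake: the rolearn is the per-session STS ARN from get-caller-identity (arn:aws:sts::...:assumed-role/PUsers/user) rather than the IAM role ARN, so the authenticator never matches the federated session and kubectl reports "You must be logged in to the server". The script below is an added example, not code from the question, the answer, or AWS: it derives the role ARN the authenticator expects from the caller identity, strips the IAM path (arn:...:role/CT/PUsers must be written as arn:...:role/PUsers in aws-auth, per AWS's EKS troubleshooting guidance), checks a mapRoles list for these mistakes, and renders the corrected mapRoles block plus a ClusterRoleBinding to the built-in read-only view ClusterRole. The account id, role name, group and user names are constructed placeholders; {{SessionName}} is the aws-iam-authenticator username template that gives each federated session its own Kubernetes username.

```python
"""Check and render the aws-auth mapRoles entry for a SAML-federated IAM role.

Added example (not from the question or answer). All ARNs, the account id,
the group name and the user name are constructed placeholders.
"""
import re

# arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION  (what get-caller-identity returns)
STS_ASSUMED_ROLE = re.compile(
    r"^arn:aws:sts::(?P<account>\d+):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)
# arn:aws:iam::ACCOUNT:role/[PATH/]NAME  (what aws-auth must contain, without PATH)
IAM_ROLE = re.compile(r"^arn:aws:iam::(?P<account>\d+):role/(?P<path_and_name>.+)$")


def iam_role_arn_from_sts(sts_arn: str) -> str:
    """Map a per-session STS ARN to the IAM role ARN the authenticator matches on."""
    m = STS_ASSUMED_ROLE.match(sts_arn)
    if not m:
        raise ValueError(f"not an assumed-role ARN: {sts_arn}")
    return f"arn:aws:iam::{m['account']}:role/{m['role']}"


def aws_auth_role_arn(iam_role_arn: str) -> str:
    """Strip the IAM path: aws-auth does not support paths in rolearn."""
    m = IAM_ROLE.match(iam_role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {iam_role_arn}")
    name = m["path_and_name"].rsplit("/", 1)[-1]
    return f"arn:aws:iam::{m['account']}:role/{name}"


def check_map_roles(entries, caller_arn):
    """Return a list of problems that would stop caller_arn from being mapped."""
    expected = iam_role_arn_from_sts(caller_arn)
    problems, matched = [], False
    for i, e in enumerate(entries):
        rolearn = e.get("rolearn", "")
        if rolearn.startswith("arn:aws:sts::"):
            problems.append(f"entry {i}: rolearn is an STS session ARN; use {expected}")
            continue
        if IAM_ROLE.match(rolearn) and aws_auth_role_arn(rolearn) != rolearn:
            problems.append(f"entry {i}: rolearn has an IAM path; write it as {aws_auth_role_arn(rolearn)}")
            continue
        if rolearn == expected:
            matched = True
            if not e.get("groups"):
                problems.append(f"entry {i}: no groups, so no RoleBinding can apply")
    if not matched:
        problems.append(f"no mapRoles entry for {expected}")
    return problems


def render_map_roles(entries) -> str:
    """Render the YAML list that goes into the ConfigMap's data.mapRoles value."""
    lines = []
    for e in entries:
        lines.append(f"- rolearn: {e['rolearn']}")
        lines.append(f"  username: {e['username']}")
        lines.append("  groups:")
        lines.extend(f"  - {g}" for g in e["groups"])
    return "\n".join(lines) + "\n"


def render_read_only_binding(group: str) -> str:
    """ClusterRoleBinding granting the mapped group the built-in 'view' ClusterRole."""
    return (
        "apiVersion: rbac.authorization.k8s.io/v1\n"
        "kind: ClusterRoleBinding\n"
        f"metadata:\n  name: {group.replace(':', '-')}-view\n"
        "roleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: view\n"
        f"subjects:\n- apiGroup: rbac.authorization.k8s.io\n  kind: Group\n  name: {group}\n"
    )


# Constructed inputs mirroring the question's shape.
CALLER_ARN = "arn:aws:sts::123456789:assumed-role/PUsers/dev@example.com"
IAM_ROLE_WITH_PATH = "arn:aws:iam::123456789:role/CT/PUsers"

# As posted: the STS session ARN pasted into rolearn.
BROKEN = [{"rolearn": CALLER_ARN, "username": "dev@example.com", "groups": ["xx:developers"]}]

# Corrected: role ARN without path, one Kubernetes username per federated session.
FIXED = [{"rolearn": aws_auth_role_arn(IAM_ROLE_WITH_PATH),
          "username": "pusers:{{SessionName}}",
          "groups": ["xx:developers"]}]

if __name__ == "__main__":
    for p in check_map_roles(BROKEN, CALLER_ARN):
        print("broken:", p)
    print("fixed:", check_map_roles(FIXED, CALLER_ARN) or "ok")
    print(render_map_roles(FIXED))
    print(render_read_only_binding("xx:developers"))
```

Apply the rendered mapRoles block with kubectl edit configmap aws-auth -n kube-system (the mapRoles value is a YAML string inside data), and apply the ClusterRoleBinding with kubectl apply; without a binding for the group, a correct mapping only turns the error into "forbidden". Also confirm the kubeconfig context's user name matches an entry under users, since a context pointing at a missing user sends no credentials at all and produces the same "must be logged in" message.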
