How to manage EKS cluster with a user that is not the original creator?

0
votes

EKS cluster has an odd property which is that

When an Amazon EKS cluster is created, the IAM entity (user or role) that creates the cluster is added to the Kubernetes RBAC authorization table as the administrator (with system:master permissions). Initially, only that IAM user can make calls to the Kubernetes API server using kubectl.

source

I have an EKS cluster. The user which originally created it was ephemeral (my organization uses SSO to manage AWS resources and the IAM entity that creates resources is ephemerally created as-needed then destroyed).

Does this mean I am permanently locked out of managing the EKS cluster via kubectl?

2
amazon-web-serviceskuberneteskubectlamazon-eks

2 Answers

3
votes

One workaround (hacky) is that if you create an IAM user with the same name as the IAM user that created the EKS cluster, you will be allowed to manage the EKS cluster via kubectl.

1
votes

If the ephemeral IAM user that was used to create the cluster has already been deleted, then your solution to recreate that user is probably necessary.

But once you have access to the cluster again (or for those who are just looking to add access for another user), you can add IAM roles by editing the aws-auth ConfigMap that EKS creates. When the EKS cluster is created, it adds the creating IAM user to the ConfigMap.

From https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

To grant additional AWS users or roles the ability to interact with your cluster, you must edit the aws-auth ConfigMap within Kubernetes.