This question is essentially a duplicate of Adding IAM Group to aws-auth configmap in AWS EKS. However, the question does not have an accepted answer and I would like to provide more context.
I know that the aws-auth ConfigMap object does not allow mapping an AWS Group directly. A workaround would be to map an AWS Role instead. I tried that but was unable to get it working. Mapping an AWS User works without issues.
I set up an AWS Role arn:aws:iam::027755483893:role/development-readwrite with account 027755483893 as the trusted entity and attached the following trust policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::027755483893:root"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
I set up an AWS Group arn:aws:iam::027755483893:group/development-readwrite and attached the following policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sts:AssumeRole"
          ],
          "Resource": [
            "arn:aws:iam::027755483893:role/development-readwrite"
          ]
        }
      ]
    }
I set up the aws-auth ConfigMap as follows:
    apiVersion: v1
    data:
      mapRoles: |
        # Other mappings omitted for clarity
        - groups:
          - system:masters
          rolearn: arn:aws:iam::027755483893:role/development-readwrite
      mapUsers: |
        []
    kind: ConfigMap
    metadata:
      creationTimestamp: "2019-08-21T08:25:15Z"
      name: aws-auth
      namespace: kube-system
      resourceVersion: "62031092"
      selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
      uid: 33b33620-c3ed-11e9-83c0-029bc9dcca16
However, none of the users in the group have access to the cluster. Do the users need to explicitly assume the role? Is there anything else I'm missing?
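As an added illustration (not part of the question, and not aws-iam-authenticator's own code), the following Python model shows how the authenticator reduces the caller's STS identity to a canonical ARN before matching it against mapUsers and mapRoles. The account and role ARNs are the ones from the question; the IAM user name `alice` is a constructed placeholder for one member of the group.

```python
import re

# Constructed to mirror the mapRoles / mapUsers blocks of the ConfigMap in the
# question, as the authenticator sees them once the YAML block scalars are parsed.
MAP_ROLES = [
    {"rolearn": "arn:aws:iam::027755483893:role/development-readwrite",
     "groups": ["system:masters"]},
]
MAP_USERS = []

# Principal shapes the authenticator canonicalizes: IAM user/role ARNs (any path
# stripped) and STS assumed-role session ARNs (mapped back to the role ARN).
_IAM_RE = re.compile(r"^arn:aws:iam::(\d{12}):(user|role)/(?:[^/]+/)*([^/]+)$")
_STS_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def canonicalize(caller_arn):
    """Reduce the STS caller identity to the ARN form aws-auth entries use."""
    m = _STS_RE.match(caller_arn)
    if m:
        account, role_name = m.groups()
        return f"arn:aws:iam::{account}:role/{role_name}"
    m = _IAM_RE.match(caller_arn)
    if m:
        account, kind, name = m.groups()
        return f"arn:aws:iam::{account}:{kind}/{name}"
    raise ValueError(f"unsupported principal ARN: {caller_arn}")


def resolve_groups(caller_arn, map_users=MAP_USERS, map_roles=MAP_ROLES):
    """Return the Kubernetes groups aws-auth grants this caller, or None if unmapped."""
    canonical = canonicalize(caller_arn)
    for entry in map_users:
        if entry["userarn"] == canonical:
            return entry["groups"]
    for entry in map_roles:
        if entry["rolearn"] == canonical:
            return entry["groups"]
    return None  # no mapping: the authenticator rejects the token as unauthorized


if __name__ == "__main__":
    # A group member calling with their own user credentials: the caller ARN
    # carries no group membership, so the role mapping never matches.
    print(resolve_groups("arn:aws:iam::027755483893:user/alice"))
    # The same person after sts:AssumeRole on development-readwrite.
    print(resolve_groups(
        "arn:aws:sts::027755483893:assumed-role/development-readwrite/alice"))
```

With `aws sts get-caller-identity` you can see which of the two ARN shapes your kubectl credentials actually present.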