By adding the account to the mapAccounts section in the aws-auth config map you only get authentication. This means Kubernetes will assign your IAM user's ARN (something like arn:aws:iam::111111111111:user/myIAMUser) to the Kubernetes username, but you don't get any rights to do anything, not even listing pods.

Additionally you would have to create (Cluster)RoleBindings to give the rights to the user. For example, to give the previous user read-only access to all namespaces we create a ClusterRoleBinding containing the following:
```yaml
# This role binding allows the user to read in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: myIAMUser-readOnly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: arn:aws:iam::111111111111:user/myIAMUser
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
```
More information about the user-facing roles defined in Kubernetes can be found in the documentation.

Another possible solution would be to edit the mapUsers section in the aws-auth config map. I don't like this approach because you have to modify the aws-auth config map each time you want to add a user and you could, by mistake, modify other parts of the file or corrupt the contents. Also, adding or deleting role bindings is easier to automate than editing an existing file.

More information about the format of the aws-auth config map can be found here.
---UPDATE---
Instead of creating cluster role bindings for every user you can just make use of the system:authenticated group like this:
```yaml
# This role binding allows every authenticated user to read in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: authenticatedUsers-readOnly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
```
By the way, that cluster role binding can be created like this: kubectl create clusterrolebinding authenticatedUsers-readOnly --clusterrole=view --group=system:authenticated
You could even not touch the aws-auth config map at all (no need to modify the mapAccounts) and create a cluster role binding with read-only permissions for authenticated and unauthenticated users by issuing: kubectl create clusterrolebinding authenticatedUsers-readOnly --clusterrole=view --group=system:authenticated --group=system:unauthenticated
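The bindings above, and especially the last command, hand a ClusterRole to groups that every request is a member of, so it is worth being able to see at a glance which bindings do that. The following is an added example (not part of the answer above, and not an EKS or kubectl tool): it takes the JSON shape that `kubectl get clusterrolebindings -o json` emits, flags any ClusterRoleBinding whose subject is system:authenticated or system:unauthenticated, and also renders each binding back into the imperative `kubectl create clusterrolebinding` form the answer shows, so the declarative YAML and the one-liner can be compared. The sample JSON is constructed inline from the two bindings discussed in the answer; the function names and the severity labels are my own choices.

```python
"""Audit ClusterRoleBindings for grants to the built-in broad groups.

Added example, not code from the original answer. Input is the JSON that
`kubectl get clusterrolebindings -o json` prints; the sample below is constructed
to match the two bindings discussed in the answer.
"""
import json

# Constructed sample of `kubectl get clusterrolebindings -o json` output.
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "myIAMUser-readOnly"},
            "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                          "kind": "User",
                          "name": "arn:aws:iam::111111111111:user/myIAMUser"}],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "view"},
        },
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "authenticatedUsers-readOnly"},
            "subjects": [
                {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
                 "name": "system:authenticated"},
                {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
                 "name": "system:unauthenticated"},
            ],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "view"},
        },
    ],
})

# Every request falls into one of these groups, so a binding to them applies
# to everyone (anonymous callers included for system:unauthenticated).
BROAD_GROUPS = {
    "system:unauthenticated": "anonymous (unauthenticated) requests",
    "system:authenticated": "every authenticated identity, including all mapped IAM principals",
}


def load_bindings(kubectl_json):
    """Return the ClusterRoleBinding objects from a kubectl JSON list."""
    items = json.loads(kubectl_json).get("items", [])
    return [item for item in items if item.get("kind") == "ClusterRoleBinding"]


def audit_bindings(kubectl_json):
    """One finding per (binding, broad group) pair; empty list if nothing is broad."""
    findings = []
    for binding in load_bindings(kubectl_json):
        role = binding["roleRef"]["name"]
        for subject in binding.get("subjects") or []:
            if subject.get("kind") != "Group" or subject["name"] not in BROAD_GROUPS:
                continue
            findings.append({
                "binding": binding["metadata"]["name"],
                "group": subject["name"],
                "role": role,
                # Anonymous access is the more serious case (labels are my own).
                "severity": "high" if subject["name"] == "system:unauthenticated" else "medium",
                "reason": "ClusterRole '%s' granted to %s" % (role, BROAD_GROUPS[subject["name"]]),
            })
    return findings


def to_kubectl_command(binding):
    """Render a ClusterRoleBinding as the equivalent imperative kubectl command."""
    parts = ["kubectl create clusterrolebinding", binding["metadata"]["name"],
             "--clusterrole=" + binding["roleRef"]["name"]]
    flag_for_kind = {"User": "--user", "Group": "--group"}
    for subject in binding.get("subjects") or []:
        flag = flag_for_kind.get(subject.get("kind"))
        if flag is None:
            # ServiceAccount subjects are expressed as --serviceaccount=namespace:name
            parts.append("--serviceaccount=%s:%s" % (subject.get("namespace", "default"), subject["name"]))
        else:
            parts.append("%s=%s" % (flag, subject["name"]))
    return " ".join(parts)


if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_KUBECTL_JSON):
        print("[%s] %s: %s" % (finding["severity"], finding["binding"], finding["reason"]))
    for binding in load_bindings(SAMPLE_KUBECTL_JSON):
        print(to_kubectl_command(binding))
```

Against the sample, the user-scoped binding produces no finding, while authenticatedUsers-readOnly produces two, one per broad group. Piping real output into `audit_bindings` (for example after `kubectl get clusterrolebindings -o json > bindings.json`) lets you review such grants before applying them cluster-wide.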