# [[AWS k8s auth]]

IAM is only used for identity verification. Roles and permissions are managed via [k8s RBAC authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/). The IAM user that created the EKS cluster is granted `system:masters` permissions (in the cluster's RBAC config control plane). That IAM identity doesn't exist in any `ConfigMap`. Any other user you want to give access to needs to be added to the `aws-auth` `ConfigMap`. ^[[Managing users or IAM roles for your cluster - Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html)] ^[[Getting started with Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html)]

## `kubectl` and aws-cli

Authenticating to an EKS cluster to use `kubectl` assumes you can run [[AWS Auth | authenticated aws cli]] commands. Run `aws sts get-caller-identity` to verify you're authenticated in the current shell.

Running `aws eks --region <region-code> update-kubeconfig --name <cluster_name>` creates a `kubeconfig` for the `<cluster_name>` EKS cluster. This will update (or create) your `kubeconfig` file [^config] with a `user` defined to call the `aws eks get-token` command to get the appropriate credentials for the user currently authenticated in the shell.

The [[AWS Auth| active]] `AWS_PROFILE` name is captured in the `kubeconfig` when running the `aws eks update-kubeconfig` command. This means the cluster will be authenticated to with a consistent user (no need to have your shell set to the same profile), but renaming your aws profile will cause `aws eks get-token` to fail and you'll need to run `update-kubeconfig` again. ^[You can also manually create a `kubeconfig` that has the same information and calls either the newer `aws eks get-token` or the older, standalone `aws-iam-authenticator` cli.]
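The "renamed profile" failure mode above is easy to check for before `kubectl` starts erroring. The script below is an added example, not part of this note or of the AWS CLI: it reads the `AWS_PROFILE` that `update-kubeconfig` records in the `users[].user.exec.env` block of a kubeconfig and confirms a matching `[profile NAME]` (or `[default]`) section exists in the AWS CLI config. The file paths, account id, region, cluster and profile names are constructed placeholders; a real run would point it at `~/.kube/config` and `~/.aws/config`.

```shell
#!/bin/sh
# Added example (not from the original note or the AWS CLI): verify that the
# AWS_PROFILE baked into a kubeconfig by `aws eks update-kubeconfig` still
# exists in the AWS CLI config, since a renamed profile makes `aws eks get-token`
# fail. All sample files below are constructed; ids and names are placeholders.
set -u

# Print the AWS_PROFILE value of the first exec-based user in a kubeconfig.
# Relies on the `- name: AWS_PROFILE` / `value: ...` layout update-kubeconfig writes.
kubeconfig_profile() {
  awk '
    /^ *- *name: *AWS_PROFILE *$/ { want = 1; next }
    want && /^ *value:/ { sub(/^ *value: */, ""); print; exit }
  ' "$1"
}

# Exit 0 if the named profile is defined in the AWS CLI config file, 1 otherwise.
# The CLI names the default profile "[default]" and all others "[profile NAME]".
profile_exists() {
  profile=$1; awscfg=$2
  if [ "$profile" = default ]; then
    grep -qxF '[default]' "$awscfg"
  else
    grep -qxF "[profile $profile]" "$awscfg"
  fi
}

# Exit 0 if the kubeconfig's recorded profile is usable, 1 if it has gone missing.
check_kubeconfig_profile() {
  profile=$(kubeconfig_profile "$1")
  if [ -z "$profile" ]; then
    echo "no AWS_PROFILE in $1 (get-token will use the shell's current credentials)"
    return 0
  fi
  if profile_exists "$profile" "$2"; then
    echo "ok: profile '$profile' from $1 is defined in $2"
    return 0
  fi
  echo "profile '$profile' is in $1 but not in $2; rerun aws eks update-kubeconfig"
  return 1
}

# Constructed sample inputs (placeholder account, region, cluster and profiles).
TMP=$(mktemp -d)
KUBECFG=$TMP/kubeconfig
AWSCFG=$TMP/aws-config
cat > "$KUBECFG" <<'EOF'
apiVersion: v1
kind: Config
users:
- name: arn:aws:eks:us-east-1:111122223333:cluster/example-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - example-cluster
      env:
      - name: AWS_PROFILE
        value: old-profile
EOF
cat > "$AWSCFG" <<'EOF'
[default]
region = us-east-1

[profile new-profile]
sso_start_url = https://example.awsapps.com/start
EOF

# The profile was renamed old-profile -> new-profile: the check reports a mismatch.
check_kubeconfig_profile "$KUBECFG" "$AWSCFG" || true

# Simulate rerunning `aws eks update-kubeconfig` under the renamed profile.
sed 's/value: old-profile/value: new-profile/' "$KUBECFG" > "$KUBECFG.new"
check_kubeconfig_profile "$KUBECFG.new" "$AWSCFG"
```

The awk pattern is deliberately narrow: it only recognises the `env:` layout that `update-kubeconfig` emits, so a hand-written kubeconfig that sets the profile some other way (for example via `--profile` in `args`) reports "no AWS_PROFILE" rather than a false positive.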
[^config]: a `yaml` file at `~/.kube/config` that contains a `kind: Config` with sections defining
    - `clusters` (the cluster api server url and identity cert)
    - `users` (how to authenticate as a specific identity)
    - `context` (mapping a `cluster` to a `user`)

### Refresh an aws sso session

If you see a message like the following, your SSO session credentials have expired.

```
> kubectl get svc
The SSO session associated with this profile has expired or is otherwise invalid. To refresh this SSO session run aws sso login with the corresponding profile.
...
```

To refresh your credentials run

```
aws sso login --profile <PROFILE_NAME>
kubectl get
```

## References

- [Cluster authentication - Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/managing-auth.html) user guide.
- `kubeconfig` [Configure Access to Multiple Clusters | Kubernetes](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)

---

- Links: [[AWS]] [[Kubernetes|k8s]]
- Created at: [[2021-04-02]]