Add Cluster Admins

AWS EKS automatically grants system:masters permissions to the IAM user or role that created the cluster; this implicit mapping is not listed anywhere in the cluster, including the aws-auth ConfigMap. To grant additional IAM users or roles access to manage the cluster, edit the aws-auth ConfigMap in the kube-system namespace, which the aws-iam-authenticator reads to map IAM identities to Kubernetes usernames and groups.

The following instructions add IAM users with system:masters permissions. Note that system:masters is bound to the cluster-admin ClusterRole: members have unrestricted access to every resource in every namespace, and no RBAC rule can limit them.

🚧

For production applications, use fine-grained role-based permissions: map each user or role to a dedicated group and bind that group to a narrowly scoped Role or ClusterRole instead of system:masters. For more information about adding roles and users to your EKS cluster, see the AWS EKS add-user-role documentation.

Add Additional Users with system:masters Permissions

Use the IAM user or role that created the cluster (or another identity already mapped to system:masters) to make these changes to the aws-auth ConfigMap within Kubernetes. Be careful: the API server only checks that the object is valid YAML, not that the mapRoles and mapUsers contents are correct. A malformed mapping can break authentication for every mapped identity, including the node role, leaving only the cluster creator able to reach the cluster.

Use the following command to view the current config map, and keep a copy of the output so you can restore it if an edit goes wrong:

kubectl describe configmap -n kube-system aws-auth

Use the following command to edit the config map:

kubectl edit -n kube-system configmap/aws-auth

This will open the config map in your default editor. It should look something like the following:

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::11222344566:role/eksctl-my-special-cluster-nodegroup-NodeInstanceRole-A1234567
      username: system:node:{{EC2PrivateDNSName}}
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-27T12:48:43Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1292877"
  uid: 1111-2222-3333-4444-5555

To add users, add a mapUsers key under data, at the same indentation level as mapRoles (a sibling of it, not nested inside it). Each entry needs the user's Amazon Resource Name (ARN), the Kubernetes username the IAM identity will be mapped to (this is the name that appears in audit logs; the examples below reuse the IAM user name), and the list of groups. The ARN must be an IAM user ARN of the form arn:aws:iam::<account-id>:user/<name>; IAM roles are mapped in mapRoles with a rolearn key instead, and a role ARN placed in mapUsers will simply never match:

mapUsers: |
   -  userarn: arn:aws:iam::11122223333444:user/[email protected]
      username: [email protected]
      groups:
      - system:masters
   -  userarn: arn:aws:iam::111222233334448:user/[email protected]
      username: [email protected]
      groups:
      - system:masters

After adding users, your aws-auth ConfigMap will look something like the following:

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::11222344566:role/eksctl-my-special-cluster-nodegroup-NodeInstanceRole-A1234567
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
   -  userarn: arn:aws:iam::11122223333444:user/[email protected]
      username: [email protected]
      groups:
      - system:masters
   -  userarn: arn:aws:iam::111222233334448:user/[email protected]
      username: [email protected]
      groups:
      - system:masters
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-27T12:48:43Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1292877"
  uid: 1111-2222-3333-4444-5555

Save and close the editor to persist the changes. The edit takes effect immediately (no restart is required), and the newly added users can now authenticate with their own IAM credentials and act as cluster administrators. Verify the mapping by running kubectl as one of the new users, for example kubectl auth can-i with their credentials, rather than as the cluster creator, whose access does not depend on the ConfigMap. Because each mapUsers entry with system:masters is a full cluster administrator, review this list periodically and remove users who no longer need it.
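Editing aws-auth by hand is error-prone, and the consequences of a bad edit (described above) are severe. The following script, an added example rather than code from the original page or from AWS, automates the procedure above: it reads the current mapUsers text, appends an entry with system:masters for each IAM user ARN given, refuses role ARNs and malformed account IDs, skips ARNs that are already mapped so it can be re-run safely, and emits a JSON merge patch for kubectl patch so that mapRoles and the rest of the object are never touched. It parses only the flat mapUsers layout shown above, so it does not depend on PyYAML; the Kubernetes username defaults to the IAM user name after user/, and the sample ConfigMap content and ARNs are constructed placeholders.

```python
"""Build a kubectl merge patch that adds IAM users to aws-auth's mapUsers
with system:masters, without clobbering entries that are already there.

Added example, not code from the original page or from AWS. It understands
only the flat mapUsers layout (userarn / username / groups) that kubectl
shows, so it does not need PyYAML; anything else in the block is rejected
rather than silently rewritten. Sample content and ARNs are constructed.
"""
import json
import re

# IAM *user* ARN: 12-digit account ID and a "user/" resource. Role ARNs belong
# in mapRoles under rolearn, so they are rejected here.
USER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@/-]+$")

# Constructed stand-in for:
#   kubectl get cm aws-auth -n kube-system -o jsonpath='{.data.mapUsers}'
SAMPLE_MAP_USERS = """\
- userarn: arn:aws:iam::111122223333:user/alice
  username: alice
  groups:
  - system:masters
"""


def parse_map_users(text):
    """Parse the mapUsers block scalar into [{"userarn", "username", "groups"}]."""
    entries, current, in_groups = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            body = line[2:].strip()
            # "- system:masters" is a group item; "- userarn: ..." or "- groups:"
            # (a "key: value" or a bare "key:") starts a new entry.
            if in_groups and ": " not in body and not body.endswith(":"):
                current["groups"].append(body)
                continue
            current = {"userarn": "", "username": "", "groups": []}
            entries.append(current)
            in_groups = False
            line = body
        if current is None:
            raise ValueError(f"mapUsers line outside a list item: {raw!r}")
        key, _, value = line.partition(":")  # split on the FIRST colon only
        key, value = key.strip(), value.strip()
        if key == "groups":
            in_groups = True
            if value:  # flow form, e.g. "groups: [system:masters]"
                current["groups"] = [g.strip() for g in value.strip("[]").split(",") if g.strip()]
        elif key in ("userarn", "username"):
            in_groups = False
            current[key] = value
        else:
            raise ValueError(f"unexpected mapUsers line: {raw!r}")
    return entries


def render_map_users(entries):
    """Serialise entries back to the layout kubectl shows (2-space indent)."""
    lines = []
    for e in entries:
        lines += [f"- userarn: {e['userarn']}", f"  username: {e['username']}", "  groups:"]
        lines += [f"  - {g}" for g in e["groups"]]
    return "".join(line + "\n" for line in lines)


def add_cluster_admins(map_users_text, user_arns):
    """Return updated mapUsers text mapping each ARN to system:masters.

    Existing entries are kept verbatim and an ARN that is already mapped is
    skipped rather than duplicated, so the function is idempotent. The
    Kubernetes username is assumed to be the IAM user name (after "user/").
    """
    entries = parse_map_users(map_users_text)
    known = {e["userarn"] for e in entries}
    for arn in user_arns:
        if not USER_ARN_RE.match(arn):
            raise ValueError(f"not an IAM user ARN (roles go in mapRoles): {arn}")
        if arn in known:
            continue
        entries.append({"userarn": arn, "username": arn.rsplit("/", 1)[1], "groups": ["system:masters"]})
        known.add(arn)
    return render_map_users(entries)


def merge_patch(map_users_text):
    """JSON merge patch replacing only data.mapUsers; mapRoles is untouched."""
    return json.dumps({"data": {"mapUsers": map_users_text}})


if __name__ == "__main__":
    import sys
    # Usage: kubectl get cm aws-auth -n kube-system -o jsonpath='{.data.mapUsers}' \
    #          | python3 add_admins.py arn:aws:iam::111122223333:user/bob
    current = SAMPLE_MAP_USERS if sys.stdin.isatty() else sys.stdin.read()
    print(merge_patch(add_cluster_admins(current, sys.argv[1:])))
```

Apply the printed patch with kubectl patch configmap aws-auth -n kube-system --type merge -p "$(...)" using the cluster creator's credentials, trying it first with --dry-run=server -o yaml to inspect the resulting object. The script deliberately fails closed: an unexpected line in the existing mapUsers block raises rather than being dropped, so a ConfigMap that already contains something this parser does not understand is left for a human to edit by hand.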