Adding EKS Cluster Admins

When creating a cluster within AWS EKS, the IAM user or role that created the cluster is automatically granted system:masters permissions in the cluster's RBAC (role-based access control). To grant additional users or roles access to manage the cluster, you will need to edit the aws-auth ConfigMap within Kubernetes.

More Information: A full description of how to add roles/users to your EKS cluster can be found in the AWS documentation, EKS add-user-role.

To get you started, the following instructions add users with system:masters permissions. Note that it is advised to use role-based permissions in production contexts.

The user/role that created the cluster will need to make the changes to the aws-auth ConfigMap within Kubernetes.

To see the current ConfigMap, use the following command:

kubectl describe configmap -n kube-system aws-auth

To edit the ConfigMap:

kubectl edit -n kube-system configmap/aws-auth

This will open an editor that is similar to the following:

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::11222344566:role/eksctl-my-special-cluster-nodegroup-NodeInstanceRole-A1234567
      username: system:node:{{EC2PrivateDNSName}}
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-27T12:48:43Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1292877"
  uid: 1111-2222-3333-4444-5555

To add users, add the following mapUsers section beneath mapRoles, at the same indentation level. You will need the ARN and username for each user you wish to add.

  mapUsers: |
    - userarn: arn:aws:iam::11122223333444:user/[email protected]
      username: [email protected]
      groups:
      - system:masters
    - userarn: arn:aws:iam::111222233334448:user/[email protected]
      username: [email protected]
      groups:
      - system:masters

Once added, your aws-auth ConfigMap will look similar to the following:

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::11222344566:role/eksctl-my-special-cluster-nodegroup-NodeInstanceRole-A1234567
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - userarn: arn:aws:iam::11122223333444:user/[email protected]
      username: [email protected]
      groups:
      - system:masters
    - userarn: arn:aws:iam::111222233334448:user/[email protected]
      username: [email protected]
      groups:
      - system:masters
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-27T12:48:43Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1292877"
  uid: 1111-2222-3333-4444-5555

Saving and closing the editor applies the change to your cluster and grants the additional users access.
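As an added example (not code from the page or from the AWS documentation), here is a small Python audit of the mapUsers block text, of the kind you can run on the output of `kubectl get configmap aws-auth -n kube-system -o jsonpath='{.data.mapUsers}'`: it flags misspelt keys such as usearn (an unrecognised key leaves the entry without an ARN, so it can never match a caller), checks ARN format, and lists every principal mapped into system:masters. The sample input, the user names and the account ID 111122223333 are constructed, and the parser handles only the simple list-of-mappings shape aws-auth uses, not general YAML.

```python
"""Audit an EKS aws-auth mapUsers/mapRoles block: flag misspelt keys, entries with
no ARN, malformed ARNs, and list every principal mapped to system:masters.
Added example; the parser handles only aws-auth's list-of-mappings shape."""
import re

KNOWN_KEYS = {"userarn", "rolearn", "username", "groups"}
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/[\w+=,.@/-]+$")

# Constructed sample: the second entry carries the usearn key typo.
# Real input: kubectl get cm aws-auth -n kube-system -o jsonpath='{.data.mapUsers}'
SAMPLE_MAP_USERS = """\
- userarn: arn:aws:iam::111122223333:user/alice
  username: alice
  groups:
  - system:masters
- usearn: arn:aws:iam::111122223333:user/bob
  username: bob
  groups:
  - system:masters
"""

def parse_entries(block: str) -> list:
    """Turn the block-scalar text into a list of dicts (groups become lists)."""
    entries, current = [], None
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- "):
            line = line[2:].lstrip()
            if ": " not in line and not line.endswith(":"):
                current.setdefault("groups", []).append(line)  # item under groups:
                continue
            current = {}                      # "- key: value" starts a new entry
            entries.append(current)
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip() or []   # empty value opens a list
    return entries

def audit(block: str) -> dict:
    """Return findings; 'admins' lists the principals holding cluster-admin."""
    f = {"unknown_keys": [], "missing_arn": [], "bad_arn": [], "admins": []}
    for i, e in enumerate(parse_entries(block)):
        f["unknown_keys"] += [(i, k) for k in e if k not in KNOWN_KEYS]
        arn = e.get("userarn") or e.get("rolearn")
        if arn is None:
            f["missing_arn"].append(i)        # entry can never match a caller
        elif not ARN_RE.match(arn):
            f["bad_arn"].append((i, arn))
        if "system:masters" in e.get("groups", []):
            f["admins"].append(arn or "<entry %d: no ARN>" % i)
    return f
```

Run the same audit over the mapRoles block to see which IAM roles, not just users, are mapped into system:masters.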

For additional information, see the AWS documentation, EKS add-user-role.