Add Cluster Admins
AWS EKS automatically grants system:masters permissions to the IAM user or role that created the cluster. To grant additional users or roles access to manage the cluster, edit the aws-auth Kubernetes ConfigMap.
The following instructions add additional users with system:masters permissions.
For production applications, use fine-grained role-based permissions. For more information about adding roles and users to your EKS cluster, see the AWS EKS add-user-role documentation.
Add Additional Users with system:masters Permissions
Use the IAM user or role that created the cluster to make these changes to the aws-auth ConfigMap within Kubernetes.
Use the following command to view the current config map:
kubectl describe configmap -n kube-system aws-auth
Use the following command to edit the config map:
kubectl edit -n kube-system configmap/aws-auth
This will open the config map in your default editor. It should look something like the following:
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::11222344566:role/eksctl-my-special-cluster-nodegroup-NodeInstanceRole-A1234567
      username: system:node:{{EC2PrivateDNSName}}
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-27T12:48:43Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1292877"
  uid: 1111-2222-3333-4444-5555
To add users, add the following section under the mapRoles key. You will need the Amazon Resource Name (ARN) and username for each user you wish to add:
  mapUsers: |
    - userarn: arn:aws:iam::11122223333444:user/[email protected]
      username: [email protected]
      groups:
      - system:masters
    - userarn: arn:aws:iam::111222233334448:user/[email protected]
      username: [email protected]
      groups:
      - system:masters
After adding users, your aws-auth ConfigMap will look something like the following:
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::11222344566:role/eksctl-my-special-cluster-nodegroup-NodeInstanceRole-A1234567
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - userarn: arn:aws:iam::11122223333444:user/[email protected]
      username: [email protected]
      groups:
      - system:masters
    - userarn: arn:aws:iam::111222233334448:user/[email protected]
      username: [email protected]
      groups:
      - system:masters
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-27T12:48:43Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1292877"
  uid: 1111-2222-3333-4444-5555
Save and close the editor to persist the changes. The newly added users now have access to your cluster.
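Because every entry in system:masters is a full cluster administrator, it is worth confirming exactly which principals the edited ConfigMap grants that group to. The following audit script is an added example, not part of this page's documentation; it assumes PyYAML is installed and that the ConfigMap has been saved to a file with kubectl get configmap -n kube-system aws-auth -o yaml. It parses both mapRoles and mapUsers, lists every principal mapped into system:masters, and flags entries whose ARN is malformed (an ARN with the wrong account-ID length or a missing username cannot match the intended principal, so the mapping silently does nothing):

```python
import re
import yaml  # PyYAML; assumed installed (pip install pyyaml)

# Constructed sample in the shape of the edited aws-auth ConfigMap shown above;
# account ID 111122223333 and the principal names are placeholders, not real principals.
SAMPLE_AWS_AUTH = """\
apiVersion: v1
kind: ConfigMap
metadata: {name: aws-auth, namespace: kube-system}
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-NodeInstanceRole-EXAMPLE
      username: system:node:{{EC2PrivateDNSName}}
      groups: [system:bootstrappers, system:nodes]
    - rolearn: arn:aws:iam::111122223333:role/ClusterAdminRole
      username: cluster-admin
      groups: [system:masters]
  mapUsers: |
    - userarn: arn:aws:iam::111122223333:user/alice
      username: alice
      groups: [system:masters]
    - userarn: arn:aws:iam::111122223333:user/bob
      username: bob
      groups: [developers]
    - userarn: arn:aws:iam::1234:user/typo   # account ID is not 12 digits
      username: typo
      groups: [system:masters]
"""

# IAM user/role ARN: 12-digit account ID, then user/ or role/ and a name (paths allowed).
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/[\w+=,.@/-]+$")


def audit_aws_auth(aws_auth_yaml: str) -> dict:
    """Report every principal mapped into system:masters and every malformed entry."""
    cm = yaml.safe_load(aws_auth_yaml) or {}
    data = cm.get("data") or {}
    admins, problems = [], []
    for key, arn_field in (("mapRoles", "rolearn"), ("mapUsers", "userarn")):
        # mapRoles/mapUsers values are YAML documents nested inside block scalars
        for entry in yaml.safe_load(data.get(key) or "") or []:
            arn = str(entry.get(arn_field, ""))
            if not ARN_RE.match(arn):
                problems.append(f"{key}: malformed or missing {arn_field}: {arn!r}")
            if not entry.get("username"):
                problems.append(f"{key}: missing username for {arn!r}")
            if "system:masters" in (entry.get("groups") or []):
                admins.append((key, arn, entry.get("username")))
    return {"admins": admins, "problems": problems}


if __name__ == "__main__":
    print(audit_aws_auth(SAMPLE_AWS_AUTH))
```

Run it against the real ConfigMap periodically (or in CI for the repository that owns aws-auth) so that an unexpected system:masters entry shows up as a diff rather than going unnoticed.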