Admin Configuration
AWS EKS automatically grants system:masters permissions to the IAM user or role that created the cluster. To grant additional users or roles access to manage the cluster, edit the aws-auth Kubernetes ConfigMap.
The following instructions add additional users with system:masters permissions.
Add Additional Users with system:masters Permissions
Use the IAM user or role that created the cluster to make these changes to the aws-auth ConfigMap within Kubernetes.
Use the following command to view the current config map:
| kubectl describe configmap -n kube-system aws-auth
|
Use the following command to edit the config map:
| kubectl edit -n kube-system configmap/aws-auth
|
This will open the config map in your default editor. It should look something like the following:
| # Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::11222344566:role/eksctl-my-special-cluster-nodegroup-NodeInstanceRole-A1234567
      username: system:node:{{EC2PrivateDNSName}}
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-27T12:48:43Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1292877"
  uid: 1111-2222-3333-4444-5555
|
To add users, add a mapUsers section beside the mapRoles key (both are children of data:). You will need the Amazon Resource Name (ARN) and a username for each user you wish to add:
| mapUsers: |
  - userarn: arn:aws:iam::11122223333444:user/myuser@mysite.com
    username: myuser@mysite.com
    groups:
    - system:masters
  - userarn: arn:aws:iam::111222233334448:user/anotheruser@mysite.com
    username: anotheruser@mysite.com
    groups:
    - system:masters
|
After adding users, your aws-auth ConfigMap will look something like the following:
| # Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::11222344566:role/eksctl-my-special-cluster-nodegroup-NodeInstanceRole-A1234567
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - userarn: arn:aws:iam::11122223333444:user/myuser@mysite.com
      username: myuser@mysite.com
      groups:
      - system:masters
    - userarn: arn:aws:iam::111222233334448:user/anotheruser@mysite.com
      username: anotheruser@mysite.com
      groups:
      - system:masters
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-27T12:48:43Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1292877"
  uid: 1111-2222-3333-4444-5555
|
Save and close the editor to persist the changes. The newly added users now have access to your cluster.
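Because every principal in system:masters is effectively cluster-admin, it is worth verifying after an edit that only the intended ARNs hold that group. The following Python is an added example, not part of the original instructions: it parses the mapRoles and mapUsers block scalars from aws-auth and lists every principal mapped into system:masters. The sample blocks are constructed from the page's placeholder ARNs, and the small parser only handles the flat entry shape aws-auth uses, so it needs no PyYAML.

```python
# Added audit example (not part of the original instructions): list every
# principal that aws-auth maps into system:masters. Sample blocks are constructed
# from the page's placeholder ARNs.
SAMPLE_MAP_ROLES = """\
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::11222344566:role/eksctl-my-special-cluster-nodegroup-NodeInstanceRole-A1234567
  username: system:node:{{EC2PrivateDNSName}}
"""
SAMPLE_MAP_USERS = """\
- userarn: arn:aws:iam::11122223333444:user/myuser@mysite.com
  username: myuser@mysite.com
  groups:
  - system:masters
- userarn: arn:aws:iam::111222233334448:user/anotheruser@mysite.com
  username: anotheruser@mysite.com
  groups:
  - system:masters
"""

def parse_mappings(block):
    """Parse a mapRoles/mapUsers block into [{"arn", "username", "groups"}].
    Covers aws-auth's flat entry shape without PyYAML: an unindented "- "
    starts an entry, an indented "- " is a group name."""
    entries, current = [], None
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- ") and not raw[0].isspace():
            current = {"arn": None, "username": None, "groups": []}
            entries.append(current)
            line = line[2:]                   # "- key: value" also carries a key
        if line.startswith("- "):             # indented list item: a group name
            current["groups"].append(line[2:].strip())
            continue
        key, _, value = line.partition(":")   # split on the first colon only
        key, value = key.strip(), value.strip().strip("'\"")
        if key in ("userarn", "rolearn"):
            current["arn"] = value
        elif key == "username":
            current["username"] = value
    return entries

def cluster_admins(map_roles, map_users):
    """Return, in file order, the ARNs of every principal in system:masters."""
    mappings = parse_mappings(map_roles) + parse_mappings(map_users)
    return [m["arn"] for m in mappings if "system:masters" in m["groups"]]
```

Against a live cluster, feed it the output of `kubectl get -n kube-system configmap/aws-auth -o jsonpath='{.data.mapRoles}'` and `-o jsonpath='{.data.mapUsers}'`; the node instance role from mapRoles is parsed but not reported, since it holds only system:bootstrappers and system:nodes.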