
Admin Configuration

AWS EKS automatically grants system:masters permissions (the equivalent of cluster-admin) to the IAM user or role that created the cluster. That creator identity is hard-coded by EKS and does not appear anywhere in the cluster. To grant additional IAM users or roles access to manage the cluster, edit the aws-auth ConfigMap in the kube-system namespace, which maps IAM identities to Kubernetes usernames and groups. This applies to clusters that authenticate through the ConfigMap; clusters configured to use EKS access entries manage the same mapping through the EKS API instead.

The following instructions add additional users with system:masters permissions. Members of system:masters bypass RBAC entirely and can read, change, or delete anything in the cluster, including this ConfigMap.

Use fine-grained permissions for production applications

For production clusters, map users to a dedicated group and bind that group to the narrowest Role or ClusterRole that covers their job instead of system:masters. For more information on managing roles and users in your EKS cluster, see Amazon EKS Grant IAM users and roles access to Kubernetes APIs.

Add Additional Users with system:masters Permissions

Use the IAM user or role that created the cluster to make these changes to the aws-auth ConfigMap within Kubernetes.

Use the following command to view the current config map:

kubectl describe configmap -n kube-system aws-auth

Use the following command to edit the config map:

kubectl edit -n kube-system configmap/aws-auth

This opens the ConfigMap in the editor named by KUBE_EDITOR (or EDITOR). It should look something like the following:

## Please edit the object below. Lines beginning with a '#' will be ignored,
## and an empty file will abort the edit. If an error occurs while saving this file will be
## reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::11222344566:role/eksctl-my-special-cluster-nodegroup-NodeInstanceRole-A1234567
      username: system:node:{{EC2PrivateDNSName}}
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-27T12:48:43Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1292877"
  uid: 1111-2222-3333-4444-5555

To add users, add a mapUsers key next to mapRoles under data. You will need the Amazon Resource Name (ARN) of each IAM user (the account ID in it is the 12-digit AWS account number) and the Kubernetes username you want that user to have. The username is what appears in audit logs and RBAC bindings and does not have to match the IAM user name. To map an IAM role instead, add an equivalent entry under mapRoles with rolearn in place of userarn, using the role's own ARN rather than the assumed-role ARN of a session.

  mapUsers: |
    - userarn: arn:aws:iam::11122223333444:user/myuser@mysite.com
      username: myuser@mysite.com
      groups:
      - system:masters
    - userarn: arn:aws:iam::111222233334448:user/anotheruser@mysite.com
      username: anotheruser@mysite.com
      groups:
      - system:masters

After adding users, your aws-auth ConfigMap will look something like the following:

## Please edit the object below. Lines beginning with a '#' will be ignored,
## and an empty file will abort the edit. If an error occurs while saving this file will be
## reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::11222344566:role/eksctl-my-special-cluster-nodegroup-NodeInstanceRole-A1234567
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - userarn: arn:aws:iam::11122223333444:user/myuser@mysite.com
      username: myuser@mysite.com
      groups:
      - system:masters
    - userarn: arn:aws:iam::111222233334448:user/anotheruser@mysite.com
      username: anotheruser@mysite.com
      groups:
      - system:masters
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-27T12:48:43Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1292877"
  uid: 1111-2222-3333-4444-5555

Save and close the editor to persist the changes. kubectl checks that the ConfigMap itself is valid YAML, but not the contents of the mapUsers string: a malformed entry there breaks authentication for every identity mapped through the ConfigMap, while the creator identity keeps working because it does not depend on the ConfigMap. Keep the creator credentials at hand until you have confirmed the new mapping works. Each newly added user can then run aws eks update-kubeconfig --name <cluster-name> with their own IAM credentials and confirm access with kubectl auth can-i '*' '*', which answers yes for a member of system:masters. The same mapping can be created without an interactive editor with eksctl create iamidentitymapping.
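The procedure above is interactive and assumes no mapUsers key exists yet; a second person following it on a cluster that already has one would either duplicate the key or have to hand-merge entries in the editor. The script below is an added example, not code from the original page or from AWS: it appends one user to the live mapUsers block non-interactively, rejects ARNs that are not well-formed IAM user ARNs (including a wrong-length account ID), refuses to map an ARN twice, copies the indentation of whatever entries already exist so the authenticator can still parse the block, and sends a merge patch so mapRoles is left untouched. It assumes kubectl already targets the cluster as the creator identity; the 111122223333 account ID and the user names are placeholders, and the input in the offline demonstration is constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: append a user to the
# aws-auth mapUsers block non-interactively, refusing malformed ARNs and
# duplicates, and keep the indentation of whatever entries already exist.
# Assumptions: kubectl already targets the cluster as the creator identity;
# the 111122223333 account id and the user names below are placeholders.
set -euo pipefail

# IAM user ARN: partition, 12-digit account id, and a user path/name.
valid_user_arn() {
  printf '%s\n' "$1" | grep -Eq '^arn:aws(-[a-z]+)*:iam::[0-9]{12}:user/[^[:space:]]+$'
}

# Render one mapUsers list item. DASH_PREFIX is the whitespace before the
# dash and GAP the whitespace after it; later keys align with "userarn".
# Usage: render_map_user DASH_PREFIX GAP ARN USERNAME GROUP...
render_map_user() {
  local dash_prefix=$1 gap=$2 arn=$3 username=$4
  shift 4
  local key_prefix="${dash_prefix} ${gap}"
  printf '%s-%suserarn: %s\n' "$dash_prefix" "$gap" "$arn"
  printf '%susername: %s\n%sgroups:\n' "$key_prefix" "$username" "$key_prefix"
  local group
  for group in "$@"; do
    printf '%s- %s\n' "$key_prefix" "$group"
  done
}

# Read the current mapUsers block on stdin, append one item, print the
# merged block. Exit 1 on a malformed ARN, 2 if the ARN is already mapped.
# Usage: append_map_user ARN USERNAME GROUP... < current.yaml
append_map_user() {
  local arn=$1 username=$2
  shift 2
  local current
  current=$(cat)
  if ! valid_user_arn "$arn"; then
    echo "append_map_user: not an IAM user ARN: $arn" >&2
    return 1
  fi
  # Normalise "  -  userarn: X" to "userarn: X" and compare whole lines, so a
  # shorter ARN is never matched as a substring of a longer one.
  if printf '%s\n' "$current" | sed -E 's/^[[:space:]]*-?[[:space:]]*//' \
      | grep -Fx -- "userarn: $arn" >/dev/null; then
    echo "append_map_user: already mapped: $arn" >&2
    return 2
  fi
  # Copy the indentation of the first existing item; default to "- key".
  local dash_prefix='' gap=' ' first=''
  first=$(printf '%s\n' "$current" | grep -E '^[[:space:]]*-[[:space:]]+[A-Za-z]' | sed -n 1p) || true
  if [ -n "$first" ]; then
    dash_prefix=${first%%-*}
    gap=$(printf '%s\n' "$first" | sed -E 's/^[[:space:]]*-([[:space:]]+).*/\1/')
  fi
  [ -z "$current" ] || printf '%s\n' "$current"
  render_map_user "$dash_prefix" "$gap" "$arn" "$username" "$@"
}

# Merge into the live ConfigMap: fetch data.mapUsers, append, and send a
# merge patch so mapRoles and any other keys are left untouched.
# Usage: add_cluster_user ARN USERNAME GROUP...
add_cluster_user() {
  local merged
  merged=$(kubectl get configmap aws-auth -n kube-system -o jsonpath='{.data.mapUsers}' \
    | append_map_user "$@")
  kubectl patch configmap aws-auth -n kube-system --type merge \
    --patch "$(printf 'data:\n  mapUsers: |\n%s\n' "$(printf '%s\n' "$merged" | sed 's/^/    /')")"
}

if [ "${1:-}" = "add" ]; then
  shift
  add_cluster_user "$@"   # e.g. ./aws-auth-add.sh add ARN USERNAME system:masters
else
  # Offline demonstration on a constructed block (no cluster needed): the
  # appended item copies the 3-space/2-space indentation of the existing one.
  printf '   -  userarn: arn:aws:iam::111122223333:user/myuser@mysite.com\n      username: myuser@mysite.com\n      groups:\n      - system:masters\n' \
    | append_map_user 'arn:aws:iam::111122223333:user/anotheruser@mysite.com' anotheruser@mysite.com system:masters
fi
```

Run it with no arguments to see the merged block printed for the constructed input; run it as `add ARN USERNAME GROUP...` to patch the cluster. Because the patch replaces the whole mapUsers string, the script always starts from the live value rather than a copy saved earlier, which is what protects against clobbering an entry someone else added in the meantime.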