Starting from a ~empty AWS account, I am trying to follow https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html
So that meant I created a VPS stack, then installed aws-iam-authenticator, awscli and kubectl, then created an IAM user with Programmatic access and AmazonEKSAdminPolicy directly attached.
Then I used the website to create my EKS cluster and used aws configure
to set the access key and secret of my IAM user.
aws eks update-kubeconfig --name wr-eks-cluster
worked fine, but:
kubectl get svc
error: the server doesn't have a resource type "svc"
I continued anyway, creating my worker nodes stack, and now I'm at a dead-end with:
kubectl apply -f aws-auth-cm.yaml
error: You must be logged in to the server (the server has asked for the client to provide credentials)
aws-iam-authenticator token -i <my cluster name>
seems to work fine.
The thing I seem to be missing is that when you create the cluster you specify an IAM role, but when you create the user (according to the guide) you attach a policy. How is my user supposed to have access to this cluster?
Or ultimately, how do I proceed and gain access to my cluster using kubectl?
Short description. After you create your Amazon EKS cluster, you must configure your kubeconfig file with the AWS Command Line Interface (AWS CLI). This configuration allows you to connect to your cluster using the kubectl command line.
Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters . Choose the name of the cluster to display your cluster information. Choose the Networking tab and choose Update. For Private access, choose whether to enable or disable private access for your cluster's Kubernetes API server endpoint.
system:master
permissions, and it's enough to get kubectl
working. You need to use this user credentials (AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
) to access the cluster. In case you didn't create a specific IAM user to create a cluster, then you probably created it using root AWS account. In this case, you can use root user credentials (Creating Access Keys for the Root User).aws-auth
ConfigMap in your cluster – it contains IAM entities -> kubernetes ServiceAccount mapping.I'm not sure about how do you pass credentials for the aws-iam-authenticator
:
~/.aws/credentials
with aws_profile_of_eks_iam_creator
then you can try $ AWS_PROFILE=aws_profile_of_eks_iam_creator kubectl get all --all-namespaces
$ AWS_ACCESS_KEY_ID=XXX AWS_SECRET_ACCESS_KEY=YYY AWS_DEFAULT_REGION=your-region-1 kubectl get all --all-namespaces
Both of them should work, because kubectl ...
will use generated ~/.kube/config
that contains aws-iam-authenticator token -i cluster_name
command. aws-iam-authenticator
uses environment variables or ~/.aws/credentials
to give you a token.
Also, this answer may be useful for the understanding of the first EKS user creation.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With