How to Grant Cluster Access

You can access your cluster using AWS IAM users or roles in the dashboard. When you create an EKS cluster, the IAM entity that creates it is automatically granted system:masters permissions in the cluster's role-based access control (RBAC) configuration in the control plane, as discussed on the IAM Policies page. To grant access below the administrative level, see the sections below.

Amazon EKS cluster IAM user or role access

Access to your cluster can be granted at various levels. To determine which credentials kubectl is using to access your cluster, use the following command. Replace ~/.kube/config with the path to your kubeconfig file if you don't use the default path.

cat ~/.kube/config

The example output is as follows:

...
contexts:
- context:
    cluster: my-cluster.region-code.eksctl.io
    user: admin@my-cluster.region-code.eksctl.io
  name: admin@my-cluster.region-code.eksctl.io
current-context: admin@my-cluster.region-code.eksctl.io
...

In the previous example, the credentials for a user named admin are configured for a cluster named my-cluster. If this is the user that created the cluster, it already has access to your cluster. If it is not, then you may want to enable cluster access for other users. You can see which other roles or users currently have access to your cluster with the following command:

kubectl describe -n kube-system configmap/aws-auth

The example output is as follows.

Name:         aws-auth
Namespace:    kube-system
Labels:       <none>
Annotations:  <none>

Data
====
mapRoles:
----
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::111122223333:role/my-node-role
  username: system:node:{{EC2PrivateDNSName}}


BinaryData
====

Events:  <none>
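
To review the mappings shown above for administrative grants, the following added example (not part of the original page or of AWS tooling) lists the IAM ARNs that aws-auth maps to system:masters or to another group you name. The helper name find_group_members and the example-admin-role and example-viewer-role entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list IAM ARNs that aws-auth maps to a Kubernetes group.
# Reads the block-style YAML list stored in mapRoles or mapUsers on stdin;
# flow-style YAML (groups: [a, b]) is not handled.
# find_group_members is a hypothetical helper name, not a kubectl feature.
find_group_members() {
  awk -v want="${1:-system:masters}" '
    function flush() {            # emit the finished entry if it matched
      if (arn != "" && hit) print arn
      arn = ""; hit = 0
    }
    /^-[ \t]/ { flush(); sub(/^-/, " ") }   # a new top-level entry starts
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)           # drop trailing comments
    }
    line ~ /^[ \t]+(rolearn|userarn):/ {
      sub(/^[ \t]+(rolearn|userarn):[ \t]*/, "", line)
      gsub(/["'\'']|[ \t]+$/, "", line)
      arn = line; next
    }
    line ~ /^[ \t]+-[ \t]/ {                # one item of the groups list
      sub(/^[ \t]+-[ \t]*/, "", line)
      gsub(/["'\'']|[ \t]+$/, "", line)
      if (line == want) hit = 1
    }
    END { flush() }
  '
}

# Constructed sample: the node role from the output above plus two made-up
# role mappings (example-admin-role, example-viewer-role).
sample_map_roles() {
  cat <<'EOF'
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::111122223333:role/my-node-role
  username: system:node:{{EC2PrivateDNSName}}
- rolearn: arn:aws:iam::111122223333:role/example-admin-role
  username: example-admin
  groups:
  - system:masters
- rolearn: arn:aws:iam::111122223333:role/example-viewer-role
  username: example-viewer
  groups:
  - example-viewers
EOF
}

# Live use (needs cluster access):
#   kubectl get configmap aws-auth -n kube-system -o jsonpath='{.data.mapRoles}' | find_group_members
sample_map_roles | find_group_members
```

Any ARN this prints besides the cluster creator's own identity holds full administrative rights in the cluster and is worth confirming against your intended access list.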

For further instructions on changing or assigning the Roles or ClusterRoles to which you can map IAM users or roles, see Enabling IAM access to your cluster in the Amazon EKS documentation.