Grant Cluster Access
How to Grant EKS Cluster Access
You can access your cluster using AWS IAM roles in the dashboard. When you create an EKS cluster, the IAM entity is granted system:masters
permissions in Kubernetes Role Based Access Control (RBAC) configuration.
More information about the configuration of the EKS control plane can be found on the EKS Cluster IAM Policies and Roles page.
If the EKS cluster was created as a cluster using a self-managed AWS cluster that uses IAM Instance Profiles, you will need to modify the IAMAuthenticatorConfig
field in the AWSManagedControlPlane
API object to allow other IAM entities to access the EKS workload cluster. Follow the steps below:
Run the following command with your
KUBECONFIG
configured to select the self-managed cluster previously used to create the workload EKS cluster. Ensure you substitute${CLUSTER_NAME}
and${CLUSTER_NAMESPACE}
with their corresponding values for your cluster.CODEkubectl edit awsmanagedcontrolplane ${CLUSTER_NAME}-control-plane -n ${CLUSTER_NAMESPACE}
Edit the
IamAuthenticatorConfig
field with the IAM Role to the corresponding Kubernetes Role. In this example, the IAM rolearn:aws:iam::111122223333:role/PowerUser
is granted the cluster rolesystem:masters
. Note that this example uses example AWS resource ARNs, so these values should be substituted for real values in the corresponding AWS account.CODEiamAuthenticatorConfig: mapRoles: - groups: - system:bootstrappers - system:nodes rolearn: arn:aws:iam::111122223333:role/my-node-role username: system:node:{{EC2PrivateDNSName}} - groups: - system:masters rolearn: arn:aws:iam::111122223333:role/PowerUser username: admin
For further instructions on changing or assigning roles
or clusterroles
to which you can map IAM users or roles, see Amazon Enabling IAM access to your cluster.