Introduction
When IAM users in one AWS account (account A) need to reach an EKS cluster in another account (account B), the simplest approach is a cross-account IAM role: the users assume a role in account B, and the cluster's aws-auth configmap maps that role to a Kubernetes identity.
This post assumes the role in account B already exists and that its trust policy allows the users (or a role) in account A to assume it.
Steps to access EKS in the second account
- First, make sure an IAM role, here called cross-account-role, exists in account B and that its trust relationship lists the IAM users (or roles) in account A that should be allowed to assume it.
- Next, make sure you already have access to the EKS cluster in account B with an identity that can edit objects in kube-system. By default only the IAM identity that created the cluster is mapped (it gets system:masters implicitly), so do the following steps with that identity.
- Edit the aws-auth configmap of that cluster:

```bash
kubectl edit -n kube-system configmaps aws-auth
```

- Add the following entry under mapRoles to map the role from the first step. Leave the existing node-role entry exactly as it is; a broken node mapping stops the kubelets from authenticating. Replace the placeholder with account B's 12-digit account id, and write the role ARN without any path component, because aws-iam-authenticator matches on the path-less ARN:

```yaml
mapRoles: |
  - rolearn: arn:aws:iam::<account-B-id>:role/cross-account-role
    username: cross-account-admin
    groups:
      - system:masters
```

system:masters is full cluster-admin, so map it only for an operations role and bind narrower RBAC groups for everyone else. Do not add system:nodes to a role used by people: that group exists for kubelets.

- Set up a profile for account B in ~/.aws/credentials that assumes the role, using your account A credentials as source_profile. The role_arn must be exactly the ARN you put in aws-auth; a typo in either place gives an Unauthorized error with no further detail:

```ini
[account-B]
role_arn = arn:aws:iam::<account-B-id>:role/cross-account-role
source_profile = account-A
region = us-west-2
```

If you put this stanza in ~/.aws/config instead, the section header becomes [profile account-B].

- Export this profile in your terminal and add the EKS cluster to your kubeconfig. It is worth running aws sts get-caller-identity first to confirm the profile really resolves to the assumed role in account B. Passing --profile account-B to update-kubeconfig as well records the profile in the kubeconfig's exec section, so kubectl keeps working in shells where AWS_PROFILE is not exported:

```bash
export AWS_PROFILE=account-B
aws eks update-kubeconfig --name name-of-eks-cluster-in-account-B
```

- Try running kubectl now:

```bash
kubectl get ns
kubectl get pods
```

If you see "error: You must be logged in to the server (Unauthorized)", the rolearn in aws-auth and the role_arn in the profile usually differ (a typo, or a path in the ARN), or kubectl's exec credential plugin is not using the profile you think it is.
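The checks described above (the same ARN in aws-auth and in the CLI profile, no path in the ARN, no kubelet groups on a role used by people) can be run on the text before you touch the configmap. The script below is an added example written for this post, not code from the original article or from AWS; the account id 111122223333, the profile names account-A and account-B, and the Kubernetes username cross-account-admin are placeholders it assumes. It renders the mapRoles entry and the credentials stanza from one ARN, then reports the mismatches that produce an Unauthorized error, using only the standard library.

```python
"""Sanity-check a cross-account EKS role mapping before editing aws-auth.

Added example, not from the original post. Everything here is offline: it only
inspects the text you are about to put into aws-auth and ~/.aws/credentials.
"""
import configparser
import re

# IAM role ARN: 12-digit account id, optional path segments, then the role name.
ROLE_ARN_RE = re.compile(
    r"^arn:aws:iam::(\d{12}):role/((?:[A-Za-z0-9+=,.@_-]+/)*)([A-Za-z0-9+=,.@_-]+)$"
)

# Groups meant for kubelets and node bootstrapping, never for human operators.
NODE_GROUPS = {"system:nodes", "system:bootstrappers"}


def parse_role_arn(arn):
    """Split a role ARN into account id, path (may be empty) and role name."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    account, path, name = m.groups()
    return {"account": account, "path": path, "name": name}


def render_map_roles_entry(rolearn, username, groups):
    """YAML text for one mapRoles item in the layout aws-auth expects."""
    lines = [f"- rolearn: {rolearn}", f"  username: {username}", "  groups:"]
    lines += [f"    - {g}" for g in groups]
    return "\n".join(lines) + "\n"


def render_cli_profile(profile, role_arn, source_profile, region):
    """INI stanza for ~/.aws/credentials (in ~/.aws/config prefix the header with 'profile ')."""
    return (f"[{profile}]\n"
            f"role_arn = {role_arn}\n"
            f"source_profile = {source_profile}\n"
            f"region = {region}\n")


def check_mapping(rolearn, groups, cli_text, profile):
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means go ahead."""
    findings = []
    try:
        parsed = parse_role_arn(rolearn)
    except ValueError as exc:
        return [f"ERROR: {exc}"]
    if parsed["path"]:
        # aws-iam-authenticator matches on the path-less ARN, so an entry that
        # carries the path never matches and the user gets Unauthorized.
        findings.append("ERROR: strip the path from rolearn: use "
                        f"arn:aws:iam::{parsed['account']}:role/{parsed['name']}")
    if "system:masters" in groups:
        findings.append("WARN: system:masters is cluster-admin; scope a narrower group if possible")
    for g in sorted(NODE_GROUPS & set(groups)):
        findings.append(f"WARN: {g} is for kubelets, drop it from a human role mapping")

    cfg = configparser.ConfigParser()
    cfg.read_string(cli_text)
    if not cfg.has_section(profile):
        return findings + [f"ERROR: profile [{profile}] not found"]
    sec = cfg[profile]
    if "source_profile" not in sec:
        findings.append(f"ERROR: [{profile}] needs source_profile (whose credentials assume the role)")
    cli_arn = sec.get("role_arn", "")
    if cli_arn != rolearn:
        # This is the classic silent failure: the two ARNs drift apart by one character.
        findings.append(f"ERROR: role_arn in [{profile}] ({cli_arn}) does not match aws-auth rolearn ({rolearn})")
    return findings


if __name__ == "__main__":
    # Constructed sample: the profile carries a typo in the role name (no hyphen)
    # and the mapping hands a human role the kubelet group.
    ARN = "arn:aws:iam::111122223333:role/cross-account-role"
    typo_profile = render_cli_profile(
        "account-B", "arn:aws:iam::111122223333:role/cross-accountrole", "account-A", "us-west-2")
    for finding in check_mapping(ARN, ["system:masters", "system:nodes"], typo_profile, "account-B"):
        print(finding)
    print(render_map_roles_entry(ARN, "cross-account-admin", ["system:masters"]))
```

Run it once with the exact strings you intend to paste; the two ERROR lines it prints for the constructed sample are the two mistakes that turn into a bare Unauthorized from kubectl.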