DEV Community

Uri Peled

Secure human Identity and access management for AWS EKS with SSO

AWS-EKS-IAM

Start with the basics:

AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions.

AWS Single Sign-On (AWS SSO) is a cloud service that allows you to grant your users access to AWS resources, such as Amazon EC2 instances, across multiple AWS accounts.

Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.

Role-based access control (RBAC) is a method of restricting access to resources based on the roles of individual users within an organization.

Authentication to your Kubernetes cluster

Amazon EKS uses IAM to provide authentication to your Kubernetes cluster (through the aws eks get-token command, available in version 1.16.156 or later of the AWS CLI, or the AWS IAM Authenticator for Kubernetes), but it still relies on native Kubernetes Role Based Access Control (RBAC) for authorization.

RBAC

The below should help you configure AWS EKS with SSO:

  • Ensure the cluster admin, or whoever already has access to run kubectl commands, adds the SSO role to the aws-auth ConfigMap in the kube-system namespace (this ConfigMap is what maps IAM identities to Kubernetes users and groups on the cluster). The file below is a complete ConfigMap manifest, so apply it as a manifest rather than loading it with --from-file, which would store the whole YAML under a single key instead of populating mapRoles:
 kubectl apply -f path/to/file/aws-auth.yaml

The file "aws-auth.yaml" can look like this (keep any node instance-role entries that are already present in mapRoles, since applying the file replaces the whole block):

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  # rolearn must be the IAM role ARN without any path; an SSO permission-set
  # role is listed in the IAM console with a /aws-reserved/sso.amazonaws.com/...
  # path, which has to be dropped here. The role is mapped to a human admin
  # identity, not to the system:nodes bootstrap groups used by node roles.
  mapRoles: |
    - rolearn: arn:aws:iam::11122223333:role/EKS-DevOpsAdmin
      username: eks-devops-admin
      groups:
        - system:masters
  mapUsers: |
    - userarn: arn:aws:iam::11122223333:user/designated_user
      username: designated_user
      groups:
        - system:masters
  • Ensure you are logged into the SSO role from your CLI/shell. Run `aws sts get-caller-identity` to verify; the Arn it prints should be the assumed-role ARN of the SSO role you mapped above.

  • Ensure that the SSO role is allowed to call eks:DescribeCluster on the cluster you intend to connect to; this is the API that aws eks update-kubeconfig uses to look up the cluster endpoint and CA certificate.

  • You can use the AWS Policy Generator tool, which helps you create the policies that control access to AWS products and resources.

For least privilege use the below IAM Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EKSDescribeClusterPolicy",
      "Action": [
        "eks:DescribeCluster"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

For managing the entire AWS EKS service you can either go with your AdministratorAccess role or with an EKS-specific admin policy such as the one below. Note that eks:* on every resource covers cluster creation and deletion as well as reading, so reserve it for the operators who actually need it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EKSAdminPolicy",
      "Action": "eks:*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
  • Configure kubectl so that you can connect to the Amazon EKS cluster: $ aws eks update-kubeconfig --name cluster_name. This writes the kubeconfig to /home/user/.kube/config (your user's ~/.kube/config), and the generated user entry runs the aws eks get-token command to obtain a token for each request, so the credentials of whatever SSO role you are logged into are what the cluster sees.
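As an added example (my own code, not code from the post), the small Python helper below covers two of the checks above in one place. It derives the rolearn that aws-auth needs from either the assumed-role ARN that `aws sts get-caller-identity` prints for an SSO session or the role ARN as the IAM console lists it; aws-auth matches the role ARN without its path, so the /aws-reserved/sso.amazonaws.com/... path that an SSO permission-set role carries must be dropped, and a session name must not be carried over. It then renders the mapRoles block and reviews the two IAM policies above for whether they grant eks:DescribeCluster and which grants are wildcards. The account id, permission-set hash, user name and the username/group used in the rendered entry are constructed sample values, and the policy check deliberately ignores Deny statements, Resource and Condition.

```python
"""aws-auth rolearn derivation and a quick least-privilege review of IAM policies.
Added example for the EKS/SSO steps above; not the post's own code."""
import fnmatch
import re

# Constructed samples: account id, permission-set hash and user are made up.
SAMPLE_CALLER_ARN = (  # what `aws sts get-caller-identity` shows for an SSO session
    "arn:aws:sts::111122223333:assumed-role/"
    "AWSReservedSSO_EKS-DevOpsAdmin_0123456789abcdef/uri@example.com"
)
SAMPLE_CONSOLE_ARN = (  # the same role as the IAM console lists it, path included
    "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
    "us-east-1/AWSReservedSSO_EKS-DevOpsAdmin_0123456789abcdef"
)

_ASSUMED_ROLE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/.+$")
_IAM_ROLE = re.compile(
    r"^arn:aws:iam::(?P<account>\d{12}):role/(?:[^/]+/)*(?P<role>[^/]+)$")


def aws_auth_rolearn(arn):
    """Return the path-less IAM role ARN that aws-auth matches on.

    Accepts either the STS assumed-role ARN (session name is dropped) or the
    IAM role ARN (any path such as /aws-reserved/... is dropped).
    """
    for pattern in (_ASSUMED_ROLE, _IAM_ROLE):
        m = pattern.match(arn)
        if m:
            return f"arn:aws:iam::{m['account']}:role/{m['role']}"
    raise ValueError(f"unrecognised role ARN: {arn}")


def render_aws_auth(map_roles):
    """Render an aws-auth ConfigMap manifest from [{rolearn, username, groups}].

    Only mapRoles is emitted; merge the result into the existing ConfigMap so
    that node instance-role entries already on the cluster are not lost.
    """
    lines = ["apiVersion: v1", "kind: ConfigMap", "metadata:", "  name: aws-auth",
             "  namespace: kube-system", "data:", "  mapRoles: |"]
    for entry in map_roles:
        lines.append(f"    - rolearn: {aws_auth_rolearn(entry['rolearn'])}")
        lines.append(f"      username: {entry['username']}")
        lines.append("      groups:")
        lines.extend(f"        - {g}" for g in entry["groups"])
    return "\n".join(lines) + "\n"


# The two policies from the post, as Python dicts.
DESCRIBE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "EKSDescribeClusterPolicy",
                   "Action": ["eks:DescribeCluster"],
                   "Effect": "Allow", "Resource": "*"}],
}
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "EKSAdminPolicy", "Action": "eks:*",
                   "Effect": "Allow", "Resource": "*"}],
}


def allowed_actions(policy):
    """Actions named by Allow statements; Action may be a string or a list."""
    actions = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        actions.extend([action] if isinstance(action, str) else action)
    return actions


def grants(policy, action):
    """True if an Allow statement's Action pattern matches `action`.

    IAM action matching is case-insensitive and accepts '*' / '?' wildcards.
    Deny statements, Resource and Condition are ignored on purpose: this is a
    quick least-privilege review, not a full policy simulator.
    """
    return any(fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in allowed_actions(policy))


def wildcard_grants(policy):
    """Allow actions that contain a wildcard, i.e. the grants to justify in review."""
    return [a for a in allowed_actions(policy) if "*" in a]


if __name__ == "__main__":
    rolearn = aws_auth_rolearn(SAMPLE_CALLER_ARN)
    print(render_aws_auth([{"rolearn": rolearn, "username": "eks-devops-admin",
                            "groups": ["system:masters"]}]))
    for name, policy in (("least-privilege", DESCRIBE_POLICY), ("admin", ADMIN_POLICY)):
        print(name, "DescribeCluster:", grants(policy, "eks:DescribeCluster"),
              "wildcards:", wildcard_grants(policy))
```

Run it as a script to print the rendered mapRoles block for the sample SSO role and the review of both policies; in practice you would feed it the Arn field from your own get-caller-identity output and the policy documents attached to the permission set.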

The above instructions are for an existing cluster; work through them one by one to secure human identity and access management for AWS EKS with SSO.

Please let me know if you have any questions or feedback