Start with the basics:
AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions.
AWS Single Sign-On (AWS SSO) is a cloud service that allows you to grant your users access to AWS resources, such as Amazon EC2 instances, across multiple AWS accounts.
Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.
Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise.
Authentication to your Kubernetes cluster
Amazon EKS uses IAM to provide authentication to your Kubernetes cluster (through the aws eks get-token command, available in version 1.16.156 or later of the AWS CLI, or the AWS IAM Authenticator for Kubernetes), but it still relies on native Kubernetes Role Based Access Control (RBAC) for authorization.
The below should help you configure AWS EKS with SSO:
- Ensure the cluster admin, or whoever has access to run kubectl commands, adds the SSO role to the aws-auth ConfigMap (this ConfigMap is what maps IAM identities to access on the cluster). Apply the manifest with:
```shell
kubectl apply -f path/to/file/aws-auth.properties
```
The file "aws-auth.properties" can look like this:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # each entry maps an IAM role ARN (given without any IAM path) to a Kubernetes username and groups
    - rolearn: arn:aws:iam::11122223333:role/EKS-DevOpsAdmin
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  mapUsers: |
    # each entry maps an IAM user ARN to a Kubernetes username and groups
    - userarn: arn:aws:iam::11122223333:user/designated_user
      username: designated_user
      groups:
        - system:masters
```
- Ensure you are logged in to the SSO role from your CLI/shell/CMD. Run the following to verify:
```shell
aws sts get-caller-identity
```
- If you are not sure how to log in to the SSO role, see Configuring the AWS CLI to use AWS Single Sign-On. Basically you will need to run:
```shell
aws sso login
```
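As an added example that is not part of the original post, the script below checks that the SSO identity you are logged in as is actually mapped in the aws-auth ConfigMap before you go on to configure kubectl; the account id, role name, session name and sample manifest are constructed values, and the helper function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): check that the identity you are
# logged in as under SSO is actually mapped in the aws-auth ConfigMap before
# running `aws eks update-kubeconfig`. The account id, role name, session name
# and the sample manifest below are constructed values.

# `aws sts get-caller-identity` for an SSO session reports an STS ARN of the form
#   arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION
# while mapRoles in aws-auth expects the IAM role form (no path)
#   arn:aws:iam::ACCOUNT:role/ROLE
# Anything that is not an assumed-role ARN (e.g. an IAM user ARN) passes through.
caller_to_role_arn() {
  printf '%s\n' "$1" |
    sed -E 's#^arn:aws:sts::([0-9]+):assumed-role/([^/]+)/.*$#arn:aws:iam::\1:role/\2#'
}

# Succeed (exit 0) only if the ARN in $2 is the value of a rolearn or userarn key
# in the aws-auth manifest at $1. Exact token match, so a role name that is a
# prefix of another role name does not produce a false positive.
identity_mapped_in_aws_auth() {
  awk -v arn="$2" '{ for (i = 1; i < NF; i++)
      if (($i == "rolearn:" || $i == "userarn:") && $(i + 1) == arn) found = 1 }
    END { exit !found }' "$1"
}

# Constructed sample manifest, shaped like the aws-auth file shown in the post.
AWS_AUTH_SAMPLE=$(mktemp)
cat > "$AWS_AUTH_SAMPLE" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/AWSReservedSSO_EKSAdmin_0123456789abcdef
      username: sso-eks-admin
      groups:
        - system:masters
EOF

# Constructed stand-in for: aws sts get-caller-identity --query Arn --output text
SAMPLE_CALLER_ARN='arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_EKSAdmin_0123456789abcdef/alice@example.com'

ROLE_ARN=$(caller_to_role_arn "$SAMPLE_CALLER_ARN")
if identity_mapped_in_aws_auth "$AWS_AUTH_SAMPLE" "$ROLE_ARN"; then
  echo "OK: $ROLE_ARN is mapped in aws-auth; kubectl should work after update-kubeconfig"
else
  echo "MISSING: $ROLE_ARN is not in aws-auth; kubectl would fail with Unauthorized" >&2
fi
```

To run it against a real cluster, replace SAMPLE_CALLER_ARN with the output of `aws sts get-caller-identity --query Arn --output text` and AWS_AUTH_SAMPLE with your own manifest (for example the output of `kubectl -n kube-system get configmap aws-auth -o yaml`).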
- Ensure that the SSO role has permission to call eks:DescribeCluster on the cluster you intend to connect to. You can use the AWS Policy Generator tool, which lets you create policies that control access to Amazon Web Services (AWS) products and resources. For least privilege, use the IAM policy below:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EKSDescribeClusterPolicy",
      "Action": [
        "eks:DescribeCluster"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
For managing the entire AWS EKS service you can either use your AdministratorAccess role or an EKS-specific admin policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EKSAdminPolicy",
      "Action": "eks:*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
- Configure kubectl so that you can connect to an Amazon EKS cluster:
```shell
aws eks update-kubeconfig --name cluster_name
```
This creates the kubeconfig at /home/user/.kube/config; the generated kubeconfig also contains the aws eks get-token command that kubectl runs to authenticate.
The above instructions are for an existing cluster; you should be able to follow them one by one to secure human identity and access management for AWS EKS with SSO.
Please let me know if you have any questions or feedback.