Simplified Amazon EKS Cluster Access Management using EKS APIs and AWS Console

Pre-Requisites:

An EKS Cluster (v1.27) provisioned with the latest platform version.
kubectl (v1.29.0), aws-cli (2.15.7) installed
Required IAM permissions to call EKS API using aws-cli

Basic Terminologies:

[Source: AWS EKS Access Management Docs]

Access Entry - "An access entry is a cluster identity—directly linked to an AWS IAM principal user or role—that is used to authenticate to an Amazon EKS cluster."
Access Policies - "An Amazon EKS access policy authorizes an access entry to perform specific cluster actions."

Listing all the Access Policies:

aws eks list-access-policies

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
{
    "accessPolicies": [
        {
            "name": "AmazonEKSAdminPolicy",
            "arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy"
        },
        {
            "name": "AmazonEKSClusterAdminPolicy",
            "arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
        },
        {
            "name": "AmazonEKSEditPolicy",
            "arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSEditPolicy"
        },
        {
            "name": "AmazonEKSViewPolicy",
            "arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
        }
    ]
}

Modes of Authentication:

CONFIG_MAP - Uses aws-auth configmap authentication exclusively.
API_AND_CONFIG_MAP - Uses both aws-auth configmap and Amazon EKS Access Entry API's to source authentication with precedence to the latter.
API - Only considers Amazon EKS Access Entry API's to source authentication.

Verifying/Changing the access config of the EKS cluster:

By default the access config for the EKS cluster on the latest platform version would be API_AND_CONFIG_MAP, we can also change the same if not so via calling the EKS API -

aws eks update-cluster-config --name eks-demo-cluster --access-config authenticationMode=API_AND_CONFIG_MAP

Migrating aws-auth configmap user to EKS Access Entry:

I have an admin user in the aws-auth configmap that I shall be replicating accross the EKS Access Entry and attach an EKS Managed policy to the same.

aws-auth configmap -

Image not found

aws-auth configmap

Creating an Access Entry -

aws eks create-access-entry --cluster-name eks-demo-cluster --principal-arn "arn:aws:iam::<ACCOUNTID>:user/k8s-admin"

Associating Access Policy to the Access Entry -

aws eks associate-access-policy --cluster-name eks-demo-cluster --principal-arn "arn:aws:iam::<ACCOUNTID>:user/k8s-admin" --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy --access-scope type=cluster

Once this is done we can change the cluster access config to API only.

aws eks update-cluster-config --name eks-demo-cluster --access-config authenticationMode=API

Verifying access to the cluster:

We can update the kubeconfig with the credentials of the k8s-admin user

AWS_PROFILE=k8s-admin-demo aws eks update-kubeconfig --name eks-demo-cluster --region ap-south-1

We can review the access for this user on the cluster using

kubectl auth can-i

Image not found

Cluster Access Verification

The user has the same access across the cluster after replicating it via Access Entry and Access Policy.

Granting access to cluster based on custom permissions using Kubernetes Groups:

Creating a ClusterRole for developer with list, get, watch access to pods, pods/logs

1
2
3
4
5
6
7
8
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-viewer
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["list", "get", "watch"]

Creating a ClusterRoleBinding and mapping it to a Kubernetes Group

kubectl create clusterrolebinding pod-viewer --clusterrole=pod-viewer --group=developer

Creating an Access Entry to associate this Kubernetes Group to an IAM Principal

aws eks create-access-entry --cluster-name eks-demo-cluster --principal-arn "arn:aws:iam::<ACCOUNTID>:user/k8s-dev" --kubernetes-group developer

Verifying Access

Image not found

Verifying Developer Access to cluster

Accessing Cluster Access Configuration and Creating an Access Entry from AWS Console

Image not found

Modifying Cluster Access Config Mode from Access Section

Image not found

Cluster Access Config Modes

We can view all the access entries on the access tab of Amazon EKS on the AWS Console, additionally we can create access entry as well

Image not found

Access Entries on the AWS Console

Image not found

Creating an Access Entry from the AWS Console

Image not found

Listing the newly added access entry

Deleting an Access Entry using EKS API and from the AWS Console

EKS API

aws eks delete-access-entry --cluster-name eks-demo-cluster --principal-arn "arn:aws:iam::<ACCOUNTID>:user/k8s-dev"

AWS Console

Image not found

Deleting Access Entry

Image not found

Deleting Access Entry from AWS Console

References:

AWS EKS Docs

Conclusion:

Amazon EKS Cluster Access Management provides a clean and flexible way of managing access of AWS IAM Principals directly using the Amazon EKS APIs without the need to use Kubernetes APIs. In future releases of Kubernetes Version of Amazon EKS, the aws-auth configmap authentication source would be removed and authentication would be sourced only from Access entries and Access policies.

Select your cookie preferences

Site Terms, Privacy, and more.

Simplified Amazon EKS Cluster Access Management using EKS APIs and AWS Console

Amazon EKS Team have added a new feature of assigning IAM principals access to the EKS cluster and Kubernetes Objects directly using the Amazon EKS API, we shall additionally explore the same via AWS Console.

Comments