How do you get kubectl to log in to an AWS EKS cluster?

sbs · Nov 12, 2018 · Viewed 11k times

Starting from a ~empty AWS account, I am trying to follow https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html

So that meant I created a VPC stack, then installed aws-iam-authenticator, awscli and kubectl, then created an IAM user with Programmatic access and AmazonEKSAdminPolicy directly attached.

Then I used the website to create my EKS cluster and used aws configure to set the access key and secret of my IAM user.

aws eks update-kubeconfig --name wr-eks-cluster worked fine, but:

kubectl get svc
error: the server doesn't have a resource type "svc"

I continued anyway, creating my worker nodes stack, and now I'm at a dead-end with:

kubectl apply -f aws-auth-cm.yaml
error: You must be logged in to the server (the server has asked for the client to provide credentials)

aws-iam-authenticator token -i <my cluster name> seems to work fine.

The thing I seem to be missing is that when you create the cluster you specify an IAM role, but when you create the user (according to the guide) you attach a policy. How is my user supposed to have access to this cluster?

Or ultimately, how do I proceed and gain access to my cluster using kubectl?

Answer

Ivan Kalita · Nov 12, 2018
  1. As mentioned in the docs, the AWS IAM user that created the EKS cluster automatically receives system:masters permissions, and that is enough to get kubectl working. You need to use this user's credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) to access the cluster. If you didn't create a specific IAM user to create the cluster, then you probably created it using the root AWS account. In this case, you can use the root user's credentials (Creating Access Keys for the Root User).
  2. The main magic is inside the aws-auth ConfigMap in your cluster: it contains the IAM entities -> Kubernetes ServiceAccount mapping.

I'm not sure how you pass credentials to aws-iam-authenticator:

  • If you have ~/.aws/credentials with aws_profile_of_eks_iam_creator, then you can try $ AWS_PROFILE=aws_profile_of_eks_iam_creator kubectl get all --all-namespaces
  • Also, you can use environment variables: $ AWS_ACCESS_KEY_ID=XXX AWS_SECRET_ACCESS_KEY=YYY AWS_DEFAULT_REGION=your-region-1 kubectl get all --all-namespaces

Both of them should work, because kubectl ... will use the generated ~/.kube/config, which contains the aws-iam-authenticator token -i cluster_name command. aws-iam-authenticator uses environment variables or ~/.aws/credentials to give you a token.

Also, this answer may be useful for understanding the first EKS user creation.
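As an added example (not code from the question, the answer, or AWS), a small Python helper that renders the aws-auth ConfigMap the answer refers to, using the mapRoles/mapUsers layout from the EKS docs, and checks each entry before it is applied: it flags role ARNs that carry a path (which aws-auth does not resolve), usernames in the reserved system: prefix, and blanket system:masters grants. The account id, role name and user name are constructed placeholders.

```python
import re

# aws-auth accepts IAM ARNs shaped arn:aws:iam::<12-digit account>:user/<name> or :role/<name>.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(user|role)/(.+)$")
NODE_USERNAME = "system:node:{{EC2PrivateDNSName}}"  # template EKS expands per worker node


def validate_mapping(arn, username, groups):
    """Return the problems found in one aws-auth entry; an empty list means it is acceptable."""
    problems = []
    m = ARN_RE.match(arn)
    if not m:
        problems.append(f"malformed IAM ARN: {arn}")
    elif m.group(2) == "role" and "/" in m.group(3):
        # aws-auth does not resolve role paths; strip them to arn:aws:iam::<acct>:role/<name>.
        problems.append(f"role ARN must not contain a path: {arn}")
    if username.startswith("system:") and username != NODE_USERNAME:
        # Kubernetes reserves the system: prefix; only the node template belongs there.
        problems.append(f"username uses the reserved system: prefix: {username}")
    if "system:masters" in groups:
        # The same power the cluster creator holds implicitly; bind a narrower group via RBAC.
        problems.append(f"{arn} would get cluster-admin via system:masters")
    return problems


def render_aws_auth(role_maps, user_maps):
    """Render kube-system/aws-auth as YAML from (arn, username, groups) tuples; ValueError on a bad entry."""
    def section(key, arn_key, entries):
        lines = [f"  {key}: |"]
        for arn, username, groups in entries:
            problems = validate_mapping(arn, username, groups)
            if problems:
                raise ValueError("; ".join(problems))
            lines += [f"    - {arn_key}: {arn}", f"      username: {username}", "      groups:"]
            lines += [f"        - {g}" for g in groups]
        return lines

    header = ["apiVersion: v1", "kind: ConfigMap", "metadata:", "  name: aws-auth",
              "  namespace: kube-system", "data:"]
    return "\n".join(header + section("mapRoles", "rolearn", role_maps)
                     + section("mapUsers", "userarn", user_maps)) + "\n"


if __name__ == "__main__":
    # Constructed sample: the worker-node instance role from the getting-started guide, plus one
    # IAM user placed in a custom group that a ClusterRoleBinding can tie to a read-only role.
    node_role = "arn:aws:iam::123456789012:role/wr-eks-worker-nodes-NodeInstanceRole"
    print(render_aws_auth([(node_role, NODE_USERNAME, ["system:bootstrappers", "system:nodes"])],
                          [("arn:aws:iam::123456789012:user/eks-developer", "eks-developer", ["eks-readers"])]))
```

Apply the rendered file with kubectl as the cluster creator's identity, then give the mapped group rights through a RoleBinding or ClusterRoleBinding rather than through system:masters.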