Starting from a nearly empty AWS account, I am trying to follow https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html
So that meant I created a VPC stack, then installed aws-iam-authenticator, awscli and kubectl, then created an IAM user with programmatic access and AmazonEKSAdminPolicy directly attached.
Then I used the website to create my EKS cluster and used aws configure to set the access key and secret of my IAM user.
aws eks update-kubeconfig --name wr-eks-cluster
worked fine, but:
kubectl get svc
error: the server doesn't have a resource type "svc"
I continued anyway, creating my worker node stack, and now I'm at a dead end with:
kubectl apply -f aws-auth-cm.yaml
error: You must be logged in to the server (the server has asked for the client to provide credentials)
aws-iam-authenticator token -i <my cluster name>
seems to work fine.
The thing I seem to be missing is that when you create the cluster you specify an IAM role, but when you create the user (according to the guide) you attach a policy. How is my user supposed to have access to this cluster?
Or ultimately, how do I proceed and gain access to my cluster using kubectl?
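The token that `aws-iam-authenticator token -i <cluster>` prints is generated entirely on the client, so "seems to work fine" only means the local credentials could sign something; the API server decides later whether the signer is allowed in. The following is an added example (not from the question or from aws-iam-authenticator) that decodes such a token offline to show which access key kubectl actually presented. The token format it assumes is the documented one: the literal prefix `k8s-aws-v1.` followed by the unpadded base64url encoding of a presigned STS GetCallerIdentity URL. The sample token is constructed with AWS's documented example key ID and a fake signature; the signature is not verified here (only STS can do that).

```python
import base64
from urllib.parse import parse_qs, urlsplit

TOKEN_PREFIX = "k8s-aws-v1."


def decode_eks_token(token: str) -> dict:
    """Return what an aws-iam-authenticator token actually carries.

    The token is the prefix above plus the unpadded base64url encoding of a
    presigned STS GetCallerIdentity URL. Nothing here contacts AWS and the
    signature is not checked, so this is a diagnostic for "which credentials
    did kubectl sign with", not a validity check.
    """
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("not an aws-iam-authenticator token (no k8s-aws-v1. prefix)")
    body = token[len(TOKEN_PREFIX):]
    padded = body + "=" * (-len(body) % 4)  # restore the padding the encoder strips
    url = base64.urlsafe_b64decode(padded).decode("ascii")
    parts = urlsplit(url)
    query = parse_qs(parts.query)

    host = parts.netloc.lower()
    is_sts = host == "sts.amazonaws.com" or (
        host.startswith("sts.") and host.endswith(".amazonaws.com")
    )
    if not is_sts:
        raise ValueError(f"presigned URL does not point at STS: {host}")
    if query.get("Action") != ["GetCallerIdentity"]:
        raise ValueError("presigned URL is not a GetCallerIdentity call")

    # X-Amz-Credential is "<access key id>/<date>/<region>/sts/aws4_request"
    access_key_id, date, region, service, _ = query["X-Amz-Credential"][0].split("/")
    signed_headers = query.get("X-Amz-SignedHeaders", [""])[0].split(";")
    return {
        "sts_host": host,
        "access_key_id": access_key_id,
        "credential_kind": credential_kind(access_key_id),
        "signing_date": date,
        "region": region,
        "service": service,
        "expires_seconds": int(query.get("X-Amz-Expires", ["0"])[0]),
        # The cluster name is bound into the signature through the
        # x-k8s-aws-id header, so a token minted for one cluster cannot be
        # replayed against another.
        "cluster_header_signed": "x-k8s-aws-id" in signed_headers,
    }


def credential_kind(access_key_id: str) -> str:
    """Classify the key by its well-known prefix."""
    if access_key_id.startswith("AKIA"):
        return "long-term IAM user access key"
    if access_key_id.startswith("ASIA"):
        return "temporary STS credentials (assumed role or session)"
    return "unknown"


# Constructed sample token: a real-shaped presigned URL with AWS's documented
# example key ID and a fake signature, so the example runs offline.
_SAMPLE_URL = (
    "https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20180801%2Fus-east-1%2Fsts%2Faws4_request"
    "&X-Amz-Date=20180801T120000Z&X-Amz-Expires=60"
    "&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id"
    "&X-Amz-Signature=0000000000000000000000000000000000000000000000000000000000000000"
)
SAMPLE_TOKEN = TOKEN_PREFIX + base64.urlsafe_b64encode(_SAMPLE_URL.encode()).decode().rstrip("=")

if __name__ == "__main__":
    # On a real machine, paste the "token" field from the JSON that
    # `aws-iam-authenticator token -i <cluster>` prints instead of SAMPLE_TOKEN.
    for key, value in decode_eks_token(SAMPLE_TOKEN).items():
        print(f"{key}: {value}")
```

The access key ID tells you which profile or environment kubectl really picked up (an `ASIA` key means an assumed role or session, not the IAM user whose `AKIA` key you ran `aws configure` with). To turn that into an ARN, run `aws sts get-caller-identity` with exactly the same AWS_PROFILE or environment variables that kubectl sees; that ARN is what the cluster checks against its aws-auth ConfigMap, and a mismatch is what produces "You must be logged in to the server".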
system:masters permissions, and it's enough to get kubectl working. You need to use this user's credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) to access the cluster. In case you didn't create a specific IAM user to create the cluster, then you probably created it using the root AWS account. In this case, you can use the root user's credentials (Creating Access Keys for the Root User).
The aws-auth ConfigMap in your cluster contains the IAM entities -> Kubernetes ServiceAccount mapping.
I'm not sure how you pass credentials to aws-iam-authenticator:
If you have ~/.aws/credentials with aws_profile_of_eks_iam_creator, then you can try
$ AWS_PROFILE=aws_profile_of_eks_iam_creator kubectl get all --all-namespaces
$ AWS_ACCESS_KEY_ID=XXX AWS_SECRET_ACCESS_KEY=YYY AWS_DEFAULT_REGION=your-region-1 kubectl get all --all-namespaces
Both of them should work, because kubectl will use the generated ~/.kube/config that contains the aws-iam-authenticator token -i cluster_name command. aws-iam-authenticator uses environment variables or ~/.aws/credentials to give you a token.
Also, this answer may be useful for the understanding of the first EKS user creation.
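Since the question's dead end is `kubectl apply -f aws-auth-cm.yaml`, here is what a complete aws-auth ConfigMap looks like, as an added example that is not the guide's file or the answer's own text. The guide's aws-auth-cm.yaml only carries the mapRoles entry for the worker nodes; the mapUsers entry below additionally maps a second IAM user into the cluster. The account ID 111122223333, the role name eks-worker-NodeInstanceRole and the user name eks-admin are placeholders; substitute the NodeInstanceRole ARN from your worker node stack's outputs and the ARN of the IAM user you want to grant access to.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  # Worker node instance role from the worker node stack: lets kubelets join.
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/eks-worker-NodeInstanceRole
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  # Additional IAM user granted cluster-admin through the system:masters group.
  # The identity that created the cluster is NOT listed here and still has
  # system:masters; only identities beyond the creator need an entry.
  mapUsers: |
    - userarn: arn:aws:iam::111122223333:user/eks-admin
      username: eks-admin
      groups:
        - system:masters
```

Two things the mapping does not say on its face: `username` and `groups` are Kubernetes user and group names that RBAC evaluates (system:masters is bound to cluster-admin out of the box), not Kubernetes ServiceAccounts; and the ConfigMap can only be applied by an identity that already has access, which is why the first `kubectl apply` has to be run with the cluster creator's credentials, for example `AWS_PROFILE=aws_profile_of_eks_iam_creator kubectl apply -f aws-auth-cm.yaml`. Once it is in place, the IAM user named in mapUsers can use its own keys with the same kubeconfig. Keep mapUsers as short as possible: every entry in system:masters is a full cluster admin, so prefer mapping people to a narrower group bound to a scoped Role or ClusterRole.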