How do you get kubectl to log in to an AWS EKS cluster?

amazon-web-services kubernetes kubectl amazon-eks
sbs picture sbs · Nov 12, 2018 · Viewed 11k times · Source

Starting from a ~empty AWS account, I am trying to follow https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html

So that meant I created a VPS stack, then installed aws-iam-authenticator, awscli and kubectl, then created an IAM user with Programmatic access and AmazonEKSAdminPolicy directly attached.

Then I used the website to create my EKS cluster and used aws configure to set the access key and secret of my IAM user.

aws eks update-kubeconfig --name wr-eks-cluster worked fine, but:

kubectl get svc
error: the server doesn't have a resource type "svc"

I continued anyway, creating my worker nodes stack, and now I'm at a dead-end with:

kubectl apply -f aws-auth-cm.yaml
error: You must be logged in to the server (the server has asked for the client to provide credentials)

aws-iam-authenticator token -i <my cluster name> seems to work fine.

The thing I seem to be missing is that when you create the cluster you specify an IAM role, but when you create the user (according to the guide) you attach a policy. How is my user supposed to have access to this cluster?

Or ultimately, how do I proceed and gain access to my cluster using kubectl?

Answer

Ivan Kalita picture Ivan Kalita · Nov 12, 2018
  1. As mentioned in docs, the AWS IAM user created EKS cluster automatically receives system:master permissions, and it's enough to get kubectl working. You need to use this user credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) to access the cluster. In case you didn't create a specific IAM user to create a cluster, then you probably created it using root AWS account. In this case, you can use root user credentials (Creating Access Keys for the Root User).
  2. The main magic is inside aws-auth ConfigMap in your cluster – it contains IAM entities -> kubernetes ServiceAccount mapping.

I'm not sure about how do you pass credentials for the aws-iam-authenticator:

  • If you have ~/.aws/credentials with aws_profile_of_eks_iam_creator then you can try $ AWS_PROFILE=aws_profile_of_eks_iam_creator kubectl get all --all-namespaces
  • Also, you can use environment variables $ AWS_ACCESS_KEY_ID=XXX AWS_SECRET_ACCESS_KEY=YYY AWS_DEFAULT_REGION=your-region-1 kubectl get all --all-namespaces

Both of them should work, because kubectl ... will use generated ~/.kube/config that contains aws-iam-authenticator token -i cluster_name command. aws-iam-authenticator uses environment variables or ~/.aws/credentials to give you a token.

Also, this answer may be useful for the understanding of the first EKS user creation.

Related questions

AWS EKS "is not authorized to perform: iam:CreateServiceLinkedRole"

I have followed the documentation for spinning up an EKS cluster that says to make a service role with certain policies. https://docs.aws.amazon.com/eks/latest/userguide/eks-ug.pdf To create your Amazon EKS service role 1. Open the …

Read More
kubectl error You must be logged in to the server (Unauthorized) when accessing EKS cluster

I have been trying to follow the getting started guide to EKS. When I tried to call kubectl get service I got the message: error: You must be logged in to the server (Unauthorized) Here is what I did: 1. Created …

Read More
Kubernetes: how to set VolumeMount user group and file permissions

I'm running a Kubernetes cluster on AWS using kops. I've mounted an EBS volume onto a container and it is visible from my application but it's read only because my application does not run as root. How can I mount …

Read More