Following this tutorial: https://archive.eksworkshop.com/beginner/091_iam-groups/test-cluster-access/ - Which I believe is missing the point it is trying to make, by assuming the role directly at the Test EKS page
I've created a role called k8sAdmin with the following policy/trust relations
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
I've create a user group called k8sAdministrators with the following permission policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeOrganizationAccountRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNT:role/k8sAdmin"
}
]
}
I've modified the kube-system aws-auth ConfigMap to assign permission to the k8sAdmin role.
apiVersion: v1
data:
mapRoles: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::ACCOUNT:role/eksctl-production-nodegrou-NodeInstanceRole
username: system:node:{{EC2PrivateDNSName}}
- groups:
- system:masters
rolearn: arn:aws:iam::ACCOUNT:role/k8sAdmin
username: admin
mapUsers: |
[]
When I assume the role directly, I can access the cluster.
But the goal is, to allow any user in the k8sAdministrators group to have access to the cluster, since the group has permission to assume role.
Does not work with the current config, group members are not authorized to access the cluster.
