Enabling AWS IAM Token-Based Auth for EKS
The following guide documents integrating AWS Elastic Kubernetes
Service (EKS) clusters with IAM roles for authentication. The
documentation assumes that an EKS cluster exists with IAM roles
enabled
and that the aws
CLI, eksctl
, and aws-iam-authenticator
tools are available.
Creating IAM Policies and Roles
Follow the below instructions to create the right IAM policy and role for K10 setup.
Follow the instructions here to:
Create an IAM Policy and obtain the IAM Policy ARN from the AWS IAM Console.
Create an IAM Role for K10 use.
Obtain the ARN for the newly-created IAM Role from the AWS IAM Console or by running the following command.
$ aws iam get-role --role-name <role-name> | grep Arn
Export the value as
AWS_IAM_ROLE_ARN
:$ export AWS_IAM_ROLE_ARN=arn:aws:iam::<AWS ACCOUNT>:role/<ROLE NAME>
Installing and Configuring K10
Note
With the below configuration, K10 dashboard or API/CLI access will fail until the RBAC setup documented below is completed.
K10 should now be installed using the instructions here for using IAM roles but the following option must be added to the install command to enable token-based authentication. If this was missed during initial install, it can also be added as an upgrade option provided to Helm.
--set auth.tokenAuth.enabled=true
Configuring RBAC
As defined in our RBAC documentation, K10 comes with pre-defined ClusterRoles that will be used in the below examples but additional roles can be defined by the administrator.
See Managing Users or IAM Roles for your Cluster for the authoritative set of instructions on providing access to an IAM user or role to an EKS cluster.
This section assumes that the administrator has:
Created an IAM Role for users to assume (no policies should be attached to this role)
Added user ARNs for all users that will assume this role under AWS (a trust relationship)
The IAM Role ARN from step 1 above needs to be extracted via the AWS console or by using the following command:
$ aws iam get-role --role-name <role-name> | grep Arn
Assuming the aws-auth
ConfigMap already exists on your cluster,
you need to edit it to include the appropriate IAM users that need
access to K10.
$ kubectl edit configmap aws-auth --namespace kube-system -oyaml
The below example will use the default
k10-basic ClusterRole defined by K10 but this
process can be easily extended to arbitrary ClusterRoles. The
ClusterRole can, in turn, be bound to groups and, while not
recommended, individual users. A new group (k10:basic
) will be
used and, to give this group the ability to access K10, the
aws-auth
ConfigMap needs to be edited to include the following
configuration under the mapRoles
section:
- groups:
- k10:basic
rolearn: <role-arn>
username: <role-name>
Once done, the aws-auth
ConfigMap should look similar to this:
apiVersion: v1
data:
mapRoles: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::036776340102:role/<node-instance-role>
username: system:node:{{EC2PrivateDNSName}}
- groups:
- k10:basic
rolearn: <role-arn>
username: <role-name>
kind: ConfigMap
metadata:
creationTimestamp: "2020-01-14T00:01:03Z"
name: aws-auth
namespace: kube-system
resourceVersion: "2599951"
selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
uid: f4472c09-3660-11ea-bf0c-06020ce34614
A ClusterRoleBinding for the k10:basic
group needs to be created
next by using the following command:
$ kubectl create clusterrolebinding <crb-name> --clusterrole=k10-basic --group=k10:basic
This will generate a ClusterRoleBinding that looks similar to the following:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: "2020-01-31T07:39:26Z"
name: k10-basic-crb
resourceVersion: "2639648"
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/k10-basic-crb
uid: ce583ca0-43fc-11ea-9337-0a19c86c753e
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: k10-basic
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: k10:basic
Note
For ease-of-use, a
ClusterRoleBinding for a default
k10:admins
Group is auto-created during K10 install.
Logging into the K10 Dashboard using AWS IAM Tokens
To get a user token to authenticate against the K10 dashboard or API for the above user, run:
$ aws-iam-authenticator token -i ${EKS_CLUSTER_NAME} --token-only --role <role-arn>
You can then access the dashboard by logging in with the above token. The user and permissions can be verified from the top-right section of the screen.
Debugging Login Issues
If there are login issues with the token obtained above, validating
that the role assumption is correctly configured can be accomplished
by creating the following profile in ${HOME}/.aws/config
:
[profile <profile-name>]
role_arn = <role-arn>
source_profile = default
and then executing:
$ aws sts get-caller-identity --profile <profile-name>