Enabling AWS IAM Token-Based Auth for EKS

The following guide documents integrating AWS Elastic Kubernetes Service (EKS) clusters with IAM roles for authentication. The documentation assumes that an EKS cluster exists with IAM roles enabled and that the aws CLI, eksctl, and aws-iam-authenticator tools are available.

Creating IAM Policies and Roles

Follow the below instructions to create the right IAM policy and role for the Veeam Kasten setup.

  • Follow the instructions here to:

    • Create an IAM Policy and obtain the IAM Policy ARN from the AWS IAM Console.

    • Create an IAM Role for Veeam Kasten use.

  • Obtain the ARN for the newly-created IAM Role from the AWS IAM Console or by running the following command.

    $ aws iam get-role --role-name <role-name> | grep Arn

    Export the value as AWS_IAM_ROLE_ARN:

    $ export AWS_IAM_ROLE_ARN=arn:aws:iam::<AWS ACCOUNT>:role/<ROLE NAME>

Installing and Configuring Veeam Kasten

Note

With the below configuration, the Veeam Kasten dashboard or API/CLI access will fail until the RBAC setup documented below is completed.

Veeam Kasten should now be installed using the instructions here for using IAM roles but the following option must be added to the install command to enable token-based authentication. If this was missed during the initial install, it can also be added as an upgrade option provided to Helm.

--set auth.tokenAuth.enabled=true

Configuring RBAC

As defined in our RBAC documentation, Veeam Kasten comes with pre-defined ClusterRoles that will be used in the below examples, but additional roles can be defined by the administrator.

See Managing Users or IAM Roles for your Cluster for the authoritative set of instructions on providing access to an IAM user or role to an EKS cluster.

This section assumes that the administrator has:

  1. Created an IAM Role for users to assume (no policies should be attached to this role)

  2. Added user ARNs for all users that will assume this role under AWS (a trust relationship)

The IAM Role ARN from step 1 above needs to be extracted via the AWS console or by using the following command:

$ aws iam get-role --role-name <role-name> | grep Arn

Assuming the aws-auth ConfigMap already exists on your cluster, you need to edit it to include the appropriate IAM users that need access to Veeam Kasten.

$ kubectl edit configmap aws-auth --namespace kube-system -oyaml

The below example will use the default k10-basic ClusterRole defined by Veeam Kasten but this process can be easily extended to arbitrary ClusterRoles. The ClusterRole can, in turn, be bound to groups and, while not recommended, individual users. A new group (k10:basic) will be used, and, to give this group the ability to access Veeam Kasten, the aws-auth ConfigMap needs to be edited to include the following configuration under the mapRoles section:

- groups:
  - k10:basic
  rolearn: <role-arn>
  username: <role-name>

Once done, the aws-auth ConfigMap should look similar to this:

apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::036776340102:role/<node-instance-role>
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - k10:basic
      rolearn: <role-arn>
      username: <role-name>
kind: ConfigMap
metadata:
  creationTimestamp: "2020-01-14T00:01:03Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "2599951"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: f4472c09-3660-11ea-bf0c-06020ce34614

A ClusterRoleBinding for the k10:basic group needs to be created next by using the following command:

$ kubectl create clusterrolebinding <crb-name> --clusterrole=k10-basic --group=k10:basic

This will generate a ClusterRoleBinding that looks similar to the following:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-01-31T07:39:26Z"
  name: k10-basic-crb
  resourceVersion: "2639648"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/k10-basic-crb
  uid: ce583ca0-43fc-11ea-9337-0a19c86c753e
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k10-basic
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: k10:basic

Note

For ease-of-use, a ClusterRoleBinding for a default k10:admins Group is auto-created during Veeam Kasten install.

Logging into the Veeam Kasten Dashboard using AWS IAM Tokens

To get a user token to authenticate against the Veeam Kasten dashboard or API for the above user, run:

$ aws-iam-authenticator token -i ${EKS_CLUSTER_NAME} --token-only --role <role-arn>

You can then access the dashboard by logging in with the above token. The user and permissions can be verified in the top-right section of the screen.

Debugging Login Issues

If there are login issues with the token obtained above, validating that the role assumption is correctly configured can be accomplished by creating the following profile in ${HOME}/.aws/config:

[profile <profile-name>]
role_arn = <role-arn>
source_profile = default

and then executing:

$ aws sts get-caller-identity --profile <profile-name>