AWS EKS Clusters for AWS IAM Users: Seamless Collaboration, Ultimate Control

Introduction

Amazon Elastic Kubernetes Service (EKS) provides a scalable, managed environment for containerized applications. To interact with an EKS cluster, users typically require appropriate permissions.

In this blog post, we will explore the process of granting an IAM user access to an EKS cluster while ensuring fine-grained control over their permissions using cluster roles and role bindings.

Cluster Roles and Role Bindings

In EKS, cluster roles and role bindings are used to manage access control within the cluster. A cluster role is a set of permissions that define what actions a user or group can perform on the cluster resources. Role bindings associate a cluster role with a user or group, granting them the specified permissions.

Pre-Requisites

1. An AWS account
2. Create a Guest User
3. WSL in your computer
4. Install kubectl

Steps to Grant AWS EKS Cluster Access to an AWS IAM User

Step 1:

Create an IAM User: Create an IAM user in the AWS Management Console.

After creating a User, Check whether you can list the Clusters in the AWS EKS section.

You will be getting the error below in the EKS blade.

Ensure the user has the necessary permissions to interact with EKS, such as AmazonEKSClusterReadOnlyAccess for read-only access or AmazonEKSClusterFullAccess for full administrative access. Custom policies can also be created to grant specific permissions.

Create an Inline Policy for EKS full console access and attach it with the IAM user.

Step 2:

After Giving Access, you can see you have access, but your IAM Policy lacks Cluster access.

Step 3:

Now do AWS configure in your WSL distribution or PowerShell. Use Cluster Creator Credentials.

Try to Execute the below command to check and access the cluster.

Then,

If you try the same with the IAM user credentials, you will get errors like the one below

Step 4:

Create a Cluster Role: Define a cluster role that specifies the desired permissions for the IAM user.

Determine the level of access required and create a custom role or use predefined EKS roles like arn:aws:iam::aws:policy/AmazonEKSClusterPolicy. Write the cluster policy similar to the below image in a file and run the below command.

Create a Role Binding: Create a role binding to associate the IAM user with the cluster role. Role bindings are created using the Kubernetes RBAC (Role-Based Access Control) mechanism. Use the kubectl create role binding command or define the role binding in a YAML file and apply it to the cluster using the below command.

Replace the name with the IAM user ARN. And then apply.

You will get the creation output of the Cluster roles and cluster role bindings.

Limit Access with RBAC Rules: Configure additional RBAC rules to restrict the user’s access within the EKS cluster. For example, you can create custom roles that allow read-only access to specific namespaces or limit access to specific resources like pods, deployments, or services.

Step 5:

Describe and Edit AWS configmap using the below command.

Add the mapUsers section to the data in the configmap file and save.

Replace the Userarn value and the IAM user’s username to which you want to give access.

Step 6:

Test User Access: After setting up the cluster role and role binding, test the IAM user’s access to the EKS cluster. Use the IAM user’s credentials and appropriate kubectl commands to interact with the cluster. Ensure the user can perform the desired actions while restricted from unauthorized operations.

Now check the cluster access in the AWS console. You won’t be getting any error messages.

Configure AWS with the IAM user credentials.

Execute the below command

Then,

The IAM user got cluster access if you got the list of nodes after the last command without errors.

Best Practices for Securing AWS EKS Cluster Access

• Principle of Least Privilege: Follow the principle of least privilege by granting only the necessary permissions to the IAM user. Avoid assigning excessive privileges that may pose security risks.
• Regularly Review and Audit Access: Periodically review and audit the IAM user’s access to the EKS cluster. Remove unnecessary permissions or modify the cluster role and role bindings based on evolving requirements.
• Implement MFA (Multi-Factor Authentication): Enable Multi-Factor Authentication (MFA) for IAM users to add an extra layer of security. This ensures that even if the user’s credentials are compromised, unauthorized access is mitigated.
• Monitor and Log Activity: Enable monitoring and logging features in EKS to track user activity within the cluster. Analyze logs and set up alerts to detect suspicious behavior or unauthorized access attempts.

Conclusion

Adhering to best practices and reviewing user access will help maintain a secure and well-managed Kubernetes environment for AWS EKS.

About CloudThat

CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft Gold Partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Drop a query if you have any questions regarding AWS EKS, I will get back to you quickly.

To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.