Adding an AWS user to a Kubernetes cluster's RBAC configuration


When you create an Amazon EKS cluster, the IAM entity (user or role) that creates the cluster, such as a federated user, is automatically granted system:masters permissions in the cluster's RBAC configuration. To grant additional AWS users or roles the ability to interact with your cluster, you must edit the aws-auth ConfigMap within Kubernetes.

For more information, see Roles and permissions created in AWS RBAC.

Create a config file for the new user

To add a new user to the RBAC configuration, follow these instructions:

  1. If you don’t already have one nominated, create a user in AWS IAM with programmatic access. This user does not need any permissions or roles in AWS. All permissions will be K8s-specific.
  2. Make sure your kubeconfig file is pointing to the cluster.
  3. Use one of the following options to create the RBAC YAML configuration:

    • Download the sample aws-auth-cm.yaml file from the reference page above, or…
    • Download your cluster’s existing RBAC ConfigMap and copy it to a file, or…
    • Use the following sample file as a reference:

Sample file

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <ARN of instance role (not instance profile)>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  mapUsers: |-
    - userarn: arn:aws:iam::932770550094:user/eks-xlup
      username: eks-xlup
      groups:
        - system:masters
    # ===== ADD THIS NEW TEXT ==========
    - userarn: <ARN of the AWS user>
      username: <Name of the AWS user>
      groups:
        - system:masters
    # ===== END OF NEW TEXT ============

Apply the user to the config file

  1. Use the following command to get the current aws-auth ConfigMap from the cluster:
     kubectl get configmap/aws-auth --namespace kube-system -o yaml
  2. Add the new user entry under mapUsers in the returned config and save it to a file.
  3. Use the following command to apply this new config to your cluster:
     kubectl apply -f <FILENAME.yaml>

You should now be able to deploy to the cluster as the new user.
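As an added example that is not part of the original page, the following Python script edits the mapUsers block from step 1 the way steps 2 and 3 need it: it validates the ARN, refuses to add an ARN that is already mapped, and lists which mapped users hold system:masters so the result can be reviewed before kubectl apply. The sample block and account id are constructed placeholders, and the custom group deployers used in the test is an assumption, not something the page defines.

```python
import re

# Constructed sample mapUsers block (placeholder account id), in the layout
# `kubectl get configmap/aws-auth --namespace kube-system -o yaml` returns.
SAMPLE_MAP_USERS = """\
- userarn: arn:aws:iam::111122223333:user/eks-admin
  username: eks-admin
  groups:
    - system:masters
"""

# IAM user or role ARN: 12-digit account id, then user/<name> or role/<name>.
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/[\w+=,.@/-]+$")


def parse_map_users(text):
    """Parse the restricted YAML list used by mapUsers (assumes each entry
    starts with '- userarn:', as kubectl prints it) into dicts."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("- userarn:"):
            entries.append({"userarn": s.split(":", 1)[1].strip(), "groups": []})
        elif s.startswith("username:") and entries:
            entries[-1]["username"] = s.split(":", 1)[1].strip()
        elif s.startswith("- ") and entries:  # an item under 'groups:'
            entries[-1]["groups"].append(s[2:].strip())
    return entries


def render_map_users(entries):
    """Serialise entries back into the mapUsers block scalar."""
    out = []
    for e in entries:
        out += [f"- userarn: {e['userarn']}", f"  username: {e['username']}", "  groups:"]
        out += [f"    - {g}" for g in e["groups"]]
    return "\n".join(out) + "\n"


def add_map_user(text, userarn, username, groups):
    """Append a user mapping; reject malformed ARNs and already-mapped ARNs."""
    if not ARN_RE.match(userarn):
        raise ValueError(f"not an IAM user/role ARN: {userarn}")
    entries = parse_map_users(text)
    if any(e["userarn"] == userarn for e in entries):
        raise ValueError(f"{userarn} is already mapped; edit that entry instead")
    entries.append({"userarn": userarn, "username": username, "groups": list(groups)})
    return render_map_users(entries)


def cluster_admins(text):
    """Usernames mapped to system:masters (full cluster admin); review after each change."""
    return [e["username"] for e in parse_map_users(text) if "system:masters" in e["groups"]]
```

Feed it the mapUsers value from kubectl's output and paste the returned block back into the ConfigMap before applying.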