AWS, Cloud Computing, DevOps, Kubernetes

5 Mins Read

AWS EKS Clusters for AWS IAM Users: Seamless Collaboration, Ultimate Control

Voiced by Amazon Polly

Introduction

Amazon Elastic Kubernetes Service (EKS) provides a scalable, managed environment for containerized applications. To interact with an EKS cluster, users typically require appropriate permissions.

In this blog post, we will explore the process of granting an IAM user access to an EKS cluster while ensuring fine-grained control over their permissions using cluster roles and role bindings.

Pioneers in Cloud Consulting & Migration Services

  • Reduced infrastructural costs
  • Accelerated application deployment
Get Started

Cluster Roles and Role Bindings

In EKS, cluster roles and role bindings are used to manage access control within the cluster. A cluster role is a set of permissions that define what actions a user or group can perform on the cluster resources. Role bindings associate a cluster role with a user or group, granting them the specified permissions.

Pre-Requisites

  1. An AWS account
  2. Create a Guest User
  3. WSL in your computer
  4. Install kubectl

Steps to Grant AWS EKS Cluster Access to an AWS IAM User

Step 1:

Create an IAM User: Create an IAM user in the AWS Management Console.

After creating a User, Check whether you can list the Clusters in the AWS EKS section.

You will be getting the error below in the EKS blade.

step1

Ensure the user has the necessary permissions to interact with EKS, such as AmazonEKSClusterReadOnlyAccess for read-only access or AmazonEKSClusterFullAccess for full administrative access. Custom policies can also be created to grant specific permissions.

Create an Inline Policy for EKS full console access and attach it with the IAM user.

step1b

Step 2:

After Giving Access, you can see you have access, but your IAM Policy lacks Cluster access.

step2

Step 3:

Now do AWS configure in your WSL distribution or PowerShell. Use Cluster Creator Credentials.

Try to Execute the below command to check and access the cluster.

Then,

step3

If you try the same with the IAM user credentials, you will get errors like the one below

step3b

Step 4:

Create a Cluster Role: Define a cluster role that specifies the desired permissions for the IAM user.

Determine the level of access required and create a custom role or use predefined EKS roles like arn:aws:iam::aws:policy/AmazonEKSClusterPolicy. Write the cluster policy similar to the below image in a file and run the below command.

step4

Create a Role Binding: Create a role binding to associate the IAM user with the cluster role. Role bindings are created using the Kubernetes RBAC (Role-Based Access Control) mechanism. Use the kubectl create role binding command or define the role binding in a YAML file and apply it to the cluster using the below command.

Replace the name with the IAM user ARN. And then apply.

step4b

You will get the creation output of the Cluster roles and cluster role bindings.

step4c

Limit Access with RBAC Rules: Configure additional RBAC rules to restrict the user’s access within the EKS cluster. For example, you can create custom roles that allow read-only access to specific namespaces or limit access to specific resources like pods, deployments, or services.

Step 5:

Describe and Edit AWS configmap using the below command.

step5

Add the mapUsers section to the data in the configmap file and save.

Replace the Userarn value and the IAM user’s username to which you want to give access.

step5b

Step 6:

Test User Access: After setting up the cluster role and role binding, test the IAM user’s access to the EKS cluster. Use the IAM user’s credentials and appropriate kubectl commands to interact with the cluster. Ensure the user can perform the desired actions while restricted from unauthorized operations.

Now check the cluster access in the AWS console. You won’t be getting any error messages.

step6

Configure AWS with the IAM user credentials.

Execute the below command

Then,

step6b

The IAM user got cluster access if you got the list of nodes after the last command without errors.

Best Practices for Securing AWS EKS Cluster Access

  • Principle of Least Privilege: Follow the principle of least privilege by granting only the necessary permissions to the IAM user. Avoid assigning excessive privileges that may pose security risks.
  • Regularly Review and Audit Access: Periodically review and audit the IAM user’s access to the EKS cluster. Remove unnecessary permissions or modify the cluster role and role bindings based on evolving requirements.
  • Implement MFA (Multi-Factor Authentication): Enable Multi-Factor Authentication (MFA) for IAM users to add an extra layer of security. This ensures that even if the user’s credentials are compromised, unauthorized access is mitigated.
  • Monitor and Log Activity: Enable monitoring and logging features in EKS to track user activity within the cluster. Analyze logs and set up alerts to detect suspicious behavior or unauthorized access attempts.

Conclusion

Granting an AWS IAM user access to an AWS EKS cluster is crucial in enabling collaboration and allowing developers or administrators to interact with the Kubernetes environment. By leveraging cluster roles and role bindings, you can ensure fine-grained access control, limiting the user’s permissions and enhancing the security of your AWS EKS cluster.

Adhering to best practices and reviewing user access will help maintain a secure and well-managed Kubernetes environment for AWS EKS.

Making IT Networks Enterprise-ready – Cloud Management Services

  • Accelerated cloud migration
  • End-to-end view of the cloud environment
Get Started

About CloudThat

CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft Gold Partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Drop a query if you have any questions regarding AWS EKS, I will get back to you quickly.

To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.

FAQs

1. How do RBAC roles help in terms of security?

ANS: – Role-based security, sometimes called role-based access control (RBAC), is a method that limits system access. Setting rights and permissions is necessary to grant authorized users access.

2. What is TLS, and what is its use?

ANS: – Through the use of cryptography, such as the usage of certificates, the TLS protocol primarily attempts to offer security, including privacy (confidentiality), integrity, and authenticity between two or more communicating computer programs.

3. Why is it required to Rotate infrastructure credentials?

ANS: – Rotating passwords limits access to former employees and stops hostile actors from accessing and using these credentials. This stops unintentional tampering and intentional sharing with adversaries or other bad actors.

WRITTEN BY Karthik Kumar P V

Karthik Kumar Patro Voona is a Research Associate (Kubernetes) at CloudThat Technologies. He Holds Bachelor's degree in Information and Technology and has good programming knowledge of Python. He has experience in both AWS and Azure. He has a passion for Cloud-computing and DevOps. He has good working experience in Kubernetes and DevOps Tools like Terraform, Ansible, and Jenkins. He is a very good Team player, Adaptive and interested in exploring new technologies.

Share

Comments

    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!