I've created an EKS cluster with an IAM role and I'm trying to access the cluster from my CI build agent which is present in a different account.
My CI build EC2 instance is not able to identify the EKS cluster when I attach an instance profile and a trust relationship with the role used to create the EKS cluster.
But when I go with User authentication, I'm getting the expected output.
I want it to be accessible with the IAM role instead of the IAM User.
Any thoughts or help would be appreciated.
Note: The EKS cluster is created using Terraform with an Assume role authentication.
I have an old EKS cluster. I don't know how it got built or what its configuration is, but there is one employee in the company who can access this cluster, and he doesn't know how to give my IAM user access to it.
I tried to create cluster role binding and bind my IAM user to cluster-admin cluster role which is a built-in role.
I also tried to map my user in the aws-auth ConfigMap, but none of these attempts changed anything.
Can you help with your suggestions?
This is a follow up question to my post AWS IAM user that belongs to an IAM group cannot assume IAM role that the IAM group was allowed to assume?, which has an answer.
So now my cijenkins user can issue kubectl commands on the EKS cluster. However, if I log into the AWS console and access the EKS cluster there, I see. Why?
I have an EKS cluster created with the eksctl CLI tool.
Now the user or role that was used to create the EKS cluster has been deleted from AWS IAM, and I haven't given any other user permission to access Kubernetes resources inside the cluster.
I have admin access to my AWS account. Is there a way to get the access to kubernetes cluster resources running inside EKS?
I tried the solution provided in the article below, and it didn't work out, as the IAM user and role were deleted from AWS: https://aws.amazon.com/premiumsupport/knowledge-center/amazon-eks-cluster-access/
Help would be appreciated. Thanks
I believe there is a simple solution:
Simply create the IAM User or IAM Role with the same name as previously used for the cluster. Then generate and export User credentials or assume the IAM Role.
Then simply run
aws eks update-kubeconfig --name ${cluster_name}
and then you should be able to perform actions against the API using kubectl.
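The cross-account role that is not recognised, the aws-auth mapping that had no effect, the console view that differs from kubectl, and the answer above about recreating a deleted creator principal all come down to how EKS turns an AWS caller into a Kubernetes identity. The following is an added example, not code from any of the posts above or from AWS. It mirrors, in simplified form, the matching that aws-iam-authenticator performs: the assumed-role ARN returned by STS is canonicalized to the IAM role ARN (which carries neither the session name nor the role's path), aws-auth entries are compared against that canonical ARN, and the cluster creator is matched the same way but is never listed in aws-auth. It also lints the most common mapRoles mistake. All ARNs, account IDs, role names and the aws-auth contents are constructed for the example; the {{SessionName}} handling follows the authenticator's documented template variables as I understand them and is marked as an assumption in the code.

```python
"""Added example: resolve which Kubernetes identity an AWS caller gets on an EKS
cluster, mirroring (in simplified form) what aws-iam-authenticator does with the
aws-auth ConfigMap. Not code from the posts above; all ARNs are constructed."""
from __future__ import annotations

import re
from typing import Optional

# Constructed sample of the aws-auth ConfigMap (data.mapRoles / data.mapUsers),
# shown here already parsed from YAML into Python structures.
AWS_AUTH = {
    "mapRoles": [
        {   # CI role in the build account; cross-account mapping works by ARN alone
            "rolearn": "arn:aws:iam::222222222222:role/ci-build-role",
            "username": "ci:{{SessionName}}",
            "groups": ["ci-deployers"],   # bind this group with RBAC, not system:masters
        },
        {   # Written with its IAM path: the authenticator never sees a path, so this
            # entry can never match (lint_aws_auth reports it).
            "rolearn": "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/"
                       "AWSReservedSSO_AdministratorAccess_0123456789abcdef",
            "username": "sso-admin",
            "groups": ["system:masters"],
        },
    ],
    "mapUsers": [
        {"userarn": "arn:aws:iam::111111111111:user/cijenkins",
         "username": "cijenkins", "groups": ["system:masters"]},
    ],
}

# Hypothetical principal that created the cluster (e.g. the role Terraform assumed).
# EKS grants it system:masters implicitly; it is not listed in aws-auth.
CLUSTER_CREATOR_ARN = "arn:aws:iam::111111111111:role/eks-creator"

_ASSUMED_ROLE = re.compile(r"^arn:(aws[\w-]*):sts::(\d{12}):assumed-role/([^/]+)/(.+)$")
_IAM_ROLE = re.compile(r"^arn:(aws[\w-]*):iam::(\d{12}):role/(?:[^/]+/)*([^/]+)$")


def canonicalize(caller_arn: str) -> tuple[str, str]:
    """Turn the ARN that STS GetCallerIdentity reports into the ARN used for matching.

    An assumed role shows up as arn:PART:sts::ACCT:assumed-role/NAME/SESSION; the
    authenticator canonicalizes that to arn:PART:iam::ACCT:role/NAME. The role's IAM
    path is absent from the STS ARN and therefore from the canonical one.
    Returns (canonical_arn, session_name); IAM users are returned unchanged.
    """
    m = _ASSUMED_ROLE.match(caller_arn)
    if m:
        partition, account, role, session = m.groups()
        return f"arn:{partition}:iam::{account}:role/{role}", session
    return caller_arn, ""


def _render_username(template: str, account: str, session: str) -> str:
    # Template variables accepted in mapRoles usernames. Assumption (per the
    # authenticator's docs): {{SessionName}} has "@" replaced by "-",
    # {{SessionNameRaw}} is verbatim.
    return (template.replace("{{AccountID}}", account)
                    .replace("{{SessionName}}", session.replace("@", "-"))
                    .replace("{{SessionNameRaw}}", session))


def resolve(caller_arn: str, aws_auth: dict = AWS_AUTH,
            creator_arn: str = CLUSTER_CREATOR_ARN) -> Optional[tuple[str, list[str]]]:
    """Return (username, groups) for the caller, or None (the API server answers Unauthorized)."""
    canonical, session = canonicalize(caller_arn)
    account = canonical.split(":")[4]
    # The creator is matched by ARN only, which is why recreating a deleted user or
    # role with the same name (hence the same ARN) restores access. EKS audit logs
    # show the creator as kubernetes-admin.
    if canonical.lower() == creator_arn.lower():
        return "kubernetes-admin", ["system:masters"]
    if canonical != caller_arn:                      # caller is an assumed role
        for entry in aws_auth.get("mapRoles", []):
            if entry["rolearn"].lower() == canonical.lower():
                return _render_username(entry["username"], account, session), list(entry.get("groups", []))
    else:                                            # caller is an IAM user
        for entry in aws_auth.get("mapUsers", []):
            if entry["userarn"].lower() == canonical.lower():
                return entry["username"], list(entry.get("groups", []))
    return None


def lint_aws_auth(aws_auth: dict = AWS_AUTH) -> list[str]:
    """Flag mapRoles entries that can never match or that map to nothing useful."""
    problems = []
    for entry in aws_auth.get("mapRoles", []):
        arn = entry["rolearn"]
        m = _IAM_ROLE.match(arn)
        if not m:
            problems.append(f"{arn}: not an IAM role ARN")
            continue
        if arn.count("/") > 1:
            fixed = f"arn:{m.group(1)}:iam::{m.group(2)}:role/{m.group(3)}"
            problems.append(f"{arn}: contains a path, write it as {fixed}")
        if not entry.get("groups"):
            problems.append(f"{arn}: no groups, the caller authenticates but has no RBAC permissions")
    return problems


if __name__ == "__main__":
    for arn in (
        "arn:aws:sts::111111111111:assumed-role/eks-creator/terraform",      # creator role
        "arn:aws:sts::222222222222:assumed-role/ci-build-role/build-42",     # mapped CI role
        "arn:aws:sts::222222222222:assumed-role/ci-instance-role/i-0abc",    # unmapped instance role
        "arn:aws:iam::111111111111:user/cijenkins",                          # mapped user
    ):
        print(f"{arn}\n  -> {resolve(arn)}")
    for p in lint_aws_auth():
        print("lint:", p)
```

Running it shows why the threads above behave as they do: the CI instance's own role (ci-instance-role in account 222222222222) resolves to nothing and gets Unauthorized unless it is listed in mapRoles, whereas assuming the creator role from the other account resolves to system:masters; a console session signed in as an unmapped principal is in the same position as that unmapped role, so the console shows nothing even though the cijenkins user works from kubectl. The creator is matched purely by ARN, which is the behaviour the answer above relies on when it recreates a same-named user or role. An SSO role written with its path in mapRoles never matches, and the lint prints the path-free ARN to use instead. Mapping a CI role straight to system:masters hands out cluster-admin; map it to a dedicated group and bind that group with RBAC.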
I've been reading up on configuring the CloudWatch Logs service; however, the docs say that you must attach a permission to the IAM role of your instance. If I already have an instance running that doesn't have an IAM role attached, what options do I have as far as configuring this service?
You can clone your current instance into a new EC2 instance that has an IAM instance profile (role) assigned.
Stop your EC2 instance.
Create an AMI image of your EC2 instance.
Launch a new EC2 instance from your AMI image, this time assigning an IAM role.
If the instance was launched without an IAM role, then:
Create a policy (not an inline policy) as specified in the document
Add a test IAM user and attach the policy to the test_user
From the IAM dashboard, download or copy the test_user security credentials (key and secret)
On your instance, use aws configure and configure the credentials by using the key and secret
It may look complicated but it is not.
We use CloudFormation to deploy our platform. Is there a way to allow the application instance access to the DynamoDB tables without exposing API credentials?
I read about creating an IAM role that has the right permissions and using an instance profile. How do I achieve this? Can someone please provide more details and explain what an instance profile is?
As per the AWS IAM documentation, an instance profile is:
An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
So, this is a feature provided by AWS so that IAM credentials don't have to be stored in EC2 instances to execute AWS APIs. Also, this feature aids in granting only the permissions specified in the desired IAM role to the EC2 instance. Also, you can use the same instance profile on multiple instances. This way, you don't have to update credentials on each EC2 instance whenever you change the credentials. So, while launching the EC2 instance, you can specify the instance profile. The instance profile is attached to an IAM role. The EC2 instance will get the IAM role and all the IAM credentials. You just need to set the AWS region before using the APIs.
How to do it:
1) Create an IAM role using: create-role
2) Create an instance profile using: create-instance-profile. The output of this step will contain the ARN of the instance profile. This needs to be used in step 4.
3) Add the role to the instance profile using: add-role-to-instance-profile
4) Launch instance using run-instances. Specify the --iam-instance-profile option as below:
--iam-instance-profile Arn=instanceArn
The instanceArn is obtained from step 2.
The same can be achieved using the AWS Console. The screenshot below shows how you can specify the role when launching an EC2 instance:
For more details, please see Using Instance Profiles and the section 'Permissions Required for Using Roles with Amazon EC2' on page 190 of the AWS IAM User Guide.
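The question above asked how to do this from CloudFormation rather than the CLI. As an added example (not code from the answer or from AWS), the following Python builds the CloudFormation equivalent of CLI steps 1 to 4: a role with an EC2 trust policy, an instance profile holding that role, and an instance referencing the profile. The inline policy is scoped to named DynamoDB tables and their indexes rather than Resource "*", and a check walks the finished template and flags any Allow statement with a wildcard action or resource before the stack is deployed. The table ARN, AMI ID and the logical names AppRole, AppInstanceProfile and AppInstance are constructed placeholders.

```python
"""Added example: the CloudFormation equivalent of CLI steps 1-4 above (role with an
EC2 trust policy, instance profile, instance that references it), with a DynamoDB
policy scoped to named tables and a pre-deploy check for wildcard grants.
Not code from the answer or from AWS; ARNs, AMI and logical names are placeholders."""
from __future__ import annotations

import json

# Step 1 (create-role): the trust policy that lets the EC2 service assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

READ_WRITE_ITEM_ACTIONS = (
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
    "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
)


def dynamodb_policy(table_arns: list[str], actions=READ_WRITE_ITEM_ACTIONS) -> dict:
    """Least-privilege policy: item actions on the named tables and their indexes only."""
    resources = []
    for arn in table_arns:
        resources.append(arn)
        resources.append(f"{arn}/index/*")   # Query against a GSI/LSI targets the index ARN
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AppTables",
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": resources,
        }],
    }


def instance_profile_template(table_arns: list[str], ami_id: str,
                              instance_type: str = "t3.micro") -> dict:
    """Build the template. Logical names AppRole/AppInstanceProfile/AppInstance are arbitrary."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            # Step 1: the role, with the DynamoDB permissions as an inline policy.
            "AppRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "AssumeRolePolicyDocument": EC2_TRUST_POLICY,
                    "Policies": [{"PolicyName": "dynamodb-access",
                                  "PolicyDocument": dynamodb_policy(table_arns)}],
                },
            },
            # Steps 2 and 3: the instance profile holding the role.
            "AppInstanceProfile": {
                "Type": "AWS::IAM::InstanceProfile",
                "Properties": {"Roles": [{"Ref": "AppRole"}]},
            },
            # Step 4: the instance. Ref of an InstanceProfile yields its name, which is
            # what the IamInstanceProfile property expects.
            "AppInstance": {
                "Type": "AWS::EC2::Instance",
                "Properties": {
                    "ImageId": ami_id,
                    "InstanceType": instance_type,
                    "IamInstanceProfile": {"Ref": "AppInstanceProfile"},
                },
            },
        },
    }


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def find_overbroad_statements(template: dict) -> list[str]:
    """Return 'Role/Policy/Sid' for every Allow statement using a wildcard action or resource."""
    findings = []
    for logical_id, res in template["Resources"].items():
        if res["Type"] != "AWS::IAM::Role":
            continue
        for policy in res["Properties"].get("Policies", []):
            for stmt in policy["PolicyDocument"]["Statement"]:
                if stmt.get("Effect") != "Allow":
                    continue
                actions = _as_list(stmt.get("Action"))
                resources = _as_list(stmt.get("Resource"))
                if "*" in resources or any(a == "*" or a.endswith(":*") for a in actions):
                    findings.append(f"{logical_id}/{policy['PolicyName']}/{stmt.get('Sid', '?')}")
    return findings


if __name__ == "__main__":
    tpl = instance_profile_template(
        ["arn:aws:dynamodb:us-east-1:111111111111:table/Orders"],  # placeholder table
        "ami-0123456789abcdef0",                                    # placeholder AMI
    )
    assert not find_overbroad_statements(tpl)
    print(json.dumps(tpl, indent=2))
```

Write the output to template.json and deploy it with `aws cloudformation deploy --template-file template.json --stack-name app --capabilities CAPABILITY_IAM`. The role's temporary credentials are handed to the instance through the instance metadata service, so once the instance is up, also require IMDSv2 with `aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required`, so that an SSRF bug in the application cannot fetch them with a plain GET.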