The aws-auth configmap in AWS EKS performs a mapping between IAM users/roles to kubernetes RBAC roles. However, the documentation does not specify anything on adding IAM groups to the configmap.
We use multiple namespaces, each namespace managed by a different team. I created a set of kubernetes RBAC roles, limited to the different namespaces. Now I want to give everbody in the teams IAM group that specific role.
Is it possible to add IAM groups in the aws-auth configmap? If not, what would the proposed solution be? Create a IAM role per team and allow only members of the IAM group the permission to assume that role?
You can take a look here.
TLDR
1. Create a role that allows full API access
2. Create a RoleBinding for that role to your target namespace with a named apiGroup as the subjects.
3. Add an entry for your IAM user in the aws-auth ConfigMap to add the mapUser to the named aforementioned apiGroup.
Hope this helps!
Related
I have an old eks cluster I don't know how it got build and what are the configurations of it, but there one employee in the company that can access this cluster and he doesn't know how to give my IAM user access to this cluster.
I tried to create cluster role binding and bind my IAM user to cluster-admin cluster role which is a built-in role.
And I tried to map my user also in aws-auth config map, but all of these tries didn't get any changes.
Can you help with your suggestions?
I have an EKS cluster where my aws-auth configmap has the aws roles to access the cluster. However, the aws roles mapped to it are all deleted. Now I cannot connect to the cluster.
I tried creating the same roles with the same name but because it was AWS SSO created role, I cannot re-use the name. AWS doesn't allow it.
Can someone please help me out of this please?
You can find previous SSO role name from cloudtrail event logs. Once you find the exact name create the iam role with same name.
I'm trying to authenticate users managed in AWS IAM Identity Center to AWS EKS (being in different AWS account then IAM Identity Center). Correct me if I'm wrong but IAM Idenity Center maps permissions (set as permission sets in account A) to roles in account B. So basically users assume role in the target account. I though that because of that I could just add role into aws-auth config map but that doesn't work, ie. as a user with assumed role I cannot see resources in AWS EKS console. The part I've added:
- groups:
- system:masters
rolearn: arn:aws:iam::xxxxxx:role/aws-reserved/sso.amazonaws.com/xxxxxx/AWSReservedSSO_AdministratorAccess_yyyyy // this is role which seems to be assumed by user configured in Identity Center
username: AWSReservedSSO_AdministratorAccess_yyyyy
What am I missing?
Just if anyone is looking for the solution I'm anwering my question:
rolearn should have a format of: arn:aws:iam::xxxx:role/AWSReservedSSO_AdministratorAccess_yyyyy
How do I set up explicit deny permissions for a specific resource in GCP? For example, I have 2 GKE clusters in my project, say "dev-gke" and "qa-gke". How do I ensure that folks in the team are denied permission to update/delete the "qa-gke" cluster while they can continue to do so on the "ts-dev" cluster.
I contemplated setting up a deny policy as explained here using denialCondition and resource.matchTag referencing a tag for "ts-qa" cluster.
"denialCondition": {
"title": "QA Setup",
"expression": "resource.matchTag('12345678/env', 'ts-qa')"
But as explained here tags are defined at an organization level and not at a resource level. And, I couldn't find out an equivalent of resource.matchTag for labels.
With not having any suitable way to address this from IAM permissions itself, I ended up creating ClusterRole and ClusterRoleBinding for the clusters individually with respective users who should be allowed to have access.
Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
see this doc https://cloud.google.com/iam/docs/deny-access.
And probably you may use IAM tag to attach tag to your clusters, also see this https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing#gcloud_8.
I found that documentation that we can add AWS IAM role to kubernetes serviceaccount and attach to Pods. And what I'm supposed to do is I want to attach that service account to DaemonSet instead of Pods level permission. But I configured same as that documentation and attached to DaemonSet but I've encountered following error message after that:
Aws::STS::Errors::AccessDenied error="Not authorized to perform sts:AssumeRoleWithWebIdentity
Is that meant those type of serviceaccount with IAM role cannot be attached to DaemonSet?
Is that meant those type of serviceaccount with IAM role cannot be attached to DaemonSet?
No,there shouldn't be any issues with that. I checked here and there is an example with service account in a deployment.
As #PPShein mentioned in comments the issue occurs because he forgot to add the openid_url.
Please refer to this and this documentation.