Grant Kubernetes RBAC permissions to an IAM principal on Amazon EKS
- Authors
- Name
- Shuwen
Step One: create the IAM policy and the EKS Connector agent role
Method 1: AWS CLI
- Create an IAM policy (EKSViewResourcesPolicy) with the permissions a principal needs to view Kubernetes resources for all clusters in your account. Save it as eks-view-resources-policy.json, create it with `aws iam create-policy --policy-name EKSViewResourcesPolicy --policy-document file://eks-view-resources-policy.json`, and attach it to the IAM user or role that will use the console. Replace 111122223333 with your AWS account ID. Note that `eks:AccessKubernetesApi` on `"Resource": "*"` authorizes Kubernetes API access to every cluster in the account (what the principal can see inside a cluster is still decided by Kubernetes RBAC in Step Two); scope the Resource to specific cluster ARNs if the principal should only reach some clusters.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:ListFargateProfiles",
"eks:DescribeNodegroup",
"eks:ListNodegroups",
"eks:ListUpdates",
"eks:AccessKubernetesApi",
"eks:ListAddons",
"eks:DescribeCluster",
"eks:DescribeAddonVersions",
"eks:ListClusters",
"eks:ListIdentityProviderConfigs",
"iam:ListRoles"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "arn:aws:ssm:*:111122223333:parameter/*"
}
]
}
- Create the Amazon EKS Connector agent IAM role and its policy. Trust policy for AmazonEKSConnectorAgentRole (save it as eks-connector-agent-trust-policy.json, the file name the create-role command below expects). It allows only the Systems Manager service principal to assume the role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Permissions policy AmazonEKSConnectorAgentPolicy (save it as eks-connector-agent-policy.json). It grants only the SSM message-channel actions the connector agent uses; the EKS cluster ARN on CreateControlChannel looks odd but follows the AWS documentation linked in the Terraform section:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SsmControlChannel",
"Effect": "Allow",
"Action": [
"ssmmessages:CreateControlChannel"
],
"Resource": "arn:aws:eks:*:*:cluster/*"
},
{
"Sid": "ssmDataplaneOperations",
"Effect": "Allow",
"Action": [
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenDataChannel",
"ssmmessages:OpenControlChannel"
],
"Resource": "*"
}
]
}
- Create the Amazon EKS Connector agent role using the trust policy and policy you created in the previous list items.
# Create the connector agent role. Only the trust policy is set here; the
# permissions policy is attached in the next step.
aws iam create-role --role-name AmazonEKSConnectorAgentRole \
  --assume-role-policy-document file://eks-connector-agent-trust-policy.json
- Attach the policy to your Amazon EKS Connector agent role.
# Attach AmazonEKSConnectorAgentPolicy as an *inline* policy of the role
# (put-role-policy), unlike the Terraform variant, which creates a managed policy.
aws iam put-role-policy --role-name AmazonEKSConnectorAgentRole \
  --policy-name AmazonEKSConnectorAgentPolicy \
  --policy-document file://eks-connector-agent-policy.json
Method 2: Terraform (equivalent to Method 1; here the agent policy is created as a customer-managed policy and attached, rather than as an inline role policy)
//https://docs.aws.amazon.com/eks/latest/userguide/view-kubernetes-resources.html#view-kubernetes-resources-permissions
//create EKSViewResourcesPolicy
# IAM managed policy letting a principal view Kubernetes resources for every
# cluster in the account (the EKSViewResourcesPolicy from the AWS docs linked
# above). Attach it to the IAM user/role that will use the console; Kubernetes
# RBAC (Step Two) still decides what that principal can see inside a cluster.
resource "aws_iam_policy" "eks_view_resources_policy" {
  name        = "EKSViewResourcesPolicy"
  description = "Policy to allow a principal to view Kubernetes resources for all clusters in the account"

  # "Resource": "*" on eks:AccessKubernetesApi reaches every cluster in the
  # account; narrow it to specific cluster ARNs if this principal should only
  # see some clusters. The ssm:GetParameter grant is pinned to this account but
  # still matches every parameter in it.
  policy = <<-EOT
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eks:ListFargateProfiles",
            "eks:DescribeNodegroup",
            "eks:ListNodegroups",
            "eks:ListUpdates",
            "eks:AccessKubernetesApi",
            "eks:ListAddons",
            "eks:DescribeCluster",
            "eks:DescribeAddonVersions",
            "eks:ListClusters",
            "eks:ListIdentityProviderConfigs",
            "iam:ListRoles"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "ssm:GetParameter",
          "Resource": "arn:aws:ssm:*:${var.aws_account_id}:parameter/*"
        }
      ]
    }
  EOT
}
//https://docs.aws.amazon.com/eks/latest/userguide/connector_IAM_role.html
// create AmazonEKSConnectorAgentRole and AmazonEKSConnectorAgentPolicy
# IAM role assumed by the Amazon EKS Connector agent. The trust policy admits
# only the Systems Manager service principal, so no IAM user or other service
# can assume it directly.
# NOTE(review): consider adding a Condition on aws:SourceAccount (and
# aws:SourceArn, if SSM populates it for this flow) to the trust policy to rule
# out a confused-deputy assumption from another account — confirm against the
# SSM / EKS Connector documentation before enabling it.
resource "aws_iam_role" "eks_connector_agent_role" {
  name = "AmazonEKSConnectorAgentRole"

  assume_role_policy = <<-EOT
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": "ssm.amazonaws.com" },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  EOT
}
# Customer-managed policy for the EKS Connector agent role: only the SSM
# message-channel actions the agent needs. The CreateControlChannel statement
# is scoped to EKS cluster ARNs exactly as the AWS documentation writes it; the
# data-channel statement uses "*" as in that documentation.
resource "aws_iam_policy" "eks_connector_agent_policy" {
  name = "AmazonEKSConnectorAgentPolicy"

  policy = <<-EOT
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SsmControlChannel",
          "Effect": "Allow",
          "Action": ["ssmmessages:CreateControlChannel"],
          "Resource": "arn:aws:eks:*:*:cluster/*"
        },
        {
          "Sid": "ssmDataplaneOperations",
          "Effect": "Allow",
          "Action": [
            "ssmmessages:CreateDataChannel",
            "ssmmessages:OpenDataChannel",
            "ssmmessages:OpenControlChannel"
          ],
          "Resource": "*"
        }
      ]
    }
  EOT
}
# NOTE(review): AmazonEKSClusterPolicy is the AWS-managed policy documented for
# the EKS *cluster service role* (trusted by eks.amazonaws.com), not for the
# connector agent role. The connector agent documentation linked above requires
# only AmazonEKSConnectorAgentPolicy, and this role can only be assumed by
# ssm.amazonaws.com, so the broad EC2/ELB permissions in AmazonEKSClusterPolicy
# are unused privilege here. Remove this attachment unless a concrete need is
# confirmed.
resource "aws_iam_role_policy_attachment" "eks_cluster_policy_attachment" {
  role       = aws_iam_role.eks_connector_agent_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
}
# Attach the connector agent permissions policy to the agent role. This is the
# only policy the AWS connector agent role documentation calls for.
resource "aws_iam_role_policy_attachment" "eks_connector_agent_custom_policy_attachment" {
  role       = aws_iam_role.eks_connector_agent_role.name
  policy_arn = aws_iam_policy.eks_connector_agent_policy.arn
}
Step Two: create the Kubernetes role and binding the principal will be mapped to
- Update your kubeconfig for the target cluster. The identity running these commands must already have access to the cluster API (for example the IAM identity that created the cluster), because the aws-auth edit in Step Three requires existing cluster-admin access:
# Point kubectl at the target cluster (region and name are those of the example cluster).
aws eks update-kubeconfig --name education-eks-tf-2 --region us-east-1
- Create a Kubernetes RoleBinding or ClusterRoleBinding bound to a Role or ClusterRole that grants only the permissions needed to view the Kubernetes resources. Both manifests below are applied straight from an AWS S3 bucket; if your change-control process requires it, download and review a manifest before applying it. The group named in the manifest's binding is what you map IAM principals onto in Step Three. -- To view Kubernetes resources in all namespaces:
# Cluster-wide: applies AWS's full-access console ClusterRole and its group
# binding directly from S3 without a local review step.
kubectl apply --filename https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console-full-access.yaml
-- To view Kubernetes resources in a single namespace (check, and if needed change, the namespace set in the manifest before applying it):
# Namespace-scoped: applies AWS's restricted-access console Role and its group
# binding directly from S3 without a local review step.
kubectl apply --filename https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console-restricted-access.yaml
Or customize the manifest: download it, review and edit it (for example to narrow the resource list or rename the group), save the edited copy as rbac.yaml, and apply that file:
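# Download the AWS manifest. -f makes curl fail on an HTTP error instead of
# saving the error page as YAML; -L follows redirects. The original sequence
# downloaded eks-console-full-access.yaml but then applied rbac.yaml with no
# step in between, so the edited file was never produced.
curl -fLO https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console-full-access.yaml
# Review and edit eks-console-full-access.yaml, then save the result as rbac.yaml
# before applying it.
kubectl apply -f rbac.yaml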
rbac.yaml:
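---
# Cluster-wide read-only role for console viewers.
# This is an explicit allowlist rather than resources: ["*"], because:
#   * "*" includes Secrets, so a "reader" could dump every Secret in the
#     cluster (service-account tokens, TLS keys, application credentials).
#   * "*" also includes subresources such as pods/exec, pods/attach and
#     pods/portforward; the "get" verb on those can be exercised over
#     WebSocket, turning a read-only role into interactive access to pods.
# Add resources here only as a concrete need appears.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: reader
rules:
  - apiGroups: [""]
    resources:
      - namespaces
      - nodes
      - pods
      - services
      - endpoints
      - events
      # ConfigMaps are readable through this role; keep sensitive values in
      # Secrets, not ConfigMaps.
      - configmaps
      - persistentvolumes
      - persistentvolumeclaims
      - serviceaccounts
      - replicationcontrollers
      - resourcequotas
      - limitranges
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "statefulsets", "replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "networkpolicies"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
    verbs: ["get", "list", "watch"]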
---
# Binds every member of the Kubernetes group "reader" to the reader ClusterRole.
# Nothing in the cluster defines this group; membership comes solely from the
# aws-auth mapping in Step Three, so every IAM principal mapped onto "reader"
# receives the full scope of that ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: reader
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: reader
Step Three: map the IAM principal in the aws-auth ConfigMap
- Map the IAM principal to a Kubernetes user or group in the aws-auth ConfigMap. Back the ConfigMap up first — a malformed edit can lock every mapped principal out of the cluster — and map only the principals that actually need access, since everything mapped onto the `reader` group receives the cluster-wide read access defined in Step Two. Newer clusters can manage this through EKS access entries instead of editing this ConfigMap.
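# Save a copy of aws-auth before editing it in place: a malformed edit can lock
# every mapped principal out of the cluster, and the backup is the way back in.
kubectl get -n kube-system configmap/aws-auth -o yaml > aws-auth.backup.yaml
kubectl edit -n kube-system configmap/aws-auth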
or, if you have a shell alias such as `kecm` for `kubectl edit configmap` (it is not a standard command):
kecm -n kube-system aws-auth
Add the following under the ConfigMap's `data:` key (the `mapUsers` and `mapRoles` values are YAML block strings, so indentation inside them matters). Replace the account ID and principal ARNs with your own; the ones shown are examples. The `AmazonEKSConnectorAgentRole` mapping only makes sense if that role actually needs to call this cluster's Kubernetes API — its trust policy lets only ssm.amazonaws.com assume it — so drop that entry otherwise.
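# Goes under the ConfigMap's data: key. Replace 111122223333 (the placeholder
# used throughout this page) and the principal names with your own — do not
# publish real account IDs. Every principal listed here joins the Kubernetes
# group "reader" and gets whatever the reader ClusterRoleBinding grants.
# "username" is the Kubernetes identity recorded in audit logs; it is arbitrary
# but must not use the reserved "system:" prefix.
mapUsers: |
  - userarn: arn:aws:iam::111122223333:user/admin
    username: admin
    groups:
      - reader
# NOTE(review): this maps the SSM-assumed EKS Connector agent role into this
# cluster. Confirm that role really needs Kubernetes API access here before
# keeping the entry.
mapRoles: |
  - rolearn: arn:aws:iam::111122223333:role/AmazonEKSConnectorAgentRole
    username: AmazonEKSConnectorAgentRole
    groups:
      - reader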