0

I'm trying to configure AWS sso access my EKS clusters that are in a child account that I'm an admin to. I'm referencing this document and this stack posting. But keep getting RBAC errors when I log in with SSO to the child account. How do I properly configure this? I still have IAM access enabled at the moment.

Error in console:

Your current user or role does not have access to Kubernetes objects on this EKS cluster
This may be due to the current user or role not having Kubernetes RBAC permissions to describe cluster resources or not having an entry in the cluster’s auth config map.

Roles:

 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: default:sso-admin
   namespace: default
 rules:
 - apiGroups: ["*"]
   resources: ["*"]
   verbs: ["*"]

ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapUsers: |
    -  rolearn: arn:aws:iam::xxxxx:role/AWSReservedSSOxxxxx
       username: me:{{SessionName}}
       groups:
          - default:sso-admin
Wytrzymały Wiktor
  • 11,492
  • 5
  • 29
  • 37
risail
  • 509
  • 5
  • 14
  • 37
  • not an expert, guessing you are doing some operations which is "cluster wide" , however the user or SA have permissions limited to some namespace...you can check on that line – P.... Jul 27 '21 at 03:51
  • The arn and "me" are admins so I was expecting to see the nodes in console and not get the rbac error. – risail Jul 27 '21 at 03:54
  • Hello @risail. Have you tried to follow the [official doc](https://aws.amazon.com/premiumsupport/knowledge-center/eks-kubernetes-object-access-error/) which explains how to fix this issue? – Wytrzymały Wiktor Jul 27 '21 at 09:21
  • 1
    @WytrzymałyWiktor I had not seen that TY. I was not using a cluster role, if you move that to an answer I'll mark it. – risail Jul 27 '21 at 13:06
  • Hello @risail. Glad it helped. I have post an answer for better visibility as you suggested. Cheers! – Wytrzymały Wiktor Jul 27 '21 at 13:26

1 Answers1

1

A solution for this issue is well described in the official docs:

How do I resolve the "Your current user or role does not have access to Kubernetes objects on this EKS cluster" error in Amazon EKS?

Short description

You receive this error when you use the AWS Management Console with an AWS Identity and Access Management (IAM) role or user that's not in your Amazon EKS cluster's aws-auth ConfigMap.

When you create an Amazon EKS cluster, the IAM user or role (such as a federated user that creates the cluster) is automatically granted system:masters permissions in the cluster's RBAC configuration. If you access the Amazon EKS console and your IAM user or role isn't part of the aws-auth ConfigMap, then you can't see your Kubernetes workloads or overview details for the cluster.

To grant additional AWS users or roles the ability to interact with your cluster, you must edit the aws-auth ConfigMap within Kubernetes.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

You can follow the steps described there in order to solve your problem.

Wytrzymały Wiktor
  • 11,492
  • 5
  • 29
  • 37