Resolving AWS SSO User Authorization Issue in AWS EKS

4 min read, Mar 17, 2025

Introduction

If you have recently created an EKS (Elastic Kubernetes Service) cluster with Terraform while authenticated as an AWS SSO (IAM Identity Center) user, and then try to open the cluster with that same SSO user, the EKS console may show the following error:

Your current IAM principal does not have access to Kubernetes objects on this cluster.

This error means the cluster’s access configuration has no access entry for the IAM role that your AWS SSO session assumes. In this article I walk through fixing it by adding that access entry with Terraform.

Creating the cluster is not enough on its own. Authorization to the Kubernetes API is decided by the cluster’s access entries (or, on older clusters, the aws-auth ConfigMap), not by IAM policies. So even though your SSO user carries the AdministratorAccess permission set, which allows every AWS API call, it has no Kubernetes permissions until an access entry maps its role to an EKS access policy or to Kubernetes RBAC groups.

Solution

The solution is to add an awscc_eks_access_entry resource to your Terraform code that grants your SSO user’s role access to the EKS cluster. Access entries are only consulted when the cluster’s authentication mode is API or API_AND_CONFIG_MAP; a cluster still on CONFIG_MAP honours only the aws-auth ConfigMap, so check that setting under the cluster’s Access tab first.

Step 1: Identify Your Federated User’s IAM Role

To find out which IAM role your AWS SSO user assumes, follow these steps:

  1. Log in to the AWS Management Console.
  2. Click on your username in the top-right corner of the console.
  3. Next to Federated user you will see a string that starts with AWSReservedSSO_, something like this:
    AWSReservedSSO_AdministratorAccess_abc123456/<username>
  4. The part before the slash (/) is the name of the IAM role: AWSReservedSSO_AdministratorAccess_abc123456. AWS SSO creates this role automatically in each account; it carries the permissions of the permission set assigned to your SSO user or group, in this case AdministratorAccess. The random suffix differs from account to account, so do not copy it from another environment.
  5. Go to the IAM console, find this role, and copy its full ARN, including the aws-reserved/sso.amazonaws.com/… path. The access entry needs this role ARN (arn:aws:iam::…:role/…), not the assumed-role session ARN (arn:aws:sts::…:assumed-role/…) that aws sts get-caller-identity prints for your session.

Step 2: Check Your EKS Cluster’s IAM Access Entries

  1. Navigate to EKS.
  2. Click on the cluster that you created using Terraform.
  3. Open the Access section and scroll down to IAM Access Entries. You will see one or more access entries that were created during EKS deployment, but most likely none whose IAM principal ARN matches the AWS SSO role you identified in the previous step. This missing entry is the cause of the access problem, and the following steps add it. 🙂

Step 3: Modify Your Terraform Code

Add the following blocks to your Terraform code:

resource "awscc_eks_access_entry" "sso" {
  cluster_name  = local.cluster_name
  principal_arn = var.role_arn      # IAM role ARN of the SSO permission set, not the session ARN
  type          = "STANDARD"        # STANDARD for human/IAM principals; other types are for nodes

  # Associate a managed EKS access policy with the principal.
  access_policies = [
    {
      access_scope = {
        type = "cluster"            # cluster-wide; use "namespace" plus a namespaces list to scope it down
      },
      policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
    }
  ]

  tags = [{
    key   = "Modified By"
    value = "Terraform"
  }]
}

In this block:

  • principal_arn should be the ARN of the IAM role associated with your AWS SSO user. You can add the block below to your variables.tf file:
variable "role_arn" {
  description = "IAM role ARN that the AWS SSO permission set assumes in this account"
  type        = string
  default     = "arn:aws:iam::<your-account-id>:role/aws-reserved/sso.amazonaws.com/<your-region>/AWSReservedSSO_<full-role-name>"
}

<your-account-id>, <your-region> and <full-role-name> should be replaced with the corresponding values from your account. The safest way to get the value right is to paste the ARN exactly as IAM shows it in Step 1, path included; the region segment is the region of your IAM Identity Center instance, not necessarily the cluster’s region.

  • policy_arn is set to AmazonEKSClusterAdminPolicy, which is the Kubernetes cluster-admin equivalent and grants full administrative access to the cluster. That is appropriate for an AdministratorAccess permission set, but for other groups prefer a narrower managed policy (AmazonEKSAdminPolicy, AmazonEKSEditPolicy or AmazonEKSViewPolicy) and a namespace-scoped access_scope, so that Kubernetes privileges stay in step with the permission set’s AWS privileges.

Step 4: Update Your Provider Configuration

Ensure your versions.tf file declares the awscc provider. The awscc provider is configured independently of the aws provider, so it also needs a region, either from a provider "awscc" block or from the usual AWS environment variables and profile:

terraform {
  required_providers {
    awscc = {
      source  = "hashicorp/awscc"
      version = "1.32.0"
    }
  }
}

Step 5: Apply the Changes

Run the following commands to apply the configuration:

terraform init -upgrade
terraform apply -auto-approve

This creates an access entry for your federated user’s role, allowing you to interact with the EKS cluster via kubectl. Note that -auto-approve skips the interactive plan review; because this change hands out cluster-admin, it is worth dropping the flag (or running terraform plan first) and reading the plan before confirming.
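The same access-entry setup carried one step further, as an added example that is not the article’s own code. Beyond the single hard-coded entry above it (1) looks the SSO roles up by name pattern with the hashicorp/aws provider’s aws_iam_roles data source, so the random AWSReservedSSO_ suffix is never hard-coded, (2) refuses to apply if the cluster is still on CONFIG_MAP authentication, and (3) adds a second, namespace-scoped entry for a developer permission set. Assumptions: the hashicorp/aws provider (5.33 or newer, for access_config on the aws_eks_cluster data source) is configured alongside awscc; local.cluster_name is defined elsewhere as in the article; the permission sets are named AdministratorAccess and DeveloperAccess (the latter is hypothetical); and developers work in a namespace called dev.

```hcl
# Added example, not the article's own code. Assumes: hashicorp/aws >= 5.33 and
# hashicorp/awscc are both configured; local.cluster_name is defined elsewhere;
# permission sets "AdministratorAccess" and "DeveloperAccess" (hypothetical
# name) exist; developers use the "dev" namespace.

data "aws_eks_cluster" "this" {
  name = local.cluster_name
}

locals {
  # Access entries are only consulted in API or API_AND_CONFIG_MAP mode;
  # on CONFIG_MAP they are silently ignored and the console error stays.
  access_entries_enabled = contains(
    ["API", "API_AND_CONFIG_MAP"],
    data.aws_eks_cluster.this.access_config[0].authentication_mode,
  )
}

# Identity Center names its roles AWSReservedSSO_<permission set>_<random suffix>.
# The suffix differs per account and changes if the permission set is recreated,
# so resolve the role at plan time instead of hard-coding its ARN.
data "aws_iam_roles" "sso" {
  for_each    = toset(["AdministratorAccess", "DeveloperAccess"])
  name_regex  = "^AWSReservedSSO_${each.key}_[0-9a-zA-Z]+$"
  path_prefix = "/aws-reserved/sso.amazonaws.com/" # prefix covers the per-region path segment
}

# Cluster-wide admin for the AdministratorAccess permission set.
resource "awscc_eks_access_entry" "sso_admin" {
  cluster_name = local.cluster_name
  # one() fails the plan if the regex matches zero or several roles,
  # which is safer than picking one at random.
  principal_arn = one(data.aws_iam_roles.sso["AdministratorAccess"].arns)
  type          = "STANDARD"

  access_policies = [{
    policy_arn   = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
    access_scope = { type = "cluster" }
  }]

  tags = [{ key = "ManagedBy", value = "Terraform" }]

  lifecycle {
    precondition {
      condition     = local.access_entries_enabled
      error_message = "Cluster authentication mode is CONFIG_MAP; switch it to API or API_AND_CONFIG_MAP before adding access entries."
    }
  }
}

# Least privilege for developers: edit rights inside one namespace only, no
# cluster-scoped objects (nodes, RBAC, other namespaces' secrets).
resource "awscc_eks_access_entry" "sso_developer" {
  cluster_name  = local.cluster_name
  principal_arn = one(data.aws_iam_roles.sso["DeveloperAccess"].arns)
  type          = "STANDARD"

  access_policies = [{
    policy_arn   = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSEditPolicy"
    access_scope = { type = "namespace", namespaces = ["dev"] }
  }]

  tags = [{ key = "ManagedBy", value = "Terraform" }]

  lifecycle {
    precondition {
      condition     = local.access_entries_enabled
      error_message = "Cluster authentication mode is CONFIG_MAP; switch it to API or API_AND_CONFIG_MAP before adding access entries."
    }
  }
}

# Handy for cross-checking against the console's IAM Access Entries list.
output "sso_access_entry_principals" {
  value = {
    admin     = awscc_eks_access_entry.sso_admin.principal_arn
    developer = awscc_eks_access_entry.sso_developer.principal_arn
  }
}
```

Run terraform plan before applying and confirm that each principal_arn in the plan is the role ARN you expected; if a permission set has been provisioned twice under slightly different names, the regex can match more than one role and one() will stop the plan with an error rather than guess. If you would rather not add a second provider, the same two entries can be expressed with the hashicorp/aws provider’s aws_eks_access_entry and aws_eks_access_policy_association resources (available since provider 5.33).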

Step 6: Verify the New IAM Access Entry

  1. Navigate to EKS.
  2. Click on the cluster that you created using Terraform.
  3. Open the Access section and scroll down to IAM Access Entries. You should now see the newly created entry for the AWS SSO role, with AmazonEKSClusterAdminPolicy listed under its access policies.

Step 7: Update Your kubeconfig (Optional)

To confirm you have access, make sure your SSO session is still valid (aws sso login if it has expired), then update your kubeconfig with:

aws eks update-kubeconfig --name <your-cluster-name> --region <your-region>

Afterwards, a read-only request such as kubectl get nodes should succeed instead of returning Unauthorized.

Key Takeaways

The issue arises when an AWS SSO user with AdministratorAccess cannot reach an EKS cluster because the cluster has no IAM access entry for the role that the SSO session assumes: IAM permissions alone never grant Kubernetes API access. The fix is to add an awscc_eks_access_entry resource in Terraform that names the correct role ARN (role, not session, with its full path) and associates an EKS access policy with it, choosing the narrowest policy and scope that the permission set warrants.

Now that you’re all set up, enjoy experimenting with your EKS cluster and explore the many possibilities it offers!

Kubra Tahaoglu