AWS EKS AuthN and AuthZ — part 2

Fei Yao
Mar 6, 2020

A simple guide to giving users access to EKS using IAM, as an end-to-end walkthrough.

In part 1 we covered how to access an EKS cluster with an IAM user. There are cases where you have no control over IAM user creation in the AWS account that owns the cluster, but you can use AssumeRole instead. Here I'm going to walk you through that.

First, in AWS Account A, create a role (eks-admin-role) with the following trust policy; it does not need any permission policy attached to it. This makes eks-admin-role trust eks-user in AWS Account B.

We also need to modify the aws-auth ConfigMap (cm/aws-auth in kube-system) to the following:

This authorizes the role to operate as system:masters. At this point we are done with AWS Account A.

Let's turn our attention to AWS Account B. First, we need to make sure the IAM user eks-user has the sts:AssumeRole permission, by attaching the following policy:

That is all we need to do on the IAM side. Now add the following to the kubeconfig file:

The most important part is the role-arn parameter, which allows eks-user to assume this role when the token is requested.
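Putting the four pieces together, here is an added example (not the author's gists) that renders each artifact from this walkthrough as a Python dict, so the relationships between them are visible in one place. The account IDs, cluster name, region and the mapped Kubernetes username are placeholder assumptions; the example also rejects a rolearn that carries an IAM path, which aws-auth does not match, and a trust policy that trusts the whole account root instead of eks-user.

```python
"""Cross-account EKS access via AssumeRole: the four artifacts from the walkthrough.
Account IDs, cluster name, region and the mapped username are placeholders."""
import re

ACCOUNT_A = "111111111111"  # placeholder: owns the EKS cluster and eks-admin-role
ACCOUNT_B = "222222222222"  # placeholder: owns the IAM user eks-user
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/eks-admin-role"
USER_ARN = f"arn:aws:iam::{ACCOUNT_B}:user/eks-user"


def trust_policy(trusted_principal=USER_ARN):
    """Account A: trust policy on eks-admin-role (no permission policy needed)."""
    # Trust the single user, not arn:aws:iam::<B>:root, which would let any
    # principal in account B with sts:AssumeRole rights become system:masters.
    if trusted_principal.endswith(":root"):
        raise ValueError("trust eks-user specifically, not the whole account")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": trusted_principal},
        "Action": "sts:AssumeRole"}]}


def assume_role_policy(role_arn=ROLE_ARN):
    """Account B: permission policy attached to eks-user, scoped to this one role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def aws_auth_map_roles(role_arn=ROLE_ARN, groups=("system:masters",)):
    """Account A: the mapRoles entry for the aws-auth ConfigMap in kube-system."""
    # aws-auth matches on the ARN without an IAM path; a path in rolearn
    # silently fails to map and the caller is rejected as Unauthorized.
    if re.search(r":role/.+/", role_arn):
        raise ValueError("strip the IAM path from rolearn in aws-auth")
    return [{"rolearn": role_arn, "username": "eks-admin", "groups": list(groups)}]


def kubeconfig_user(cluster="my-cluster", region="us-east-1", role_arn=ROLE_ARN):
    """Account B: kubeconfig 'users' entry; --role-arn makes get-token assume the role."""
    return {"name": "eks-admin", "user": {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "aws",
        "args": ["--region", region, "eks", "get-token",
                 "--cluster-name", cluster, "--role-arn", role_arn]}}}
```

The mapRoles list and the kubeconfig entry are written to YAML in practice; the dicts above are the exact structures that serialization produces.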

Voila!

```
> kubectl get all -n kube-system
NAME                           READY   STATUS    RESTARTS   AGE
pod/aws-node-ptgpn             1/1     Running   0          98m
pod/coredns-56678dcf76-84fmz   1/1     Running   0          103m
pod/coredns-56678dcf76-nxs5w   1/1     Running   0          103m
pod/kube-proxy-hkb7p           1/1     Running   0          98m

NAME               TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
service/kube-dns   ClusterIP   10.100.0.10   <none>        53/UDP,53/TCP   103m

NAME                        DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
daemonset.apps/aws-node     1         1         1       1            1           <none>          103m
daemonset.apps/kube-proxy   1         1         1       1            1           <none>          103m

NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/coredns   2/2     2            2           103m

NAME                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/coredns-56678dcf76   2         2         2       103m
```

If you are interested in learning how to access an EKS cluster using a role only, read on to part 3.
