Setting up AWS EKS - Don't know username and password for config

Question

I'm having an extremely hard time setting up EKS on AWS. I've followed this tutorial: https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html#eks-launch-workers

I got up to the ~/.kube/config file and when I try to run kubectl get svc I'm prompted with the below.

▶ kubectl get svc
Please enter Username: Alex
Please enter Password: ********
Error from server (Forbidden): services is forbidden: User 
"system:anonymous" cannot list services in the namespace "default"

I'm unsure where to find the username and password for this entry. Please point me to the exact place where I can find this information.

I think this also has to do with EKS RBAC. I'm not sure how to get around this without having access to the server.

score 13 · Answer 1 · edited Sep 25 '18 at 04:00

13

This issue occurs if your user configuration isn't working in your kubeconfig, or if you are on a version of kubectl less than v1.10

edited Sep 25 '18 at 04:00

oradwell

392
1
12

answered Aug 15 '18 at 02:23

monokrome

1,377
14
21

1

Yup. Version of `kubectl` was wrong for me. Turns out I had a `kubectl` in my `$GOPATH` which was superceding my system `kubectl`. – Jim Dec 21 '18 at 19:20
1

What did you do after upgrading? – Viraj Parekh Feb 06 '19 at 21:54
1

Same for me. I had 1.6 I upgraded to 1.16. Fixed for me. – meerkat Oct 08 '19 at 17:25
After upgrading, you may need to do the setup process again for your local workstation - but it may just begin to work once you're on the right version. @VirajParekh – monokrome Feb 21 '20 at 09:39

JessG · Answer 2 · 2018-07-16T01:33:57.620

I was getting the same error.

I created the EKS cluster via the aws console, however when I followed the steps in the docs to configure my kubeconfig, I got the same error:

$ kubectl get svc
Please enter Username: JessicaG
Please enter Password: ****************
Error from server (Forbidden): services is forbidden: User "system:anonymous" cannot list services in the namespace "default"

This is what ended up being my problem:

In the AWS Getting Started guide in the section "Step 1: Create Your Amazon EKS Cluster: To create your cluster with the console", it says this:

"You must use IAM user credentials for this step, not root credentials. If you create your Amazon EKS cluster using root credentials, you cannot authenticate to the cluster."

It turned out that I had created the EKS cluster with my root credentials, however I was trying to authenticate with my admin user JessicaG.

My solution:

I re-created the cluster with the admin IAM user JessicaG. To do so here are the steps I took:

1) I configured the default user in my local file ~/.aws/credentials with the user's access keys

$ cat ~/.aws/credentials
[default]
aws_access_key_id = <JessicaG access key>
aws_secret_access_key = <JessicaG secret key>

2) Created an eks cluster from the command line:

aws eks create-cluster --name eksdemo --role-arn <eksRole> --resources-vpc-config subnetIds=<subnets>,securityGroupIds=<securityGrps>

3) Configured kubeconfig:

apiVersion: v1
clusters:
- cluster:
    server: REDACTED
    certificate-authority-data: REDACTED
  name: eksdemo
contexts:
- context:
    cluster: eksdemo
    user: aws-jessicag
  name: eksdemo
current-context: eksdemo
kind: Config
preferences: {}
users:
- name: aws-jessicag
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: heptio-authenticator-aws
      args:
        - "token"
        - "-i"
        - "eksdemo"

That solved this problem for me.

did you have to do the templates in CloudFormation as well in addition to the kubeconfig .yaml above? — cryanbhu, Aug 29 '18 at 19:28

score 0 · Answer 3 · answered May 09 '19 at 23:30

Make sure you have stable version of kubectl install

curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl

Also if you getting access denied error then make sure you are using the same IAM user access for kubectl which you used for creating EKS cluster.

When an Amazon EKS cluster is created, the IAM entity (user or role) that creates the 
cluster is added to the Kubernetes RBAC authorization table as the administrator 
(with system:master permissions. Initially, only that IAM user can make calls to the 
Kubernetes API server using kubectl.
If you use the console to create the cluster, you must ensure that the same IAM user 
credentials are in the AWS SDK credential chain when you are running kubectl commands 
on your cluster.

score 0 · Answer 4 · answered Mar 15 '22 at 06:39

As pointed out rightly in @monokrome's answer, the issue happens either when your kubectl version is outdated or your user configuration is not updated in kubeconfig file (Default Location: ~/.kube/config).

In my case, the configuration for the cluster was not updated in kubeconfig and the following steps helped me update the same:

Ensure your AWS IAM user to have (at least READ) access to the EKS cluster through proper IAM roles and policies.
Upgrade aws cli to version greater than 1.16.156 and run aws sts get-caller-identity. Ensure that the AWS account number and the user ARN are mentioned correctly in the output.
Run aws eks update-kubeconfig --region region-code --name EKS-cluster-name which automatically updates the kubeconfig.

After successfully executing the above steps you should be able to run kubectl commands without any issues. You can try kubectl get svc to verify the same.

Setting up AWS EKS - Don't know username and password for config

4 Answers4