I've created a new EKS cluster using Terraform. A couple of developers, when they try to access the cluster in the AWS console, get the following error.

Can someone please point out what I'm missing?

cluster version: 1.18

User: arn:aws:iam::xxxx:user/yyy is not authorized to perform: eks:AccessKubernetesApi on resource: arn:aws:eks:us-east-1:xxxx:cluster/cluster

Each user has this policy attached

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "eks:ListFargateProfiles",
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:DescribeFargateProfile",
                "eks:ListTagsForResource",
                "eks:ListUpdates",
                "eks:DescribeUpdate",
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Resource": "*"
        }
    ]
}

My aws-auth config looks like this:

apiVersion: v1
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxx:role/cluster182020111918162137770000002f
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes


    - groups:
      - system:masters
      rolearn: arn:aws:iam::xxxx:role/abc-role
      username: abc-xac
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::xxx:role/cluster_eks_worker_role
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - groups:
      - system:developers
      userarn: arn:aws:iam::xxx:user/yyy
      username: yyy
....
user6826691

1 Answer

It's already mentioned in the error that the user doesn't have access to eks:AccessKubernetesApi.

Just add this to the IAM role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "eks:AccessKubernetesApi",
                "eks:ListFargateProfiles",
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:DescribeFargateProfile",
                "eks:ListTagsForResource",
                "eks:ListUpdates",
                "eks:DescribeUpdate",
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Resource": "*"
        }
    ]
}
Atul Sharma
  • I think there is no such action called "eks:AccessKubernetesApi": "IAM does not recognize one or more actions. The action name might include a typo or might be part of a previewed or custom service. Learn more" – user6826691 Dec 03 '20 at 23:05
  • Actually, Atul Sharma is right and that should fix the issue for now. I have tested the same on my test user, where I was getting the exact same error, where I have an explicit deny for "eks:AccessKubernetesApi" – Mech Dec 04 '20 at 16:46
  • But doesn't this give access to the user to all the k8s APIs? The user would now be able to create & delete as well. – Mukund Jalan Jan 04 '22 at 06:34
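
An added example, not part of the original question, answer or comments: a simplified Python model of the identity-policy decision discussed in this thread (the question's policy, the answer's policy, and the explicit deny mentioned in a comment). It goes one step beyond the page with a variant that scopes the action to a single cluster ARN. Assumptions: only Action and Resource wildcards are evaluated (no conditions, NotAction, permission boundaries or SCPs), and the account id, cluster ARN and all function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample values; the page elides the real account id.
CLUSTER_ARN = "arn:aws:eks:us-east-1:111122223333:cluster/cluster"
ACTION = "eks:AccessKubernetesApi"

READ_ACTIONS = [
    "eks:ListFargateProfiles", "eks:DescribeNodegroup", "eks:ListNodegroups",
    "eks:DescribeFargateProfile", "eks:ListTagsForResource", "eks:ListUpdates",
    "eks:DescribeUpdate", "eks:DescribeCluster", "eks:ListClusters",
]

def statement(effect, actions, resource="*"):
    return {"Effect": effect, "Action": actions, "Resource": resource}

def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; resource ARNs are matched as written.
    act_ok = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    res_ok = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return act_ok and res_ok

def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    stmts = [s for p in policies for s in _as_list(p["Statement"])]
    hits = [s["Effect"] for s in stmts if _matches(s, action, resource)]
    if "Deny" in hits:  # an explicit Deny always overrides any Allow
        return "ExplicitDeny"
    return "Allow" if "Allow" in hits else "ImplicitDeny"

question_policy = policy(statement("Allow", READ_ACTIONS))
answer_policy = policy(statement("Allow", [ACTION] + READ_ACTIONS))
# Variant: grant the console action on the one cluster instead of "*".
scoped_policy = policy(statement("Allow", READ_ACTIONS),
                       statement("Allow", ACTION, CLUSTER_ARN))
deny_policy = policy(statement("Deny", ACTION))

if __name__ == "__main__":
    for name, pols in [("question", [question_policy]), ("answer", [answer_policy]),
                       ("scoped", [scoped_policy]),
                       ("answer + explicit deny", [answer_policy, deny_policy])]:
        print(f"{name}: {evaluate(pols, ACTION, CLUSTER_ARN)}")
```

This models only the IAM side of the request. What a mapped user can do inside the cluster is still decided by Kubernetes RBAC for the groups assigned in aws-auth (here `system:developers`).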