
I am trying to add a federated user to an EKS cluster. So far I was able to add the IAM users to the cluster by adding them to configmap/aws-auth and adding a clusterrolebinding. But I could not understand how to give access to the users who use SSO.

I tried to add the user in mapRoles by giving the roleARN with which users are getting authenticated from the identity provider. Here is the sample one I have added:

  - groups:
      - cluster-admin
      - system:masters
    rolearn: arn:aws:iam::345XXXXXXXX:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_c3faf862c9becba7
    username: Vivek.Kella@XXXXX.com
Naveen Kerati
  • [An answer to another question on this topic works.](https://stackoverflow.com/a/72043806/1254808) Drop the segment "aws-reserved/sso.amazonaws.com/" from the rolearn value. – F4-Z4 Jul 12 '22 at 21:50

1 Answer

You can provide access to federated users/roles by adding the section below to the aws-auth configmap.

Get current aws-auth configmap

kubectl get configmap/aws-auth -n kube-system -o json | Set-Content aws-auth.json

Load the JSON as an object

$jsonPayload = (Get-Content aws-auth.json | Out-String | ConvertFrom-Json)

Add the federated user by adding the section below to the mapRoles section.

- rolearn: arn:aws:iam::<AWS account ID>:role/<federated role name>
  username: "{{SessionName}}"
  groups:
    - system:masters

Consolidated commands to execute in PowerShell

kubectl get configmap/aws-auth -n kube-system -o json | Set-Content aws-auth.json
$jsonPayload = (Get-Content aws-auth.json | Out-String | ConvertFrom-Json)
# Expandable here-string: `n becomes a newline, the rest is the YAML for mapRoles
$federatedUsers = @"
`n
- rolearn: arn:aws:iam::<AWS account ID>:role/AWSReservedSSO_xxxxxxxxx
  username: "{{SessionName}}"
  groups:
    - system:masters
- groups:
  - system:masters
  rolearn: arn:aws:iam::<AWS account ID>:role/<cluster created role>
  username: system:node:{{SessionName}}
"@
$jsonPayload.data.mapRoles = $federatedUsers
Set-Content aws-auth.json -Value ($jsonPayload | ConvertTo-Json -depth 10)
kubectl replace -n kube-system -f aws-auth.json

Reference link: https://octopus.com/blog/eks-federated-users

Rajeswari
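The two operational details on this page are that aws-auth matches role ARNs only without their IAM path (the comment on the question: drop `aws-reserved/sso.amazonaws.com/`) and that the mapRoles value is a YAML string that is easy to clobber when you assign it wholesale. The following PowerShell is an added example, not code from the question, the answer, or the linked Octopus post. It strips the path from the SSO role ARN, appends one entry to whatever mapRoles already contains (so entries such as the node instance role mapping the cluster was created with survive), shows a `kubectl diff` before writing, and grants access through a dedicated Kubernetes group bound by its own ClusterRoleBinding rather than by adding the role to `system:masters`. It assumes `kubectl` is on PATH with the current context pointing at the cluster; the account id, role name, group name and ClusterRole are constructed placeholders to replace.

```powershell
# Added example; not from the question, answer or linked blog.
# Assumes kubectl on PATH and a kubeconfig context for the target EKS cluster.
$AccountId   = '123456789012'                                 # constructed sample account id
$SsoRoleName = 'AWSReservedSSO_AdministratorAccess_xxxxxxxx'  # placeholder; copy from IAM
$K8sGroup    = 'eks-sso-admins'                               # Kubernetes group the role maps to
$ClusterRole = 'cluster-admin'                                # narrow this (e.g. 'view') where you can

# aws-auth matches role ARNs without the IAM path, so
#   arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/X
# must be written as
#   arn:aws:iam::123456789012:role/X
# This removes any path from a role ARN and rejects anything that is not a role ARN.
function Remove-IamRolePath {
    param([Parameter(Mandatory)][string]$RoleArn)
    if ($RoleArn -match '^(arn:aws:iam::\d{12}:role)/(?:.+/)?([^/]+)$') {
        return "$($Matches[1])/$($Matches[2])"
    }
    throw "Not an IAM role ARN: $RoleArn"
}

$roleArn = Remove-IamRolePath "arn:aws:iam::${AccountId}:role/aws-reserved/sso.amazonaws.com/${SsoRoleName}"

# Read the live ConfigMap and keep whatever mapRoles already holds.
$cm = kubectl get configmap aws-auth -n kube-system -o json | ConvertFrom-Json
$existing = if ($cm.data.PSObject.Properties['mapRoles']) { [string]$cm.data.mapRoles } else { '' }

# Idempotent: do not add the same role twice.
if ($existing -match [regex]::Escape($roleArn)) {
    Write-Host "Role $roleArn is already mapped; nothing to change."
    exit 0
}

# One new entry. The username carries the SSO session name so the audit log shows who acted;
# permissions come from a Kubernetes group bound below, not from system:masters.
$entry = @"
- rolearn: $roleArn
  username: "sso:{{SessionName}}"
  groups:
    - $K8sGroup
"@

# Append instead of overwrite, so existing mappings (node instance role etc.) are preserved.
$merged = (($existing.TrimEnd(), $entry) | Where-Object { $_ }) -join "`n"
$cm.data | Add-Member -NotePropertyName mapRoles -NotePropertyValue $merged -Force

# Review the change, then replace. The object still carries metadata.resourceVersion,
# so replace fails instead of silently overwriting a concurrent edit.
$json = $cm | ConvertTo-Json -Depth 10
$json | kubectl diff -f -        # exit code 1 here just means "there are differences"
$json | kubectl replace -f -

# Bind the group to a ClusterRole with its own object, so the grant is visible and revocable.
@"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $K8sGroup-binding
subjects:
  - kind: Group
    name: $K8sGroup
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: $ClusterRole
  apiGroup: rbac.authorization.k8s.io
"@ | kubectl apply -f -
```

After it runs, `kubectl get configmap aws-auth -n kube-system -o jsonpath='{.data.mapRoles}'` should show the original entries followed by the new one, and a user who assumed the SSO role should appear in the API server audit log as `sso:<their session name>`. Newer EKS clusters can also grant this through EKS access entries instead of editing aws-auth, which avoids the hand-merged YAML string entirely.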