
I know when you create an EKS cluster, only the user that created the cluster has access to it. In order to allow someone else to access the cluster, you need to add that user to aws-auth. I know how I can do it manually, but I want to do it using CloudFormation as automation. Can someone please guide me about it? Thanks in advance.

1 Answer


This should suffice for your need to manage the aws-auth ConfigMap from within CloudFormation, using the Type: "AWSQS::EKS::Cluster" third-party extension.

To activate the resource type in your account, go here: https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/registry/public-extensions/details/schema?arn=arn:aws:cloudformation:us-east-1::type/resource/408988dff9e863704bcc72e7e13f8d645cee8311/AWSQS-EKS-Cluster, then choose the AWS Region you would like to use it in and click Activate.

Example code:

AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SubnetIds:
    Type: "List<AWS::EC2::Subnet::Id>"
  SecurityGroupIds:
    Type: "List<AWS::EC2::SecurityGroup::Id>"
Resources:
  myCluster:
    # Third-party resource type from the AWS Quick Start registry extension
    # (must be activated in the account/region first, see link above).
    Type: "AWSQS::EKS::Cluster"
    Properties:
      RoleArn: !GetAtt serviceRole.Arn
      KubernetesNetworkConfig:
        ServiceIpv4Cidr: "192.168.0.0/16"
      ResourcesVpcConfig:
        SubnetIds: !Ref SubnetIds
        SecurityGroupIds: !Ref SecurityGroupIds
        # API endpoint reachable only from inside the VPC
        EndpointPrivateAccess: true
        EndpointPublicAccess: false
      EnabledClusterLoggingTypes: ["audit"]
      # The extension writes these entries into the aws-auth ConfigMap
      # (mapUsers / mapRoles). "system:masters" is full cluster-admin,
      # so keep this list to the principals that really need it.
      KubernetesApiAccess:
        Users:
          - Arn: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:user/my-user"
            Username: "CliUser"
            Groups: ["system:masters"]
        Roles:
          - Arn: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/my-role"
            Username: "AdminRole"
            Groups: ["system:masters"]
      Tags:
        - Key: ClusterName
          Value: myCluster
  serviceRole:
    # Cluster service role assumed by the EKS control plane
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: eks.amazonaws.com }
            Action: sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSClusterPolicy'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSServicePolicy'

https://github.com/aws-quickstart/quickstart-amazon-eks-cluster-resource-provider

An AWS CloudFormation resource provider for modelling Amazon EKS clusters. It provides some additional functionality to the native AWS::EKS::Cluster resource type:

Additional info: the EKS Quick Start template that deploys the EKS control plane:

https://github.com/aws-quickstart/quickstart-amazon-eks/blob/master/templates/amazon-eks-controlplane.template.yaml

Balaram
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. – Nol4635 Jul 01 '22 at 22:36
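As an added illustration (not part of the answer above and not the AWSQS extension's own code), the script below turns a KubernetesApiAccess block like the one in the template into the aws-auth ConfigMap it corresponds to, and lists which principals end up in system:masters so the grant can be reviewed before the stack is deployed. The account id and partition values are constructed placeholders, and the !Sub expansion handles only those pseudo-parameters.

```python
import re
from typing import Dict, List

# Constructed placeholders standing in for CloudFormation pseudo-parameters.
PSEUDO_PARAMS = {"AWS::Partition": "aws", "AWS::AccountId": "111122223333"}

# Constructed input mirroring the KubernetesApiAccess block of the template.
KUBERNETES_API_ACCESS = {
    "Users": [{"Arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:user/my-user",
               "Username": "CliUser", "Groups": ["system:masters"]}],
    "Roles": [{"Arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/my-role",
               "Username": "AdminRole", "Groups": ["system:masters"]}],
}


def resolve_sub(template: str, params: Dict[str, str] = PSEUDO_PARAMS) -> str:
    """Expand ${Name} references like !Sub does; unknown names are left untouched."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: params.get(m.group(1), m.group(0)), template)


def render_entries(entries: List[dict], arn_key: str) -> str:
    """Render one aws-auth mapping (mapUsers or mapRoles) as the YAML string EKS expects."""
    lines: List[str] = []
    for entry in entries:
        lines.append(f"- {arn_key}: {resolve_sub(entry['Arn'])}")
        lines.append(f"  username: {entry['Username']}")
        lines.append("  groups:")
        lines.extend(f"    - {group}" for group in entry["Groups"])
    return "\n".join(lines) + "\n"


def build_aws_auth(access: dict) -> dict:
    """Build the kube-system/aws-auth ConfigMap equivalent to a KubernetesApiAccess block."""
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": "aws-auth", "namespace": "kube-system"},
        "data": {
            "mapRoles": render_entries(access.get("Roles", []), "rolearn"),
            "mapUsers": render_entries(access.get("Users", []), "userarn"),
        },
    }


def cluster_admins(access: dict) -> List[str]:
    """Return every principal ARN the block places in system:masters (full cluster-admin)."""
    return [resolve_sub(entry["Arn"]) for key in ("Users", "Roles")
            for entry in access.get(key, []) if "system:masters" in entry["Groups"]]
```

Running `cluster_admins(KUBERNETES_API_ACCESS)` on the template's block shows both my-user and my-role receiving cluster-admin, which is the list worth checking before the stack goes live.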