Enabling AWS Group to access AWS EKS cluster

Question

This question is essentially a duplicate of Adding IAM Group to aws-auth configmap in AWS EKS. However, the question does not have an accepted answer and I would like to provide more context.

I know that aws-auth ConfigMap object does not allow mapping AWS Group directly. A workaround would be to map an AWS Role instead. I tried that but were unable to get it working. Mapping an AWS User works without issues.

I setup an AWS Role arn:aws:iam::027755483893:role/development-readwrite with account 027755483893 as being the trusted entity and attached the following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::027755483893:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I setup an AWS Group arn:aws:iam::027755483893:group/development-readwrite and attached the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::027755483893:role/development-readwrite"
            ]
        }
    ]
}

I setup the aws-auth ConfigMap as follows:

apiVersion: v1
data:
  mapRoles: |
    # Other mappings omitted for clarity
    - groups:
      - system:masters
      rolearn: arn:aws:iam::027755483893:role/development-readwrite
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2019-08-21T08:25:15Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "62031092"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 33b33620-c3ed-11e9-83c0-029bc9dcca16

However, none of the users in the group have access to the cluster. Do the users need to explicitly assume role? Is there anything else I'm missing?

Answer 1

In this case the users indeed need to explicitly assume the role. The fact that the users can assume the role is not enough for them to actually have access to the cluster.

One approach that can simplify it for your users is by creating a kubeconfig with the aws get token call. This allows you to specify a role_arn of a role to assume for the cluster.