These instructions explain how to access an Amazon EKS cluster from a destination machine by somebody who does not have an AWS account. The cluster is created on a source machine.
Create a new policy. Call it AmazonEKSDescribeClusterPolicy and use the following JSON fragment:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "eks:DescribeCluster",
      "Resource": "*"
    }
  ]
}
Create a group named myeks. Assign the previously created policy to this group.
Create a user named myuser, enable programmatic access, add user to the myeks group.
Download the .csv file and share the credentials out of band.
Grab the user ARN:
USER_ARN=$(aws iam get-user --user-name myuser --query User.Arn --output text)
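Add IAM user to aws-auth ConfigMap for the EKS cluster:
# The indentation inside the string must match the YAML of the ConfigMap: two spaces for keys under data:, four or more for the block content
USER="  mapUsers: |\n    - userarn: $USER_ARN\n      username: myuser\n      groups:\n        - system:masters"
# The pattern is anchored to ^data: so that the metadata: line does not match as well
kubectl get -n kube-system configmap/aws-auth -o yaml | awk "/^data:/{print;print \"$USER\";next}1" > /tmp/aws-auth-patch.yml
kubectl patch configmap/aws-auth -n kube-system --patch "$(cat /tmp/aws-auth-patch.yml)"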
The aws configure command will configure the CLI using the given credentials. Make sure to choose the same region in which the EKS cluster is created, for example us-west-2. Choose json as the output format.
Install aws-iam-authenticator as explained at https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html and include it in PATH
Install kubectl as explained at https://docs.aws.amazon.com/eks/latest/userguide/install-kubectl.html
Install eksctl as explained at https://eksctl.io
Generate configuration file to access the EKS Cluster:
eksctl utils write-kubeconfig \
--name myeks \
--kubeconfig ./kubeconfig
Use kubeconfig to access the cluster:
kubectl --kubeconfig ./kubeconfig get nodes
Optionally, set the KUBECONFIG environment variable:
export KUBECONFIG=`pwd`/kubeconfig
And then get nodes as:
kubectl get nodes
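
The awk one-liner in the aws-auth step assumes the ConfigMap has no mapUsers key yet; run against a ConfigMap that already has one, it writes a second mapUsers key. The following is an added example, not code from the original page, of a variant that reuses an existing mapUsers block and skips an ARN that is already mapped. The names add_map_user and sample_aws_auth and the account ID 111122223333 are assumptions made for illustration.

```shell
# Added example, not from the original page. add_map_user, sample_aws_auth and
# the account ID 111122223333 are constructed for illustration.

# Reads an aws-auth ConfigMap (YAML) on stdin and writes it to stdout with one
# mapUsers entry added. An existing mapUsers block is reused rather than
# duplicated, and the input is passed through unchanged if the ARN is mapped.
# Usage: add_map_user <user-arn> <username> <rbac-group>
add_map_user() {
  awk -v arn="$1" -v name="$2" -v group="$3" '
    function entry() {
      print "    - userarn: " arn
      print "      username: " name
      print "      groups:"
      print "        - " group
    }
    { lines[NR] = $0 }
    /^data:/              { data_line = NR }
    /^  mapUsers:[ ]*[|]/ { users_line = NR }
    NF >= 2 && $(NF-1) == "userarn:" && $NF == arn { present = 1 }
    END {
      if (!data_line) { print "no data: section found" > "/dev/stderr"; exit 1 }
      for (i = 1; i <= NR; i++) {
        print lines[i]
        if (present) continue
        if (i == users_line) entry()
        else if (!users_line && i == data_line) { print "  mapUsers: |"; entry() }
      }
    }'
}

# Constructed sample of `kubectl get -n kube-system configmap/aws-auth -o yaml`.
sample_aws_auth() {
  cat <<'EOF'
apiVersion: v1
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/node-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
EOF
}

sample_aws_auth | add_map_user arn:aws:iam::111122223333:user/myuser myuser system:masters
```

Because the group is an argument, the user can be mapped to a narrower RBAC group than system:masters, which grants unrestricted cluster-admin access.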