Tags: amazon-web-services, kubernetes, amazon-iam, amazon-eks, eksctl

Your current user or role does not have access to Kubernetes objects on this EKS cluster


Don't know if this is an error from AWS or something. I created an IAM user and gave it full admin policies. I then used this user to create an EKS cluster using the eksctl CLI, but when I log in to the AWS console with the root user I get the below error while trying to access the cluster nodes.

Your current user or role does not have access to Kubernetes objects on this EKS cluster This may be due to the current user or role not having Kubernetes RBAC permissions to describe cluster resources or not having an entry in the cluster’s auth config map.

I have these questions

  1. Does not the root user have full access to view every resource from the console?
  2. If the above is true, does it mean when I create a resource from the CLI I must login with the same user to view it?
  3. Or is there a way I could attach policies to the root user? Didn't see anything like that in the console.

AWS itself does not recommend creating access keys for the root user and using it for programmatic access, so I'm so confused right now. Someone help.

All questions I have seen so far and the link to the doc here are talking about a user or role created in the AWS IAM and not the root user.


Solution

  • Note: the aws-auth configmap is now deprecated. See my current answer below the old one.

    I had this issue today, and solved it by combining answers here. The aws-auth config after it worked looks like this:

    apiVersion: v1
    data:
      mapRoles: |
        - groups:
          - system:bootstrappers
          - system:nodes
          rolearn: arn:aws:iam::671177010163:role/eksctl-manu-eks-new2-nodegroup-ng-NodeInstanceRole-1NYUHVMYFP2TK
          username: system:node:{{EC2PrivateDNSName}}
      mapUsers: |
        - groups:
          - system:masters
          userarn: arn:aws:iam::671177010163:root
    kind: ConfigMap
    metadata:
      creationTimestamp: "2022-02-13T11:03:30Z"
      name: aws-auth
      namespace: kube-system
      resourceVersion: "11362"
      uid: ac36a1d9-76bc-40dc-95f0-b1e7934357


    New Method: The recommended way for IAM access to EKS resources is now via Access Entries. These can be created in the AWS console or with the CLI.

    AWS Doc: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html

    https://github.com/aws/containers-roadmap/issues/185

    In short:

    1. Make sure your EKS cluster shows EKS API as one of the authentication modes under Access tab.
    2. Create an Access Entry in the same tab. Select Standard as the type, enter the IAM User ARN, and leave the username blank. Set the Access Policy to AmazonEKSClusterAdminPolicy if you want the IAM principal to have administrator access to all resources on your cluster.

    This new approach solves many of the problems with using aws-auth.
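The same two console steps from the answer above, as AWS CLI calls. This is an added example and not part of the original answer; the cluster name and the principal ARN passed to the functions are constructed placeholders, and `AWS_CMD` is a convenience variable of this script (set `AWS_CMD=echo` to preview the exact calls before running them against a real account). The subcommands, flags, policy ARN and authentication mode value are the real ones from the `aws eks` CLI.

```shell
#!/bin/sh
# Added example: EKS Access Entry setup via the AWS CLI.
# AWS_CMD defaults to the real CLI; override with AWS_CMD=echo to dry-run.
: "${AWS_CMD:=aws}"

# ARN of the managed access policy named in the answer (real value).
EKS_ADMIN_POLICY_ARN="arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"

# Step 1: make the cluster accept the EKS API as an authentication mode.
# API_AND_CONFIG_MAP keeps any existing aws-auth entries working while
# you migrate; switching to API alone later stops honouring aws-auth.
eks_enable_api_auth() {
  cluster="$1"
  $AWS_CMD eks update-cluster-config \
    --name "$cluster" \
    --access-config authenticationMode=API_AND_CONFIG_MAP
}

# Show which authentication mode the cluster currently uses (the "Access"
# tab check from step 1 of the answer).
eks_show_auth_mode() {
  $AWS_CMD eks describe-cluster \
    --name "$1" \
    --query cluster.accessConfig.authenticationMode \
    --output text
}

# Step 2: create a STANDARD access entry for an IAM principal (username left
# to the default, as in the answer) and associate the cluster-admin policy
# with cluster-wide scope.
eks_grant_cluster_admin() {
  cluster="$1"
  principal="$2"
  $AWS_CMD eks create-access-entry \
    --cluster-name "$cluster" \
    --principal-arn "$principal" \
    --type STANDARD
  $AWS_CMD eks associate-access-policy \
    --cluster-name "$cluster" \
    --principal-arn "$principal" \
    --policy-arn "$EKS_ADMIN_POLICY_ARN" \
    --access-scope type=cluster
}

# Check afterwards: list every principal that has an access entry, so you can
# audit who was granted cluster access and remove entries you did not expect.
eks_list_access() {
  $AWS_CMD eks list-access-entries --cluster-name "$1"
}

# Usage with constructed placeholder values (uncomment to run for real):
# eks_enable_api_auth demo-cluster
# eks_grant_cluster_admin demo-cluster arn:aws:iam::123456789012:user/demo
# eks_list_access demo-cluster
```

`associate-access-policy` with `--access-scope type=cluster` is what the console's "cluster" scope selection does; use `type=namespace,namespaces=ns1` instead when a principal should only administer specific namespaces, which is the least-privilege option the old `system:masters` mapping in aws-auth never offered.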