Cross AWS Account to Manage EKS Cluster Using kubectl

June 15, 2024


Architecture

Account A:
Account ID: 123456789012
IAM role: roleA

Account B:
Account ID: 111122223333
IAM role: roleB

IAM role A lives in the same AWS account as the EKS cluster.
The following policy is attached to this role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster"
            ],
            "Resource": "arn:aws:eks:<region>:111122223333:cluster/<eks-cluster-name>"
        }
    ]
}
Trust relationships:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/roleB"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

Role B
Role B is the IAM role of the instance profile associated with the EC2 instance that is used to run management commands against the container stack remotely (kubectl, istioctl, etc.).
Besides the other IAM permissions it needs, this role has the following policy attached:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::111122223333:role/roleA"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster"
            ],
            "Resource": "arn:aws:eks:<region>:111122223333:cluster/<eks-cluster-name>"
        }
    ]
}
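As an added example (not code from the original post), the following script checks that the three policy documents above actually link up: role A's trust policy names role B and nothing else, role B may assume role A and nothing else, and every eks:DescribeCluster grant is scoped to one named cluster rather than "*". It assumes the account layout implied by the policy documents (role A and the cluster in 111122223333, role B in 123456789012); the embedded policies are constructed copies with the post's placeholders kept as-is.

```python
import re

CLUSTER_ACCOUNT = "111122223333"  # owns the EKS cluster and roleA (per the policies above)
MGMT_ACCOUNT = "123456789012"     # owns the EC2 management host and roleB
ROLE_A = f"arn:aws:iam::{CLUSTER_ACCOUNT}:role/roleA"
ROLE_B = f"arn:aws:iam::{MGMT_ACCOUNT}:role/roleB"
# One named cluster in the cluster account: no wildcard in region, account or name.
CLUSTER_ARN = re.compile(rf"^arn:aws:eks:[^:*]+:{CLUSTER_ACCOUNT}:cluster/[^*?]+$")

# Constructed copies of the post's policy documents, placeholders kept as-is.
ROLE_A_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/roleB"},
     "Action": "sts:AssumeRole", "Condition": {}}]}
ROLE_A_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["eks:DescribeCluster"],
     "Resource": "arn:aws:eks:<region>:111122223333:cluster/<eks-cluster-name>"}]}
ROLE_B_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole"],
     "Resource": "arn:aws:iam::111122223333:role/roleA"},
    {"Effect": "Allow", "Action": ["eks:DescribeCluster"],
     "Resource": "arn:aws:eks:<region>:111122223333:cluster/<eks-cluster-name>"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allows(stmt, action):
    return stmt["Effect"] == "Allow" and action in _as_list(stmt["Action"])

def _principals(stmt):
    # "Principal" may be a dict with an "AWS" key or the bare string "*".
    prin = stmt["Principal"]
    return _as_list(prin.get("AWS", []) if isinstance(prin, dict) else prin)

def check_chain(trust, role_a_policy, role_b_policy):
    """Return a list of findings; an empty list means the three documents line up."""
    findings = []
    # 1. roleA's trust policy must let exactly roleB call sts:AssumeRole.
    principals = [p for s in trust["Statement"] if _allows(s, "sts:AssumeRole")
                  for p in _principals(s)]
    if principals != [ROLE_B]:
        findings.append(f"roleA trust: expected only {ROLE_B}, got {principals}")
    # 2. roleB may assume roleA and nothing else.
    targets = [r for s in role_b_policy["Statement"] if _allows(s, "sts:AssumeRole")
               for r in _as_list(s["Resource"])]
    if targets != [ROLE_A]:
        findings.append(f"roleB policy: sts:AssumeRole should target {ROLE_A} only, got {targets}")
    # 3. Every eks:DescribeCluster grant on either role must name one cluster.
    for label, policy in (("roleA", role_a_policy), ("roleB", role_b_policy)):
        for s in policy["Statement"]:
            for r in (_as_list(s["Resource"]) if _allows(s, "eks:DescribeCluster") else []):
                if not CLUSTER_ARN.match(r):
                    findings.append(f"{label} policy: eks:DescribeCluster not scoped to one cluster: {r}")
    return findings
```

To run it against live documents, feed it the output of `aws iam get-role` (the AssumeRolePolicyDocument) and `aws iam get-role-policy` in place of the embedded dicts.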

If kubectl returns "error: You must be logged in to the server (Unauthorized)" when connecting to the Amazon EKS API server, refer to How to Handle Error: "You must be logged in to the server (Unauthorized)".

On the container stack management server, configure the AWS CLI config file so that role A is assumed using the credentials obtained from the EC2 instance metadata of the host (that is, the instance profile credentials of role B).
Content of the config file .aws/config:
[default]
role_arn=arn:aws:iam::111122223333:role/roleA
credential_source=Ec2InstanceMetadata
region=<region>

# aws eks update-kubeconfig --region <region> --name <eks-cluster-name>
Output:
Added new context arn:aws:eks:<region>:111122223333:cluster/<eks-cluster-name> to /root/.kube/config


References

Configuration and credential file settings


Archived

Verify kubectl configuration
In order for kubectl to find and access a Kubernetes cluster, it needs a kubeconfig file. By default, kubectl configuration is located at ~/.kube/config.

Get the latest version of aws-iam-authenticator
Get the latest version of aws-iam-authenticator from https://us-west-2.console.aws.amazon.com/s3/buckets/amazon-eks?region=us-west-2&bucketType=general&tab=objects


Category: container Tags: public
