EKS SSO authentication
This is a short post on how to configure EKS authentication with AWS Federated Logins (Single Sign On).
Once SSO is configured and you can log in to the AWS console, you'll also want to use the awscli; for that you'll need an entry similar to this one in your
The parameters you'll want to change are:
sso-profile: the name of your awscli profile
domain: you'll need to get this from whoever configured SSO
account-id: your AWS account id
role-name: the role name containing the allowed policies
Setting up is also straightforward:
You can now look up the role-name in your AWS IAM console; its ARN will look something like this:
Note the aws-reserved/sso.amazonaws.com/ bit; it will be relevant further ahead.
aws-vault is a great tool to help you manage your AWS credentials/profiles, and it's easy to get it up and running. Once installed it will consult your .aws/config and manage the credentials of those profiles for you; the list command gives you the list of profiles and associated credentials:
Adding credentials for the SSO profile is a matter of:
This should open up your browser and perform the authentication; after that you're able to use it with any awscli command:
aws-vault stores its secrets in ~/Library/Keychains/aws-vault.keychain-db; you'll probably want to open that file with the Keychain Access tool should you ever need to delete things manually.
Now that we have aws-vault working we can apply it to Kubernetes authentication; let's give it a spin:
Notice the JSON reply: it is an ExecCredential k8s resource, which is the expected output format of whatever you add to your
aws-iam-authenticator is an app maintained by Kubernetes that takes care of this for us.
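As an added example (not code from the original post), here is a small POSIX shell check for the reply a credential plugin such as aws-iam-authenticator hands to kubectl. kubectl only accepts the reply when it is an ExecCredential object with a client.authentication.k8s.io apiVersion and a non-empty status.token; the sample reply below is constructed, and its token value is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the JSON an exec
# credential plugin (e.g. aws-iam-authenticator) returns to kubectl.
# kubectl treats anything that is not an ExecCredential with a status.token
# as an authentication failure, which is what you see as "Unauthorized".

# Constructed sample reply; the token is a placeholder, not a real credential.
SAMPLE_EXEC_CREDENTIAL='{
  "kind": "ExecCredential",
  "apiVersion": "client.authentication.k8s.io/v1beta1",
  "spec": {},
  "status": {
    "expirationTimestamp": "2020-01-01T00:14:00Z",
    "token": "k8s-aws-v1.PLACEHOLDER-TOKEN"
  }
}'

# json_field JSON KEY -> prints the string value of "KEY" (first match only).
# Good enough for the flat, well-formed documents the plugin emits; it is not
# a general JSON parser.
json_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# check_exec_credential JSON -> returns 0 when the reply has the shape kubectl
# expects, 1 with a reason on stderr otherwise.
check_exec_credential() {
    kind=$(json_field "$1" kind)
    api=$(json_field "$1" apiVersion)
    token=$(json_field "$1" token)
    if [ "$kind" != "ExecCredential" ]; then
        echo "kind is '$kind', expected ExecCredential" >&2
        return 1
    fi
    case "$api" in
        client.authentication.k8s.io/*) ;;
        *) echo "apiVersion '$api' is not client.authentication.k8s.io/*" >&2; return 1 ;;
    esac
    if [ -z "$token" ]; then
        echo "status.token missing or empty" >&2
        return 1
    fi
    return 0
}

# Usage: pipe the plugin's output into a variable and check it, e.g.
#   reply=$(aws-vault exec sso-profile -- aws-iam-authenticator token -i CLUSTER_NAME)
#   check_exec_credential "$reply" && echo "reply looks valid"
check_exec_credential "$SAMPLE_EXEC_CREDENTIAL" && echo "sample reply looks valid"
```

Run the check against the real plugin output by capturing it into a variable as in the usage comment; when it fails, the reason on stderr tells you whether the plugin printed something other than an ExecCredential (a wrapper script echoing extra text is a common cause) or returned an empty token.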
Below is an entry of the users section with the relevant changes:
The final thing left to do is to inform the EKS cluster that this role is allowed to perform operations in it. This is the tricky bit: to do that we'll need to edit a ConfigMap in the cluster, which means you'll need to already have access to it, so hopefully whoever created the cluster is around to help you with this part:
The relevant bit to add is beneath
The important thing to notice is the roleArn field and the fact that it doesn't contain the aws-reserved/sso.amazonaws.com/ part I mentioned at the beginning of the post. You'll need to remove that, otherwise you won't be able to authenticate successfully (no idea why that is).
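The ARN trimming described here, and the aws-reserved/sso.amazonaws.com/ path noted earlier when looking up the role in IAM, as an added example in POSIX shell (not code from the original post). The ARN, account id and role name below are constructed placeholders; the mapRoles key is spelled rolearn in the aws-auth ConfigMap. The trimming is needed because the assumed-role identity STS reports for a session omits the IAM path, so the authenticator compares against a path-less role ARN.

```shell
#!/bin/sh
# Added example, not from the original post: turn the role ARN the IAM console
# shows for an SSO-managed role into the path-less form the aws-auth
# ConfigMap expects, and emit the matching mapRoles entry.

# Constructed placeholder ARN (account id and role name are not real).
SSO_ROLE_ARN='arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_ExampleRole_0123456789abcdef'

# is_sso_role_arn ARN -> returns 0 when the ARN carries the reserved SSO path.
is_sso_role_arn() {
    case "$1" in
        arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*) return 0 ;;
        *) return 1 ;;
    esac
}

# sso_role_arn_for_aws_auth ARN -> prints the ARN with the
# aws-reserved/sso.amazonaws.com/ path component removed. ARNs without that
# path are printed unchanged.
sso_role_arn_for_aws_auth() {
    printf '%s\n' "$1" | sed 's#:role/aws-reserved/sso\.amazonaws\.com/#:role/#'
}

# map_roles_entry ARN USERNAME GROUP -> prints one mapRoles list item for the
# aws-auth ConfigMap, already using the trimmed ARN. The leading "-" is passed
# as an argument so the format string never starts with a dash.
map_roles_entry() {
    arn=$(sso_role_arn_for_aws_auth "$1")
    printf '%s rolearn: %s\n  username: %s\n  groups:\n    - %s\n' '-' "$arn" "$2" "$3"
}

# Usage: paste the printed item under mapRoles in the aws-auth ConfigMap
# (kubectl -n kube-system edit configmap aws-auth). Username and group below
# are hypothetical values; pick the ones your cluster's RBAC expects.
if is_sso_role_arn "$SSO_ROLE_ARN"; then
    echo "SSO role detected, trimming path for aws-auth:"
fi
map_roles_entry "$SSO_ROLE_ARN" sso-admin system:masters
```

Running it prints a mapRoles item whose rolearn is arn:aws:iam::123456789012:role/AWSReservedSSO_ExampleRole_0123456789abcdef, i.e. the console ARN without the reserved path; feeding a plain, non-SSO role ARN through the same function leaves it untouched, so the helper is safe to apply to every role you map.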
And that's it; on macOS, now and then aws-vault will ask you to unlock the Keychain, but that's about it.