i have one pretty old but uses the same principal RU-vid - ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-EGdN21F2Jfw.html Blog - antonputra.com/kubernetes/add-iam-user-and-iam-role-to-eks/
welcome! Kubernetes does not have RBAC groups objects you can only find them by describing bindings. my-viewer - github.com/antonputra/tutorials/blob/main/lessons/196/1-example/1-viewer-cluster-role-binding.yaml#L12C11-L12C20 my-admin - github.com/antonputra/tutorials/blob/main/lessons/196/2-example/admin-cluster-role-binding.yaml#L12
Hi Can you suggest when we give Iam user Iam user1 verbs list watch read for a specific role then how the user1 will list and watch the deployment, config map etc with utilizing their Iam user?
Sure, first you create RBAC role/cluster role, then you map that role with RBAC group for example viewer, then you create IAM user and map that user with viewer RBAC role using EKS API. I cover it in the video
@@AntonPutra thanks for quick reply, can you suggest the differences generally we create a role and role binding then generate a kubeconfig for that user and deployed the kubeconfig at user machine or profile but here we are using I am to authenticate so that time we are binding the same role of K8s with user to assume i,e here user will not require the kubeconfi file and user will manage via IAM user profile i.e if user will remove from AWS IAM then he or she will not be able to access and here you are using same machine to generate multiple profiles which should not be a good practice and we have to use either to create multiple users in single machine on aws jump server to connect? will appreciate to clear my doubts
@@Kk-rl7nv In the real world, most of the time, we would use federated users managed by Okta or Azure Active Directory. So, you, the user, will be able to assume roles from the get-go. You just add that role to the EKS. I didn't get the rest of the question.
I have a question, how to pass group arn for principal_arn variable under aws_eks_access_entry resource ? Where I try to pass the group arn directly It is getting failed."InvalidParameterException: The principalArn parameter format is not valid"
@@AntonPutra ok, Then every user we need to grant separately. Is there a way to assign it to group. I just want simplify access management with aws groups instead of individual users.
@@chandrashekharn6539 you can create IAM Group that would allow assuming IAM role to access EKS cluster, so in that way you only need to place your IAM user to that group only
@@chandrashekharn6539 1. Create IAM role “my-role” - github.com/antonputra/tutorials/blob/main/lessons/196/terraform/10-add-manager-role.tf#L3-L54 2. Create IAM group “my-group” 3. Create IAM policy “my-assume-policy” which would allow IAM user to assume “”my-role - github.com/antonputra/tutorials/blob/main/lessons/196/terraform/10-add-manager-role.tf#L60-L77 4. Create IAM user and place it in “my-group” IAM group 5. Bind EKS with IAM role “my-role” - github.com/antonputra/tutorials/blob/main/lessons/196/terraform/10-add-manager-role.tf#L85-L89
helo anton please advice, when I tried to update-kubeconfig with eks-admin it says: "when calling the DescribeCluster operation: The security token included in the request is invalid"
you have tried this? delete credentials and reconfigure? also try to clean aws cache stackoverflow.com/questions/34582318/how-can-i-resolve-the-error-the-security-token-included-in-the-request-is-inval
