If you are using AWS IAM Identity Center and have granted a role access to an AWS EKS (Elastic Kubernetes Service) cluster, but you still cannot access the cluster when you run a kubectl command, you have probably mapped the role ARN in your aws-auth ConfigMap and yet still cannot reach the resources. Today, I'm going to show you how to fix this error.
The error itself is self-explanatory: it means that the identity you are using is not mapped in your aws-auth ConfigMap. You can get your identity with the following command.
aws sts get-caller-identity
The output should look like this:
{
    "UserId": "MHJASP3JQH33XASR4QUJH:email@domain.com",
    "Account": "123456789101",
    "Arn": "arn:aws:sts::123456789101:assumed-role/AWSReservedSSO_AdministratorAccess_kjyt2f5261711363/email@domain.com"
}
The Arn in that output is the STS assumed-role ARN. If that is what you put in the ConfigMap, it is incorrect; aws-auth needs the IAM role ARN. Let's go to the IAM console to find it.
You have probably already done this, and at this point you are wondering why it does not work when it is exactly what you did. Well, the role ARN that the IAM console shows contains an extra path segment that EKS does not recognize as part of the role itself. Let's fix that. You need to remove the /aws-reserved/sso.amazonaws.com/us-west-2 path, which leaves:
arn:aws:iam::123456789101:role/AWSReservedSSO_AdministratorAccess_kjyt2f5261711363
Now that the role ARN is corrected, add this entry under mapRoles in your aws-auth ConfigMap, and you should be able to access the EKS cluster.
  - groups:
      - system:masters
    rolearn: arn:aws:iam::123456789101:role/AWSReservedSSO_AdministratorAccess_kjyt2f5261711363
    username: master:{{SessionName}}
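As an added example that is not part of the original post, the Python helper below derives the rolearn that mapRoles expects from the ARN returned by get-caller-identity and reports which of the two mistakes above (STS ARN, or IAM ARN with the aws-reserved path) a ConfigMap entry makes. The mapRoles list is constructed sample data, and the eks-node-group-role entry in it is hypothetical.

```python
import re

# STS ARN from `aws sts get-caller-identity` for an assumed role:
# arn:aws:sts::ACCOUNT:assumed-role/ROLE_NAME/SESSION_NAME
STS_ASSUMED_ROLE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[^/]+)/.+$")
# IAM role ARN, optionally with a path such as
# role/aws-reserved/sso.amazonaws.com/us-west-2/ROLE_NAME
IAM_ROLE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):iam::(?P<account>\d{12}):role/"
    r"(?:.+/)?(?P<role>[^/]+)$")

def expected_rolearn(arn: str) -> str:
    """Return the path-less IAM role ARN that aws-auth mapRoles matches on."""
    m = STS_ASSUMED_ROLE.match(arn) or IAM_ROLE.match(arn)
    if not m:
        raise ValueError(f"not an assumed-role or IAM role ARN: {arn}")
    return f"arn:{m['partition']}:iam::{m['account']}:role/{m['role']}"

def diagnose(caller_arn: str, map_roles: list) -> str:
    """Say whether the caller matches a mapRoles entry and, if not, why."""
    want = expected_rolearn(caller_arn)
    for entry in map_roles:
        have = entry.get("rolearn", "")
        if have == want:
            return f"mapped: groups={entry.get('groups')} username={entry.get('username')}"
        try:
            same_role = expected_rolearn(have) == want
        except ValueError:
            continue  # not a role ARN at all; skip it
        if same_role and ":sts:" in have:
            return "entry uses the STS assumed-role ARN; use the IAM role ARN instead"
        if same_role:
            return "entry keeps the IAM role path; remove it from rolearn"
    return "no mapRoles entry for this role"

# Constructed sample data: the caller identity from the post and a mapRoles
# list whose Identity Center entry still carries the aws-reserved path.
CALLER = ("arn:aws:sts::123456789101:assumed-role/"
          "AWSReservedSSO_AdministratorAccess_kjyt2f5261711363/email@domain.com")
MAP_ROLES = [
    {"rolearn": "arn:aws:iam::123456789101:role/eks-node-group-role",  # hypothetical
     "username": "system:node:{{EC2PrivateDNSName}}",
     "groups": ["system:bootstrappers", "system:nodes"]},
    {"rolearn": "arn:aws:iam::123456789101:role/aws-reserved/sso.amazonaws.com/"
                "us-west-2/AWSReservedSSO_AdministratorAccess_kjyt2f5261711363",
     "username": "master:{{SessionName}}", "groups": ["system:masters"]},
]
```

Calling diagnose(CALLER, MAP_ROLES) on this sample reports the leftover role path; the "mapped" result also shows the groups an entry grants, and since system:masters is cluster-admin, map Identity Center permission sets to narrower groups where you can.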
That is it, and hopefully I saved you some time looking up this error.