Add IAM Users to AWS-AUTH config to access EKS Cluster

Sravan K
Apr 27, 2022

Hey NetHeads!! Recently I came across a scenario where IAM users needed access to perform actions on an EKS cluster. After searching Google, all I found was advice to update the aws-auth config map manually and add each user under mapUsers.

In this story, I’ll walk you through an automated way to add and remove users in the config map using Terraform.

Before you start

It’s not working for me…

Here you go. Make sure to install the following software before you gear up to add users.

  • Terraform (> 0.14)
  • An AWS account
  • Permissions in that account to create an EKS cluster

Setting IAM User Group

  1. Log in to the AWS console and go to the IAM service.
  2. Go to User groups and click the Create group button.
  3. Enter a meaningful name to identify the group, for example: eks-user-group
  4. Attach the EKS permission policy to the group and click the Create group button.

Setting IAM User

We will now create a user and add it to the user group created above, so that group membership provisions EKS cluster access.

  1. Log in to the AWS console and go to the IAM service.
  2. Go to Users and click the Add users button.
  3. Enter a meaningful username, for example eks-developer, and choose Access Key as the AWS credential type.
  4. Choose the user group created above.
  5. Ignore the tags and click the Create user button.

Now that we have a user and a user group, let’s write a Terraform script that grants EKS cluster access to all users added to the eks-user-group.

Terraform Script

We will use a Terraform data source to look up the user group:

data "aws_iam_group" "developer_iam_group" {
  group_name = "eks-user-group"
}

Now include the snippet below to iterate over the IAM group’s members and build one aws-auth entry per user.

locals {
  # One mapUsers entry per member of the IAM group.
  # system:masters is bound to cluster-admin by default; use a narrower
  # Kubernetes group if the developers do not need full cluster rights.
  users_map_obj = [
    for user in data.aws_iam_group.developer_iam_group.users : {
      userarn  = user.arn
      username = user.user_name
      groups   = tolist(["system:masters"])
    }
  ]
}

The local value users_map_obj holds the list of users to be mapped into the aws-auth config map to grant access to the EKS cluster.

Now configure aws-auth by passing the local value users_map_obj to the eks module’s map_users input variable.

module "eks" {
  source          = "terraform-aws-modules/eks/aws"
  version         = "17.24.0"
  cluster_name    = local.cluster_name
  cluster_version = "1.20"
  subnets         = module.vpc.private_subnets
  map_users       = local.users_map_obj
  // custom code here
}

This lets the developer update the aws-auth config map programmatically by re-running the Terraform script whenever an IAM user is added to or removed from the configured IAM user group.
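As an added example (not code from the post or the eks module), the script below mirrors the Terraform local in Python and checks the mapUsers entries currently in a cluster against the IAM group membership, so stale entries for users removed from the group, and users still mapped to system:masters, are easy to spot. All user ARNs and the account id are constructed placeholders.

```python
# Added example, not code from the post: builds the same mapUsers entries as the
# Terraform local users_map_obj and checks a cluster's current aws-auth mapUsers
# list for drift against the IAM group. All ARNs below are constructed.

EKS_ADMIN_GROUP = "system:masters"  # bound to cluster-admin by default

# Constructed: what data.aws_iam_group.developer_iam_group.users would return.
SAMPLE_GROUP_USERS = [
    {"arn": "arn:aws:iam::111122223333:user/alice", "user_name": "alice"},
    {"arn": "arn:aws:iam::111122223333:user/bob", "user_name": "bob"},
]

# Constructed: entries currently in the cluster's aws-auth ConfigMap.
# carol was removed from the IAM group; bob was added but not yet applied.
CURRENT_MAP_USERS = [
    {"userarn": "arn:aws:iam::111122223333:user/alice", "username": "alice",
     "groups": ["system:masters"]},
    {"userarn": "arn:aws:iam::111122223333:user/carol", "username": "carol",
     "groups": ["system:masters"]},
]


def build_map_users(users, groups=(EKS_ADMIN_GROUP,)):
    """Same shape as the Terraform local: one entry per IAM group member."""
    return [{"userarn": u["arn"], "username": u["user_name"],
             "groups": list(groups)} for u in users]


def render_map_users(entries):
    """Render entries as the YAML list stored under mapUsers in aws-auth."""
    lines = []
    for e in entries:
        lines.append(f"- userarn: {e['userarn']}")
        lines.append(f"  username: {e['username']}")
        lines.append("  groups:")
        lines.extend(f"    - {g}" for g in e["groups"])
    return "\n".join(lines) + "\n"


def diff_map_users(expected, actual):
    """Return (missing, stale) user ARNs; stale ones outlive group removal."""
    want = {e["userarn"] for e in expected}
    have = {e["userarn"] for e in actual}
    return sorted(want - have), sorted(have - want)


def admins(entries):
    """User ARNs that are mapped to system:masters, i.e. cluster-admin."""
    return sorted(e["userarn"] for e in entries if EKS_ADMIN_GROUP in e["groups"])


if __name__ == "__main__":
    expected = build_map_users(SAMPLE_GROUP_USERS)
    print(render_map_users(expected))
    print("missing/stale:", diff_map_users(expected, CURRENT_MAP_USERS))
    print("cluster admins:", admins(CURRENT_MAP_USERS))
```

Running it shows bob as missing from the cluster and carol as a stale entry that a Terraform apply would remove.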

Now I can play around with the EKS cluster.
