Hey NetHeads!! Recently I ran into a scenario where IAM users needed permission to perform actions on an EKS cluster. After searching Google, all I found was advice to edit the aws-auth ConfigMap by hand and add each user under mapUsers.
In this story, I'll walk you through an automated way to add and remove users from the ConfigMap using Terraform.
Before you start
Make sure you have the following in place before you start adding users:
- Terraform (> 0.14)
- An AWS account
- Access to that AWS account with rights to create an EKS cluster
Setting up the IAM User Group
1. Log in to the AWS console and go to the IAM service.
2. Go to User groups and click the Create group button.
3. Enter a meaningful name to identify the group, for example eks-user-group.
4. Attach the EKS permission policy to the group and click the Create group button.
Setting up the IAM User
We will now create a user and add it to the user group created above so that it receives EKS cluster access.
1. Log in to the AWS console and go to the IAM service.
2. Go to Users and click the Add users button.
3. Enter a meaningful username, for example eks-developer, and choose Access Key as the AWS credentials type.
4. Choose the user group created above.
5. Ignore the tags and click the Create user button.
Now that we have a user and a user group, let's write a Terraform script that enables EKS cluster access for all users added to eks-user-group.
Terraform Script
We will make use of the aws_iam_group Terraform data source to look up the user group:

```hcl
data "aws_iam_group" "developer_iam_group" {
  group_name = "eks-user-group"
}
```
Now, let's include the snippet below to iterate over the IAM group data and build one mapping entry per user:

```hcl
locals {
  # One aws-auth mapUsers entry per current member of the IAM group.
  users_map_obj = [
    for user in data.aws_iam_group.developer_iam_group.users : {
      userarn  = user.arn
      username = user.user_name
      groups   = ["system:masters"]
    }
  ]
}
```
The local variable users_map_obj holds the list of users to be mapped into the aws-auth ConfigMap, which enables their access to the EKS cluster.
Now you can configure aws-auth by passing the local variable users_map_obj to the eks module's input variable map_users:
```hcl
module "eks" {
  source          = "terraform-aws-modules/eks/aws"
  version         = "17.24.0"
  cluster_name    = local.cluster_name          # defined elsewhere in your configuration
  cluster_version = "1.20"
  subnets         = module.vpc.private_subnets  # VPC module defined elsewhere in your configuration
  map_users       = local.users_map_obj
  # custom code here
}
```
This lets the developer update the aws-auth ConfigMap programmatically by running the Terraform script whenever an IAM user is added to or removed from the configured IAM user group: the data source re-reads the group membership on every plan, so the mapUsers entries always mirror the group.
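The snippets above, assembled into one complete configuration as an added example (this is not the author's code). It keeps the same data source, locals and eks module, but maps the group members to a custom Kubernetes group named eks-developers and binds that group to the built-in view ClusterRole, so group membership grants read-only access instead of the cluster-admin rights that system:masters carries; change the role_ref to edit or admin if the group needs more. The region, the local cluster_name, the eks-developers group name and the module "vpc" reference are assumptions, and the kubernetes provider block is required because eks module v17 writes aws-auth through that provider.

```hcl
terraform {
  required_version = ">= 0.14"
}

provider "aws" {
  region = "us-east-1" # assumed region
}

locals {
  cluster_name = "eks-demo" # assumed cluster name
}

variable "iam_group_name" {
  description = "IAM group whose members are granted cluster access"
  type        = string
  default     = "eks-user-group"
}

# Look up the IAM group; its `users` attribute lists the current members.
data "aws_iam_group" "developer_iam_group" {
  group_name = var.iam_group_name
}

locals {
  # Members are mapped to a custom Kubernetes group (assumed name), not
  # system:masters, so their rights come from the RBAC binding below.
  users_map_obj = [
    for user in data.aws_iam_group.developer_iam_group.users : {
      userarn  = user.arn
      username = user.user_name
      groups   = ["eks-developers"]
    }
  ]
}

module "eks" {
  source          = "terraform-aws-modules/eks/aws"
  version         = "17.24.0"
  cluster_name    = local.cluster_name
  cluster_version = "1.20"
  vpc_id          = module.vpc.vpc_id          # assumed VPC module
  subnets         = module.vpc.private_subnets # assumed VPC module
  map_users       = local.users_map_obj
}

# The module manages the aws-auth ConfigMap through the kubernetes
# provider, which must be pointed at the cluster it just created.
data "aws_eks_cluster_auth" "this" {
  name = module.eks.cluster_id
}

provider "kubernetes" {
  host                   = module.eks.cluster_endpoint
  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
  token                  = data.aws_eks_cluster_auth.this.token
}

# Grant the mapped group read-only rights via the built-in `view` ClusterRole.
resource "kubernetes_cluster_role_binding" "developers_view" {
  metadata {
    name = "eks-developers-view"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "view"
  }
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "eks-developers"
  }
}

# Shows exactly which entries will land in aws-auth mapUsers on apply.
output "mapped_users" {
  value = local.users_map_obj
}
```

After terraform apply, kubectl get configmap aws-auth -n kube-system -o yaml shows one mapUsers entry per group member, and removing a user from the IAM group and re-running apply drops that entry again.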