How can I grant EKS cluster permissions to an AWS SSO user?

Overview

AWS Elastic Kubernetes Service (EKS) allows seamless deployment, management, and scaling of containerized applications using Kubernetes. Amazon Web Services (AWS) Single Sign-On (SSO) can be used to manage access to your AWS resources, including EKS clusters. Granting EKS cluster permissions to AWS SSO users involves setting up roles, managing policies, and configuring AWS SSO accordingly. In this article, we will discuss the step-by-step process to provide AWS SSO users access to an EKS cluster, including examples and technical explanations.

Prerequisites

Before we dive into granting permission, ensure you meet the following prerequisites:

  • An AWS account with administrative access.
  • An existing EKS cluster.
  • AWS CLI and `kubectl` installed and configured.
  • AWS SSO already set up in your AWS account.

Setting Up AWS IAM Roles for EKS Access

Step 1: Create an IAM Role for SSO Access

To provide an AWS SSO user with the necessary permissions to access an EKS cluster, you need to create an IAM role that can be assumed by AWS SSO.

  1. Open the IAM console.
  2. Choose Roles and then Create role.
  3. Under Select trusted entity, choose AWS service.
  4. Select EC2 from the list and click Next: Permissions.
  5. In the search bar, type `AmazonEKSClusterPolicy` and select the corresponding policy to attach it to the role.
  6. Click on Next: Tags and optionally add tags for easier management.
  7. Click Next: Review, provide a Role name such as `EKS-SSO-AccessRole`, and finally hit Create role.

Step 2: Edit the Trust Relationship

  1. In the IAM roles section, click on your newly created role.
  2. Under the Trust relationships tab, select Edit trust relationship.
  3. Modify the policy to allow AWS SSO to assume this role. Replace the placeholders with your AWS account ID and SSO principal:
    • `AmazonEKSClusterPolicy`
    • `AmazonEKSWorkerNodePolicy`
    • `AmazonEKS_CNI_Policy`
    • Custom inline policy for SSO permissions.
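
The trust policy that Step 2 refers to is not shown on the page. As an added example (not the article's own policy), the Python below builds one way to scope the trust to the role that a single SSO permission set provisions, and audits a trust policy for the EC2 service principal that Step 1 leaves in place or for an unconditioned account principal. The account ID `111122223333`, the permission set name `EKSAdmin` and all function names are assumptions made for illustration.

```python
import json

# Constructed sample: the trust policy Step 1 leaves behind when EC2 is the trusted entity.
EC2_DEFAULT_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

def sso_role_pattern(account_id, permission_set):
    # AWS SSO creates permission-set roles under this reserved path,
    # named AWSReservedSSO_<permission set>_<generated suffix>.
    return (f"arn:aws:iam::{account_id}:role/aws-reserved/sso.amazonaws.com/"
            f"*/AWSReservedSSO_{permission_set}_*")

def build_trust_policy(account_id, permission_set):
    """Trust only the role that one permission set provisions in this account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnLike": {
            "aws:PrincipalArn": sso_role_pattern(account_id, permission_set)}}}]}

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def audit_trust_policy(policy):
    """Return findings for Allow statements broader than an SSO-scoped trust."""
    findings = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal")
            continue
        for svc in as_list(principal.get("Service", [])):
            findings.append(f"statement {i}: service principal {svc} still trusted")
        # Only the presence of the condition key is checked, not its operator.
        scoped = any(isinstance(keys, dict) and "aws:PrincipalArn" in keys
                     for keys in st.get("Condition", {}).values())
        for arn in as_list(principal.get("AWS", [])):
            if (arn == "*" or arn.endswith(":root")) and not scoped:
                findings.append(f"statement {i}: {arn} trusted without aws:PrincipalArn condition")
    return findings

if __name__ == "__main__":
    policy = build_trust_policy("111122223333", "EKSAdmin")  # placeholder values
    print(json.dumps(policy, indent=2))
    print(audit_trust_policy(EC2_DEFAULT_TRUST), audit_trust_policy(policy))
```

An empty findings list means every Allow statement is limited to the SSO-provisioned role pattern; any finding names the statement index to revisit in the Trust relationships tab.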
