amazon-eks-single-sign-on-using-aws-sso
https://aws.amazon.com/blogs/containers/a-quick-path-to-amazon-eks-single-sign-on-using-aws-sso/
This assumes Azure AD is enabled and SSO for AWS is already integrated. If not, please follow the link above.
Now add these users to the AWS SSO app:
Go to Azure Active Directory --> Enterprise applications --> select your app
We have added both the eksadmin and eksreadonly users to the app.
Let's verify the users in the AWS console as well:
Create an aws-auth identity mapping for the EKSClusterAdminAccess role.
The aws-auth ConfigMap before the change:
# kubectl get cm aws-auth -n kube-system -o yaml
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::176886134554:role/eksctl-eksdemo-nodegroup-eksdemo-n-NodeInstanceRole-GH9DKQBuxdha
      username: system:node:{{EC2PrivateDNSName}}
kind: ConfigMap
metadata:
  creationTimestamp: "2024-03-16T05:56:45Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1416"
  uid: 210a92e9-2b43-4395-b002-69a9d7549d78
Create the identity mappings:
eksctl create iamidentitymapping \
  --cluster eksdemo \
  --arn arn:aws:iam::176886134554:role/AWSReservedSSO_ReadOnlyAccess_c77f42e70907aa5d \
  --username cluster-view-only \
  --group system:reader \
  --region us-east-1
eksctl create iamidentitymapping \
  --cluster eksdemo \
  --arn arn:aws:iam::176886134554:role/AWSReservedSSO_AdministratorAccess_026e0779fc59ced0 \
  --username cluster-admin \
  --group system:masters \
  --region us-east-1
# kubectl get cm aws-auth -n kube-system -o yaml
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::176886134554:role/eksctl-eksdemo-nodegroup-eksdemo-n-NodeInstanceRole-GH9DKQBuxdha
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - system:reader
      rolearn: arn:aws:iam::176886134554:role/AWSReservedSSO_ReadOnlyAccess_c77f42e70907aa5d
      username: cluster-view-only
    - groups:
      - system:masters
      rolearn: arn:aws:iam::176886134554:role/AWSReservedSSO_AdministratorAccess_026e0779fc59ced0
      username: cluster-admin
  mapUsers: |
    []
kind: ConfigMap
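The aws-auth ConfigMap above is the cluster's entire trust mapping from Identity Center roles to Kubernetes identities, so it is worth checking mechanically rather than by eye. The following is an added example, not code from the original post or from eksctl: a small Python script that parses a mapRoles block of the shape shown above, normalizes each role ARN to the form aws-auth matches on (role name only, with no IAM path, which matters because IAM Identity Center creates its roles under /aws-reserved/sso.amazonaws.com/<region>/), and flags every mapping that grants system:masters. The sample input is constructed from the page's three mappings plus one deliberately broken entry whose role name and hash suffix are placeholders; the function names are this example's own.

```python
"""Audit the mapRoles block of an EKS aws-auth ConfigMap.

Added example (not from the original post). It assumes mapRoles has exactly the
shape shown on this page: a list of entries with groups, rolearn and username
keys. The parser is deliberately minimal so the block runs with the standard
library alone; real tooling should use yaml.safe_load on the ConfigMap data.
"""

# Constructed sample input: the three mappings from the page plus one extra,
# deliberately wrong entry (role name and hash suffix are placeholders) whose
# rolearn still carries the IAM path that Identity Center roles are created with.
SAMPLE_MAP_ROLES = """\
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::176886134554:role/eksctl-eksdemo-nodegroup-eksdemo-n-NodeInstanceRole-GH9DKQBuxdha
  username: system:node:{{EC2PrivateDNSName}}
- groups:
  - system:reader
  rolearn: arn:aws:iam::176886134554:role/AWSReservedSSO_ReadOnlyAccess_c77f42e70907aa5d
  username: cluster-view-only
- groups:
  - system:masters
  rolearn: arn:aws:iam::176886134554:role/AWSReservedSSO_AdministratorAccess_026e0779fc59ced0
  username: cluster-admin
- groups:
  - system:masters
  rolearn: arn:aws:iam::176886134554:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_PLACEHOLDER_0000000000000000
  username: placeholder-admin
"""


def parse_map_roles(text):
    """Parse the mapRoles list into dicts with groups/rolearn/username keys."""
    entries = []
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if line.startswith("- ") and not indented:
            # A new mapping starts; the rest of the line is its first key.
            current = {"groups": [], "rolearn": None, "username": None}
            entries.append(current)
            line = line[2:].strip()
        elif line.startswith("- "):
            # An indented list item is one of the current entry's groups.
            current["groups"].append(line[2:].strip())
            continue
        # Split on the first colon only: ARNs and usernames contain colons.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("rolearn", "username"):
            current[key] = value
    return entries


def normalize_role_arn(arn):
    """Return the ARN in the form aws-auth matches on: role name without IAM path.

    IAM Identity Center creates its roles under the path
    /aws-reserved/sso.amazonaws.com/<region>/, but aws-auth (and the eksctl
    commands on this page) expect arn:aws:iam::<account>:role/<RoleName>.
    A pasted-from-IAM ARN that still carries the path never matches, and the
    SSO user is denied by the cluster even though the mapping "looks" right.
    """
    prefix, sep, rest = arn.partition(":role/")
    if not sep:
        return arn
    role_name = rest.rsplit("/", 1)[-1]
    return f"{prefix}{sep}{role_name}"


def audit_map_roles(entries):
    """Return (username, finding-code) pairs a reviewer should look at."""
    findings = []
    for entry in entries:
        arn = entry["rolearn"] or ""
        if normalize_role_arn(arn) != arn:
            findings.append((entry["username"], "rolearn-has-iam-path"))
        if "system:masters" in entry["groups"]:
            # system:masters is bound to cluster-admin by a built-in
            # ClusterRoleBinding, so RBAC cannot narrow it afterwards; every
            # such mapping is a full-admin grant that needs explicit review.
            findings.append((entry["username"], "grants-system-masters"))
    return findings


if __name__ == "__main__":
    for user, code in audit_map_roles(parse_map_roles(SAMPLE_MAP_ROLES)):
        print(f"{code}: {user}")
```

Run against a live cluster with the mapRoles text taken from `kubectl get cm aws-auth -n kube-system -o jsonpath='{.data.mapRoles}'`; on the sample it reports the expected admin grant for cluster-admin and both problems for the placeholder entry.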
Now let's create the role and the role bindings that bind the groups system:reader and system:masters to the view-only and cluster-admin roles respectively.
kubectl apply -f cluster-admin-rolebinding.yaml
kubectl apply -f cluster-viewonly.yaml
kubectl apply -f cluster-viewonly-rolebinding.yaml
Now generate the SSO profile for the admin user first:
C:\Users\tushar dashpute\.aws> **aws configure sso**
SSO session name (Recommended): eksadmin
SSO start URL [None]: https://d-9067fba349.awsapps.com/start#
SSO region [None]: us-east-1
SSO registration scopes [sso:account:access]: eksadmin
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-east-1.amazonaws.com/
Then enter the code:
KDPM-SDTF
The only AWS account available to you is: 176886134554
Using the account ID 176886134554
The only role available to you is: AdministratorAccess
Using the role name "AdministratorAccess"
CLI default client Region [us-east-1]:
CLI default output format [json]:
CLI profile name [AdministratorAccess-176886134554]:
To use this profile, specify the profile name using --profile, as shown:
aws s3 ls --profile AdministratorAccess-176886134554
Now verify the AWS profile:
Generate the kubeconfig with this admin SSO role:
Let's try to create a sample deployment with this user and then delete it:
If you look at the kubeconfig, you can see that user authentication is done using the AWS_PROFILE AdministratorAccess-176886134554.
Now generate the SSO profile for the view-only user:
We get an error on deployment creation, because this user does not have permission to create deployments.
If you look at the kubeconfig, you can see that user authentication is done using the AWS_PROFILE ReadOnlyAccess-176886134554.