How Do You Create an AWS User with Web Console Access to View EKS Clusters in the AWS Console?

One of the following problem scenarios applies.

Problem scenario #1
You want an AWS user to be able to log into the web console and view EKS clusters.  How do you do this?

OR

Problem scenario #2
You are using AWS and when you log into the AWS Console via a web browser with a user who is a member of a Group with two EKS policies, you go to Amazon EKS. But you see this error:

"AccessDeniedException User: arn:aws:iam::12345678910:user/funuser is not authorized to perform: eks:ListClusters on resource: arn:aws:eks:us-west-2:12345678910:cluster/*"

Can an IAM Role be used with the web console? How do you create an AWS user with web console access to view EKS clusters in the AWS Console?

Solution
Prerequisites

i.  This solution assumes you have an AWS user created with console access.  If you need help with this, see this posting.

ii.  This solution assumes the user has two EKS policies applied (either through a group or through direct attachment).  If you need help with this, see this posting.

iii. This assumes you have an ARN for a role that can manage Kubernetes clusters.  If you need help with creating this IAM Role that can manage Kubernetes/EKS clusters, see this posting.

If the role exists and you need help finding/determining the ARN, do either a or b below:

a.  If you have AWS CLI configured for the region that has a cluster in EKS, run this command to find the ARN: aws sts get-caller-identity

b.  If the role has already been created and you need help determining this, go here: https://console.aws.amazon.com/iam/home?
Then go to "Roles" on the left.  Find the name, e.g., "goodrole", and click on it, as it should be hyperlinked.  The "Role ARN" should be near the top.  It will be in this format: "arn:aws:iam::12345678910:role/rolename"
You will need this value later.

Procedures
1.  Log into the AWS console.
2.  Go to this link: https://console.aws.amazon.com/iam/
3.  Go to "Policies" then click "Create policy."  
4.  Go to the JSON tab.  Paste this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:*"
            ],
            "Resource": "*"
        }
    ]
}

5.  Click "Review policy".
6.  Enter any name you want.  Remember the name for later.
7.  Click "Create Policy".
8.  Go to "Policies" then click "Create policy."  
9.  Go to the JSON tab.  Paste this but replace "arn:aws:iam::12345678910:role/rolename" with the ARN of the role that allows for the managing of EKS clusters*:

{
    "Version": "2012-10-17",
    "Statement": [
    {
        "Sid": "PolicyStatementToAllowUserToPassOneSpecificRole",
        "Effect": "Allow",
        "Action": [ "iam:PassRole" ],
        "Resource": "arn:aws:iam::12345678910:role/rolename"
    }
    ]
}

10.  Click "Review policy".
11.  Enter any name you want.  Remember this name for later too.
12.  Click "Create Policy".
13.  Click on "Users" on the left.
14.  Click on the user that you want to be able to have full EKS rights (the user with the problem).
15.  Click on the "Permissions" tab then the "Add permissions" button.
16.  At the top, click on  "Attach existing policies directly."
17.  Select each of the two policies created earlier (based on their custom names from steps #6 and #11 above).
18.  Click "Next: Review".
19.  Click "Add permissions".
20.  Now you are done.  The user may have to refresh the web UI (but not necessarily log out).


* To find this go to IAM -> Roles and click on the Role you want to find.
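
Added example (not part of the original post): a small Python audit of the two policies from steps 4 and 9, flagging wildcard actions and an iam:PassRole grant that lacks an iam:PassedToService condition. VIEW_ONLY_POLICY and its action list are an assumed narrower alternative for a user who only needs to view clusters, and audit() is a hypothetical helper, not an AWS API.

```python
import json

# The two policies from the page (account id and role name are the page's placeholders).
EKS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["eks:*"], "Resource": "*"}]}
PASSROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PolicyStatementToAllowUserToPassOneSpecificRole", "Effect": "Allow",
     "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::12345678910:role/rolename"}]}

# Assumption (not from the page): a narrower policy for a user who only views clusters.
VIEW_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ViewEksClusters", "Effect": "Allow",
     "Action": ["eks:ListClusters", "eks:DescribeCluster",
                "eks:ListNodegroups", "eks:DescribeNodegroup"],
     "Resource": "*"}]}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return (statement label, finding) pairs for over-broad Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((label, f"wildcard action {action}"))
        if any(a.lower() in ("iam:passrole", "iam:*", "*") for a in actions):
            if "*" in _as_list(stmt.get("Resource", [])):
                findings.append((label, "iam:PassRole allowed on every role"))
            # Condition keys are case-insensitive, so compare in lower case.
            conditions = json.dumps(stmt.get("Condition", {})).lower()
            if "iam:passedtoservice" not in conditions:
                findings.append((label, "iam:PassRole without iam:PassedToService"))
    return findings


if __name__ == "__main__":
    for name in ("EKS_POLICY", "PASSROLE_POLICY", "VIEW_ONLY_POLICY"):
        print(name, audit(globals()[name]) or "no findings")
```

The step 9 policy is already scoped to a single role ARN, so the only finding there is the missing service condition; for EKS the condition value would be "eks.amazonaws.com".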
