
AWS Tutorials: How to manually grant your Federated IAM User access to kubectl in AWS EKS?

The AWS EKS authentication method has changed in 2025, and the aws-auth ConfigMap is no longer used for adding IAM roles. Instead, IAM access entries are managed under the Access tab in the AWS Console.

Here are the updated steps to manually grant your Federated IAM User access to kubectl in AWS EKS.


✅ Step 1: Identify Your Federated IAM Role

  1. Go to AWS Console → IAM → Roles
  2. Find the IAM Role associated with your Federated User (SSO/Federated Access).
  3. Copy the Role ARN, which looks like: arn:aws:iam::329599659644:role/<Federated-Role-Name>

✅ Step 2: Add the Federated IAM Role in EKS “Access” Tab

  1. Go to AWS Console → EKS → Your Cluster (evp-dev-eks)
  2. Click the Access tab.
  3. Click “Add IAM access entry”.
  4. Select IAM Role.
  5. Paste your Federated Role ARN (arn:aws:iam::329599659644:role/<Federated-Role-Name>).
  6. Assign a Cluster Role:
    • Choose Administrator Access (Full kubectl permissions) → system:masters
    • Alternatively, choose Read-Only Access (View-Only role).
  7. Click “Save Changes”.

✅ Step 3: Attach Required IAM Policies to the Federated Role

Your Federated IAM Role must have the following policies:

Attach Policies to Your Role

  1. Go to AWS Console → IAM → Roles → <Federated-Role-Name>
  2. Click Permissions → Attach Policies
  3. Add the following policies:
    • AmazonEKSClusterPolicy
    • AmazonEKSWorkerNodePolicy
    • AmazonEKSServicePolicy
    • eks:AccessKubernetesApi
  4. Click Attach Policy.

✅ Step 4: Update kubeconfig for Federated User

Once IAM access is set, update your local kubeconfig to reflect the changes:

aws eks update-kubeconfig --name evp-dev-eks --region ap-northeast-1 --role-arn arn:aws:iam::329599659644:role/<Federated-Role-Name>

Then test access:

kubectl get nodes

✅ Step 5: Verify Access

If kubectl get nodes still fails, check:

kubectl auth can-i list nodes --all-namespaces
  • If “yes”, you have access.
  • If “no”, IAM role or permissions need adjustment.
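
The console procedure in Steps 2, 4 and 5 can also be scripted with the AWS CLI. The script below is an added example, not part of the original tutorial: grant_access, valid_role_arn and DRY_RUN are names made up here, the account ID and role name are constructed placeholders, and it assumes the cluster's authentication mode allows access entries. It defaults to read-only access and only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the original tutorial): CLI form of Steps 2, 4 and 5.
# grant_access, valid_role_arn and DRY_RUN are hypothetical names.
POLICY_BASE="arn:aws:eks::aws:cluster-access-policy"

# Accept only IAM role ARNs. The assumed-role session ARN printed by
# `aws sts get-caller-identity` (arn:aws:sts::...) is rejected.
valid_role_arn() {
  printf '%s\n' "$1" |
    grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# usage: grant_access <cluster> <region> <role-arn> [view|admin]
grant_access() {
  cluster=$1; region=$2; arn=$3; level=${4:-view}
  valid_role_arn "$arn" || { echo "not an IAM role ARN: $arn" >&2; return 2; }
  case $level in
    view)  policy=AmazonEKSViewPolicy ;;          # read-only
    admin) policy=AmazonEKSClusterAdminPolicy ;;  # full control of the cluster
    *) echo "level must be view or admin" >&2; return 2 ;;
  esac
  run=echo                               # dry run: print, do not execute
  [ "${DRY_RUN:-1}" = 0 ] && run=
  # Step 2: create the access entry and associate an access policy with it.
  $run aws eks create-access-entry --cluster-name "$cluster" \
       --region "$region" --principal-arn "$arn" &&
  $run aws eks associate-access-policy --cluster-name "$cluster" \
       --region "$region" --principal-arn "$arn" \
       --policy-arn "$POLICY_BASE/$policy" --access-scope type=cluster &&
  # Step 4: point kubeconfig at the cluster through the federated role.
  $run aws eks update-kubeconfig --name "$cluster" --region "$region" \
       --role-arn "$arn" &&
  # Step 5: ask the API server whether this identity may list nodes;
  # the answer depends on the policy associated above.
  $run kubectl auth can-i list nodes
}

# Constructed sample values: placeholder account ID and role name.
DRY_RUN=1 grant_access evp-dev-eks ap-northeast-1 \
  "arn:aws:iam::111122223333:role/ExampleFederatedRole" view
```

Review the printed commands first, then rerun with DRY_RUN=0 and the real role ARN copied in Step 1.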

🎯 Summary of AWS 2025 EKS Changes

✅ The aws-auth ConfigMap is no longer used.
✅ IAM roles/users are now added via EKS “Access” Tab.
✅ Federated users need IAM role-based access via IAM access entries.
