How do I resolve an unauthorized server error when I connect to the Amazon EKS API server?

Last updated: 2020-01-20

I get the message "error: You must be logged in to the server (Unauthorized)" when I use kubectl commands to connect to the Amazon Elastic Kubernetes Service (Amazon EKS) API server. How can I resolve this error?

Short Description

Before you connect to the Amazon EKS API server, install and configure the latest version of the AWS Command Line Interface (AWS CLI).

Then, the cluster admin must complete the steps in one of the following sections:

  • You're the cluster creator
  • You're not the cluster creator

Finally, the person who received the error must complete the steps in the You're the user or role that received the error section.

Resolution

You're the cluster creator

If you created the cluster, then complete the following steps:

1.    To see the configuration of your AWS CLI user or role, run the following command:

$ aws sts get-caller-identity

The output returns the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) user or role. See the following example:

{
    "UserId": "XXXXXXXXXXXXXXXXXXXXX",
    "Account": "XXXXXXXXXXXX",
    "Arn": "arn:aws:iam::XXXXXXXXXXXX:user/testuser"
}

2.    Confirm that the ARN matches the cluster creator.

3.    Update or generate the kubeconfig file using one of the following commands.

As the IAM user, run the following command:

$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region

Note: Replace eks-cluster-name with your cluster name. Replace aws-region with your AWS Region.

As the IAM role, run the following command:

$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region --role-arn arn:aws:iam::XXXXXXXXXXXX:role/testrole

Note: Replace eks-cluster-name with your cluster name. Replace aws-region with your AWS Region.

4.    To confirm that the kubeconfig file is updated, run the following command:

$ kubectl config view --minify

5.    To confirm that your IAM user or role is authenticated, run the following command:

$ kubectl get svc

You should see output similar to the following:

NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
kubernetes      ClusterIP   10.100.0.1     <none>        443/TCP   77d

You're not the cluster creator

If you didn't create the cluster, then complete the following steps:

1.    To see the configuration of your AWS CLI user or role, run the following command:

$ aws sts get-caller-identity

The output returns the ARN of the IAM user or role.

2.    Ask the cluster owner or admin to add your IAM user or role to the aws-auth ConfigMap.

3.    To edit the aws-auth ConfigMap in a text editor, the cluster owner or admin must run the following command:

$ kubectl edit configmap aws-auth -n kube-system

4.    To add an IAM user or IAM role, complete either of the following steps.

Add the IAM user to mapUsers. See the following example:

mapUsers: |
  - userarn: arn:aws:iam::XXXXXXXXXXXX:user/testuser
    username: testuser
    groups:
      - system:masters

Add the IAM role to mapRoles. See the following example:

mapRoles: |
  - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/testrole
    username: testrole
    groups:
      - system:masters

Note: The system:masters group allows superuser access to perform any action on any resource. For more information, see Default Roles and Role Bindings.
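As an added example that is not part of this article, the following Python script lets an admin check offline whether the ARN reported by aws sts get-caller-identity matches a mapUsers or mapRoles entry like the ones above. It handles the common mismatch where an assumed role is reported as an STS assumed-role ARN while mapRoles expects the IAM role ARN, and it flags entries that grant system:masters. The ConfigMap contents, the account ID 111122223333 and the helper names normalize_arn, parse_mappings and diagnose are constructed for this example.

```python
import re

# Constructed sample: the `data` field of the aws-auth ConfigMap after the admin
# added the mappings shown above (account ID and names are placeholders).
AWS_AUTH_DATA = {
    "mapRoles": ("- rolearn: arn:aws:iam::111122223333:role/testrole\n"
                 "  username: testrole\n  groups:\n    - system:masters\n"),
    "mapUsers": ("- userarn: arn:aws:iam::111122223333:user/testuser\n"
                 "  username: testuser\n  groups:\n    - system:masters\n"),
}

# `aws sts get-caller-identity` reports an assumed role as an STS ARN, but
# mapRoles must list the IAM role ARN, so normalize before comparing.
ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/.+$")

def normalize_arn(arn):
    m = ASSUMED_ROLE.match(arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn

def parse_mappings(block):
    """Parse the flat YAML list stored in mapUsers/mapRoles (no PyYAML needed)."""
    entries, current, in_groups = [], None, False
    for line in filter(None, (l.strip() for l in block.splitlines())):
        if line.startswith(("- userarn:", "- rolearn:")):
            key, _, value = line[2:].partition(":")
            current = {key: value.strip(), "groups": []}
            entries.append(current)
            in_groups = False
        elif line == "groups:":
            in_groups = True
        elif in_groups and line.startswith("- "):
            current["groups"].append(line[2:].strip())
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def diagnose(caller_arn, data):
    """Report whether the caller is mapped, through which section, and how much access."""
    arn = normalize_arn(caller_arn)
    for section, key in (("mapUsers", "userarn"), ("mapRoles", "rolearn")):
        for entry in parse_mappings(data.get(section, "")):
            if entry.get(key) == arn:
                return {"mapped": True, "via": section, "username": entry["username"],
                        "groups": entry["groups"],
                        "superuser": "system:masters" in entry["groups"]}
    # Not mapped: this is the state that produces "You must be logged in to the server".
    return {"mapped": False, "via": None, "lookup_arn": arn}
```

Feed it the real ConfigMap by loading `kubectl get configmap aws-auth -n kube-system -o json` and passing its `data` object to diagnose.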

You're the user or role that received the error

If you received the error, complete the following steps:

1.    To update or generate the kubeconfig file after the aws-auth ConfigMap is updated, run either of the following commands.

As the IAM user, run the following command:

$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region

Note: Replace eks-cluster-name with your cluster name. Replace aws-region with your AWS Region.

As the IAM role, run the following command:

$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region --role-arn arn:aws:iam::XXXXXXXXXXXX:role/testrole

Note: Replace eks-cluster-name with your cluster name. Replace aws-region with your AWS Region.

2.    To confirm that the kubeconfig file is updated, run the following command:

$ kubectl config view --minify

3.    To confirm that your IAM user or role is authenticated, run the following command:

$ kubectl get svc

You should see output similar to the following:

NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
kubernetes      ClusterIP   10.100.0.1     <none>        443/TCP   77d

Note: If you continue to receive errors, then see Using RBAC Authorization for troubleshooting guidelines.