How do I resolve an unauthorized server error when I connect to the Amazon EKS API server?

Last updated: 2022-06-23

When I use kubectl commands to connect to the Amazon Elastic Kubernetes Service (Amazon EKS) API server, I receive the message "error: You must be logged in to the server (Unauthorized)". How do I resolve this?

Short description

Before you connect to the Amazon EKS API server, install and configure the latest version of the AWS Command Line Interface (AWS CLI).

Next, the cluster admin must complete the steps in one of the following sections:

  • You're the cluster creator
  • You're not the cluster creator

Finally, the person who received the error must complete the steps in the You're the user or role that received the error section.

Resolution

You're the cluster creator

1.    To see the configuration of your AWS CLI user or role, run the following command:

$ aws sts get-caller-identity

The output returns the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) user or role. For example:

{
    "UserId": "XXXXXXXXXXXXXXXXXXXXX",
    "Account": "XXXXXXXXXXXX",
    "Arn": "arn:aws:iam::XXXXXXXXXXXX:user/testuser"
}

2.    Confirm that the ARN matches the cluster creator.

3.    Update or generate the kubeconfig file using one of the following commands.

As the IAM user, run the following command:

$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region

Note: Replace eks-cluster-name with your cluster name. Replace aws-region with your AWS Region.

As the IAM role, run the following command:

$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region --role-arn arn:aws:iam::XXXXXXXXXXXX:role/testrole

Note: Replace eks-cluster-name with your cluster name. Replace aws-region with your AWS Region.

4.    To confirm that the kubeconfig file is updated, run the following command:

$ kubectl config view --minify

5.    To confirm that your IAM user or role is authenticated, run the following command:

$ kubectl get svc

The output should be similar to the following:

NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
kubernetes      ClusterIP   10.100.0.1     <none>        443/TCP   77d

Note: On the control plane side, EKS maps the cluster creator IAM role to the username kubernetes-admin. If API server logging was activated when the cluster was created, you can query the logs for the creator entity. Run the following query in CloudWatch Logs Insights:

fields @logStream, @timestamp, @message
| sort @timestamp desc
| filter @logStream like /authenticator/
| filter @message like "username=kubernetes-admin"
| limit 50

This query returns the IAM entity that is mapped as the cluster creator. Assume that IAM entity and run your kubectl commands against the cluster again.
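The same filter can be applied offline to authenticator log lines that were exported from CloudWatch. The following script is an added example and is not part of this article; it parses logrus-style key=value lines and returns the distinct ARNs that were mapped to the kubernetes-admin username. The sample lines, account number and ARNs are constructed, and the field names (arn, username, groups) are assumed to match the authenticator's log format.

```python
import re
from typing import Dict, List

# Constructed sample lines in the key=value style of the "authenticator" log
# stream. The account ID, role names and timestamps are made up.
SAMPLE_AUTHENTICATOR_LOG = """\
time="2022-06-23T10:00:01Z" level=info msg="access granted" arn="arn:aws:iam::111122223333:role/EKSAdminRole" groups="[system:masters]" username=kubernetes-admin
time="2022-06-23T10:00:02Z" level=info msg="access granted" arn="arn:aws:iam::111122223333:user/testuser" groups="[developers]" username=testuser
time="2022-06-23T10:00:03Z" level=warning msg="access denied" arn="arn:aws:iam::111122223333:role/UnmappedRole" username=
time="2022-06-23T10:00:04Z" level=info msg="access granted" arn="arn:aws:iam::111122223333:role/EKSAdminRole" groups="[system:masters]" username=kubernetes-admin
"""

# key=value pairs; a value is either a double-quoted string (may contain
# spaces and escaped quotes) or a bare run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_kv_line(line: str) -> Dict[str, str]:
    """Split one logrus-style line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def creator_arns(log_text: str, username: str = "kubernetes-admin") -> List[str]:
    """Return the distinct ARNs that the authenticator mapped to `username`,
    in order of first appearance. This mirrors the CloudWatch Logs Insights
    filter on username=kubernetes-admin."""
    found: List[str] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_kv_line(line)
        arn = fields.get("arn", "")
        if fields.get("username") == username and arn and arn not in found:
            found.append(arn)
    return found


if __name__ == "__main__":
    for arn in creator_arns(SAMPLE_AUTHENTICATOR_LOG):
        print(f"cluster creator identity: {arn}")
```

With real data, replace SAMPLE_AUTHENTICATOR_LOG with the exported log text; the ARN the script prints is the identity to assume before retrying kubectl.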

You're not the cluster creator

1.    To see the configuration of your AWS CLI user or role, run the following command:

$ aws sts get-caller-identity

The output returns the ARN of the IAM user or role.

2.    Ask the cluster owner or admin to add your IAM user or role to the aws-auth ConfigMap.

Note: If you have the correct IAM permissions, then you can use AssumeRole to log in as the cluster creator.

3.    To edit the aws-auth ConfigMap in a text editor, the cluster owner or admin must run the following command:

$ kubectl edit configmap aws-auth --namespace kube-system

Note: For an AWS IAM Identity Center (successor to AWS Single Sign-On) role ARN, be sure to remove the '/aws-reserved/sso.amazonaws.com/REGION' path from the rolearn value, or the ARN will not authorize you as a valid user.

4.    To add an IAM user or IAM role, complete one of the following steps.

Add the IAM user to mapUsers. For example:

mapUsers: |
  - userarn: arn:aws:iam::XXXXXXXXXXXX:user/testuser
    username: testuser
    groups:
      - system:masters

Note: Replace testuser with your user name.

Add the IAM role to mapRoles. For example:

mapRoles: |
  - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/testrole
    username: testrole
    groups:
      - system:masters

Note: Replace testrole with your role.

The value for username in the mapRoles section accepts lowercase characters only. The IAM role must be mapped without its path. To learn more about rolearn path requirements, expand the aws-auth ConfigMap does not grant access to the cluster section in Troubleshooting IAM.

The system:masters group allows superuser access to perform any action on any resource. For more information, see Default roles and role bindings.
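The checks described above (role ARN written without its path, lowercase username, awareness of which mappings grant system:masters) can be run over an aws-auth ConfigMap before it is applied. The following script is an added example, not code from this article or from AWS. To stay dependency-free it takes the mapRoles and mapUsers entries as already-parsed Python structures rather than YAML; the account number, role names and entries are constructed. It also goes slightly beyond the article: iam_role_arn_from_caller converts the arn:aws:sts::...:assumed-role/ROLE/SESSION form that aws sts get-caller-identity prints for an assumed role into the arn:aws:iam::...:role/ROLE form that mapRoles expects, whereas the article only shows a user ARN.

```python
import re
from typing import Dict, List

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")

# Constructed sample aws-auth data, equivalent to the YAML under mapRoles
# and mapUsers. The account ID and names are made up.
SAMPLE_MAP_ROLES: List[Dict] = [
    {"rolearn": "arn:aws:iam::111122223333:role/testrole",
     "username": "testrole", "groups": ["system:masters"]},
    {"rolearn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_0123456789abcdef",
     "username": "SSOAdmin", "groups": ["view-only"]},
]
SAMPLE_MAP_USERS: List[Dict] = [
    {"userarn": "arn:aws:iam::111122223333:user/testuser",
     "username": "testuser", "groups": ["system:masters"]},
]


def iam_role_arn_from_caller(caller_arn: str) -> str:
    """Map the STS assumed-role ARN from `aws sts get-caller-identity` to the
    IAM role ARN used in mapRoles. User and role ARNs pass through unchanged."""
    m = ASSUMED_ROLE_RE.match(caller_arn)
    if m:
        account, role = m.groups()
        return f"arn:aws:iam::{account}:role/{role}"
    return caller_arn


def strip_role_path(role_arn: str) -> str:
    """Remove the IAM path from a role ARN (for example the
    /aws-reserved/sso.amazonaws.com/REGION/ prefix of an IAM Identity Center
    role), since aws-auth matches role ARNs written without the path."""
    m = ROLE_ARN_RE.match(role_arn)
    if not m:
        return role_arn
    account, name_with_path = m.groups()
    return f"arn:aws:iam::{account}:role/{name_with_path.rsplit('/', 1)[-1]}"


def lint_aws_auth(map_roles: List[Dict], map_users: List[Dict]) -> List[str]:
    """Return findings for the mistakes the article describes: rolearn values
    with a path, usernames that are not lowercase, and any mapping that
    grants cluster superuser through system:masters."""
    findings: List[str] = []
    for entry in map_roles:
        arn = entry.get("rolearn", "")
        stripped = strip_role_path(arn)
        if stripped != arn:
            findings.append(f"{arn}: rolearn contains a path; use {stripped}")
        username = entry.get("username", "")
        if username != username.lower():
            findings.append(f"{arn}: username '{username}' must be lowercase")
        if "system:masters" in entry.get("groups", []):
            findings.append(f"{arn}: mapped to system:masters (cluster superuser)")
    for entry in map_users:
        arn = entry.get("userarn", "")
        if "system:masters" in entry.get("groups", []):
            findings.append(f"{arn}: mapped to system:masters (cluster superuser)")
    return findings


if __name__ == "__main__":
    for finding in lint_aws_auth(SAMPLE_MAP_ROLES, SAMPLE_MAP_USERS):
        print(finding)
```

The system:masters findings are informational: the group is legitimate for the cluster admin, but listing every mapping that carries it makes it easy to confirm that nobody holds superuser access by accident.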

You're the user or role that received the error

1.    To update or generate the kubeconfig file after aws-auth ConfigMap is updated, run either of the following commands.

As the IAM user, run the following command:

$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region

Note: Replace eks-cluster-name with your cluster name. Replace aws-region with your AWS Region.

2.    As the IAM role, run the following command:

$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region --role-arn arn:aws:iam::XXXXXXXXXXXX:role/testrole

Note: Replace eks-cluster-name with your cluster name. Replace aws-region with your AWS Region.

3.    To confirm that the kubeconfig file is updated, run the following command:

$ kubectl config view --minify

4.    To confirm that your IAM user or role is authenticated, run the following command:

$ kubectl get svc

You should see output similar to the following:

NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
kubernetes      ClusterIP   10.100.0.1     <none>        443/TCP   77d

Note: If you continue to receive errors, then review the troubleshooting guidelines in Using RBAC Authorization.
