How do I resolve the "Your current user or role does not have access to Kubernetes objects on this EKS cluster" error in Amazon EKS?

Last updated: 2021-07-28

I receive the following error in Amazon Elastic Kubernetes Service (Amazon EKS): "Your current user or role does not have access to Kubernetes objects on this EKS cluster."

Short description

You receive this error when you use the AWS Management Console with an AWS Identity and Access Management (IAM) user or role. The error occurs specifically with an IAM user or role that's not in your Amazon EKS cluster's aws-auth ConfigMap.

When you create an Amazon EKS cluster, the IAM user or role that creates the cluster (for example, a federated user) is automatically granted system:masters permissions in the cluster's RBAC configuration. That identity is the only one with access until others are added. If you access the Amazon EKS console with an IAM user or role that isn't part of the aws-auth ConfigMap, then you can't see your Kubernetes workloads. You also can't see the overview details for the cluster.

To grant additional AWS users or roles the ability to interact with your cluster, you must edit the aws-auth ConfigMap within Kubernetes.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Configure permissions for IAM users or roles

1.    To find the cluster creator or admin role with primary permissions to configure your cluster, search for the CreateCluster API call in AWS CloudTrail. Then, check the userIdentity section of the API call.

Note: CloudTrail provides 90 days of history only.

2.    Identify the IAM user or role that requires permissions.

3.    Confirm that the identified IAM user or role has permissions to view nodes and workloads for all clusters in the AWS Management Console.

Map the IAM users or roles to the RBAC roles and groups using aws-auth ConfigMap

Important: Before you connect to the Amazon EKS API server, install and configure the latest version of the AWS CLI.

1.    Get the configuration of your AWS CLI user or role:

$ aws sts get-caller-identity

The output returns the Amazon Resource Name (ARN) of the IAM user or role. For example:

{
    "UserId": "XXXXXXXXXXXXXXXXXXXXX",
    "Account": "XXXXXXXXXXXX",
    "Arn": "arn:aws:iam::XXXXXXXXXXXX:user/testuser"
}

2.    Confirm that the ARN matches the cluster creator or the admin with primary access to configure your cluster. If the ARN doesn't match the cluster creator or admin, then contact the cluster creator or admin to update the aws-auth ConfigMap.

3.    To edit aws-auth ConfigMap in a text editor, the cluster creator or admin must run the following command:

$ kubectl edit configmap aws-auth -n kube-system

4.    To add an IAM user or role, complete either of the following steps.

Add the IAM user to mapUsers. For example:

mapUsers: |
  - userarn: arn:aws:iam::XXXXXXXXXXXX:user/testuser
    username: testuser
    groups:
    - system:bootstrappers
    - system:nodes

-or-

Add the IAM role to mapRoles. For example:

mapRoles: |
  - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/testrole
    username: testrole
    groups:
    - system:bootstrappers
    - system:nodes

Note: To allow superuser access for performing any action on any resource, add system:masters instead of system:bootstrappers and system:nodes. For more information, see Default roles and role bindings on the Kubernetes website.

5.    Check for the error in the Amazon EKS console. For example:

Error loading Namespaces
namespaces is forbidden: User "testuser" cannot list resource "namespaces" in API group "" at the cluster scope

If you see the preceding error, then skip to the Create a cluster role and cluster role binding, or a role and role binding section.
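The following added example (not part of the original article) ties steps 1, 2 and 5 together: given the ARN that aws sts get-caller-identity returns, it tells you which of the two console errors to expect. It assumes the aws-auth entries have already been decoded from YAML into Python lists, and it applies a behaviour of the EKS authenticator that the article does not state: an assumed-role STS ARN is matched against the IAM role ARN in mapRoles, so the ARN must be rewritten before comparing.

```python
import re

# Constructed sample of the decoded mapUsers/mapRoles data of an aws-auth
# ConfigMap (what `kubectl edit configmap aws-auth -n kube-system` shows).
AWS_AUTH = {
    "mapRoles": [
        {"rolearn": "arn:aws:iam::111122223333:role/testrole",
         "username": "testrole",
         "groups": ["eks-console-dashboard-full-access-group"]},
    ],
    "mapUsers": [
        {"userarn": "arn:aws:iam::111122223333:user/testuser",
         "username": "testuser",
         "groups": ["system:bootstrappers", "system:nodes"]},
    ],
}

# Constructed sample: groups that are subjects of a ClusterRoleBinding whose
# ClusterRole can `list namespaces` (system:masters, or the group bound by
# eks-console-full-access.yaml). Anything else triggers the step 5 error.
GROUPS_THAT_CAN_LIST_NAMESPACES = {
    "system:masters", "eks-console-dashboard-full-access-group"}

STS_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/.+$")


def canonical_arn(caller_arn):
    """Rewrite the caller ARN into the form aws-auth is matched against.
    An assumed-role ARN (what get-caller-identity returns for a role) is
    mapped to the IAM role ARN; user ARNs are returned unchanged."""
    m = STS_ASSUMED_ROLE.match(caller_arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return caller_arn


def diagnose(caller_arn, aws_auth=AWS_AUTH, allowed=GROUPS_THAT_CAN_LIST_NAMESPACES):
    """Return 'not-mapped' (expect "Your current user or role does not have
    access ..."), 'forbidden' (expect "namespaces is forbidden ..."), or 'ok'."""
    arn = canonical_arn(caller_arn)
    entries = [(e["userarn"], e) for e in aws_auth.get("mapUsers", [])] + \
              [(e["rolearn"], e) for e in aws_auth.get("mapRoles", [])]
    for mapped_arn, entry in entries:
        if mapped_arn == arn:
            if set(entry.get("groups", [])) & allowed:
                return "ok"
            return "forbidden"   # mapped, but no binding grants list namespaces
    return "not-mapped"          # not in aws-auth at all
```

In the sample data, testuser is mapped but only to node groups, so the console shows the step 5 "forbidden" error until the group from the next section is added; testrole is mapped to a group with a binding and sees the cluster.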

Create a cluster role and cluster role binding, or a role and role binding

The Kubernetes user or group that the IAM user or role is mapped to in the ConfigMap must be a subject in a role binding or cluster role binding. That binding must reference a Kubernetes role or cluster role that has permissions to view the Kubernetes resources. If the user or group doesn't have the necessary permissions, you could receive an "Unauthorized: Verify you have access to the Kubernetes cluster" error. To create roles and bindings, see Using RBAC authorization on the Kubernetes website.

Keep in mind the following: To view Kubernetes resources in all namespaces, you must create a cluster role and a cluster role binding. To view Kubernetes resources in a specific namespace, you must create a role and role binding for that namespace.

To create a cluster role and cluster role binding:

1.    Download the manifest file:

https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console-full-access.yaml

Note: The group name in the downloaded file is eks-console-dashboard-full-access-group. This is the group that your IAM user or role must be mapped to in the aws-auth ConfigMap. For more information, see the "View Kubernetes resources in all namespaces" section of Managing users or IAM roles for your cluster.

2.    (Optional) Change the name of the group before applying the manifest file that you downloaded from step 1 to your cluster. Then, map your IAM user or role to that group in the ConfigMap. For example:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: eks-console-dashboard-full-access-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks-console-dashboard-full-access-binding
subjects:
- kind: Group
  name: eks-console-dashboard-full-access-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: eks-console-dashboard-full-access-clusterrole
  apiGroup: rbac.authorization.k8s.io

3.    Deploy the manifest file:

$ kubectl apply -f eks-console-full-access.yaml

4.    Verify the creation of clusterrole and clusterrolebinding objects:

$ kubectl describe clusterrole.rbac.authorization.k8s.io/eks-console-dashboard-full-access-clusterrole
$ kubectl describe clusterrolebinding.rbac.authorization.k8s.io/eks-console-dashboard-full-access-binding

5.    Update your aws-auth ConfigMap with the new group eks-console-dashboard-full-access-group for your IAM entity:

$ kubectl edit configmap aws-auth -n kube-system

6.    Add the IAM user to mapUsers. For example:

mapUsers: |
  - userarn: arn:aws:iam::XXXXXXXXXXXX:user/testuser
    username: testuser
    groups:
    - system:bootstrappers
    - system:nodes
    - eks-console-dashboard-full-access-group

7.    Add the IAM role to mapRoles. For example:

mapRoles: |
  - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/testrole
    username: testrole
    groups:
    - system:bootstrappers
    - system:nodes
    - eks-console-dashboard-full-access-group

View Kubernetes resources in a specific namespace

1.    Download the manifest file:

https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console-restricted-access.yaml

Note: The group name in the file is eks-console-dashboard-restricted-access-group. This is the group that your IAM user or role must be mapped to in the aws-auth ConfigMap. For more information, see the "View Kubernetes resources in a specific namespace" section of Managing users or IAM roles for your cluster.

2.    (Optional) Change the name of the group before applying it to your cluster. Then, map your IAM user or role to that group in the ConfigMap. For example:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: eks-console-dashboard-restricted-access-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks-console-dashboard-restricted-access-clusterrole-binding
subjects:
- kind: Group
  name: eks-console-dashboard-restricted-access-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: eks-console-dashboard-restricted-access-clusterrole
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: eks-console-dashboard-restricted-access-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: eks-console-dashboard-restricted-access-role-binding
  namespace: default
subjects:
- kind: Group
  name: eks-console-dashboard-restricted-access-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: eks-console-dashboard-restricted-access-role
  apiGroup: rbac.authorization.k8s.io

Note: The namespace in the preceding file is default. To specify a different namespace, edit the file before applying it to your cluster.

3.    Deploy the manifest:

$ kubectl apply -f eks-console-restricted-access.yaml

4.    Verify the creation of clusterrole and clusterrolebinding objects:

$ kubectl describe clusterrole.rbac.authorization.k8s.io/eks-console-dashboard-restricted-access-clusterrole
$ kubectl describe clusterrolebinding.rbac.authorization.k8s.io/eks-console-dashboard-restricted-access-clusterrole-binding
$ kubectl describe role.rbac.authorization.k8s.io/eks-console-dashboard-restricted-access-role
$ kubectl describe rolebinding.rbac.authorization.k8s.io/eks-console-dashboard-restricted-access-role-binding

5.    Update your aws-auth ConfigMap with the new group eks-console-dashboard-restricted-access-group for your IAM entity:

$ kubectl edit configmap aws-auth -n kube-system

6.    Add the IAM user to mapUsers. For example:

mapUsers: |
  - userarn: arn:aws:iam::XXXXXXXXXXXX:user/testuser
    username: testuser
    groups:
    - system:bootstrappers
    - system:nodes
    - eks-console-dashboard-restricted-access-group

7.    Add the IAM role to mapRoles. For example:

mapRoles: |
  - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/testrole
    username: testrole
    groups:
    - system:bootstrappers
    - system:nodes
    - eks-console-dashboard-restricted-access-group

Verify access to your Amazon EKS cluster

1.    Open the Amazon EKS console.

2.    In the Amazon EKS section of the navigation pane, choose Clusters.

3.    Choose your cluster.

4.    Check the Overview and Workloads tabs for errors.

If you configured access for a specific namespace only, then you see the following error message in the Amazon EKS console for the other namespaces:

Error loading Deployments
deployments.apps is forbidden: User "xxxxxx" cannot list resource "deployments" in API group "apps" at the cluster scope or in the namespace "xxxxxxx"

The error doesn't appear for the namespace that you configured.

To troubleshoot error messages, see Can't see workloads or nodes and receive an error in the AWS Management Console.
