AWS Credentials for EKS

kentune

Ken Tune

Posted on July 27, 2020

What you need to know before you can create AWS Kubernetes clusters using the command line

eksctl is the AWS command line utility for administering (e.g. setting up and tearing down) your AWS Kubernetes (EKS) cluster. This article details how to configure the credentials you need to use it. This is worth covering because the eksctl website does not document it and the process is non-trivial.

IAM Overview

Credentials in AWS are managed using IAM, AWS Identity and Access Management. Broadly speaking, you create policies, which are granular aggregations of permissions on AWS objects. You associate these with groups, to which you add users. If a user has been created for programmatic access, the user will have an access key id and a secret access key which can be stored on disk for use with the AWS command line interface. The same mechanism is used by eksctl.

In this article we set up the eksctl account in accordance with the principle of 'least privilege': the account should have sufficient privileges to execute the actions it needs, but no more.

Below we go through these steps in detail.

IAM Policy Setup

The eksctl website does not detail the set of IAM privileges needed to run eksctl, and trial and error is not recommended. Guidance can be found in issue 204 of the eksctl project, however.

As that guidance is still somewhat complicated (and incomplete), I'm going to make use of it but simplify the process for you.

First of all pull down https://github.com/aerospike-examples/kubernetes-aws.

```bash
git clone https://github.com/aerospike-examples/kubernetes-aws
cd kubernetes-aws
```

The policy you need is in eks.iam.policy.template. Some permissions, however, are account specific: you will see this if you search for the text account-id in eks.iam.policy.template. That placeholder needs replacing with your own account id.

Find your account id by logging into the AWS console and selecting 'My Account'. Your account id is shown on the next screen; copy it.

From the kubernetes-aws project you just cloned, run

```bash
./make-policy.sh YOUR_ACCOUNT_ID
```

The result will be saved as eks.iam.policy.

Copy the contents of eks.iam.policy to the clipboard.

Select the IAM service in the AWS console (Services->IAM) and click 'Policies'.

Next click 'Create Policy'. Select 'JSON' rather than 'Visual Editor', remove the JSON you see and replace it with the contents of eks.iam.policy.

Now click 'Review Policy'. Give your policy a name, e.g. EKS.

Finally click 'Create Policy', bottom right of the review screen.

IAM Group Setup

In this section we create an IAM group and add the EKS policy to it.

Select 'Groups' from the left hand IAM menu.

Click 'Create New Group'. Give your group a name, e.g. EKS.

Click 'Next Step'. Search for the policy you created and select it.

Click 'Next Step', followed by 'Create Group'. You should see your new group, EKS, appear in the group listing screen.

Create IAM User

Now we create a user and associate it with the EKS group. Select 'Users' from the left hand IAM menu.

Click 'Add User'. Give your user a name, e.g. EKS, and check the 'Programmatic access' access type.

Click 'Next: Permissions'. 'Add user to group' will be selected by default. Check the 'EKS' group.

Click 'Next: Tags', followed by 'Next: Review' and finally 'Create User'. The resulting screen shows the user's access key id and secret access key.

Keep this screen open in your browser; you will need it for the steps below.
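The policy, group and user steps above, scripted with the AWS CLI as an added example (this is not code from the kubernetes-aws project or the original post). It assumes an administrative AWS CLI profile is already configured and that the template uses the literal placeholder account-id as described above; make_policy and create_eks_identity are names chosen here.

```bash
#!/usr/bin/env bash
# Added example, not part of the kubernetes-aws project: the policy, group
# and user steps from the walkthrough done with the AWS CLI from an
# administrative profile, so the setup is scripted and reviewable.
set -eu

# make_policy TEMPLATE ACCOUNT_ID OUTPUT
# Replace the account-id placeholder (as make-policy.sh does) and refuse to
# emit a policy that still contains it or that got a malformed account id.
make_policy() {
  local template="$1" account_id="$2" out="$3"
  case "$account_id" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "account id must be exactly 12 digits, got '$account_id'" >&2; return 1 ;;
  esac
  sed "s/account-id/$account_id/g" "$template" > "$out"
  ! grep -q 'account-id' "$out"
}

# create_eks_identity POLICY_FILE [NAME]
# Same objects the console walkthrough creates: a customer managed policy,
# a group with that policy attached, and a programmatic-access user in the
# group. The user gets no console password and no other policies.
create_eks_identity() {
  local policy_file="$1" name="${2:-EKS}" account_id
  account_id=$(aws sts get-caller-identity --query Account --output text)
  aws iam create-policy --policy-name "$name" \
      --policy-document "file://$policy_file" >/dev/null
  aws iam create-group --group-name "$name" >/dev/null
  aws iam attach-group-policy --group-name "$name" \
      --policy-arn "arn:aws:iam::${account_id}:policy/${name}"
  aws iam create-user --user-name "$name" >/dev/null
  aws iam add-user-to-group --group-name "$name" --user-name "$name"
  # The secret is returned once, here only; store it with 'aws configure'.
  aws iam create-access-key --user-name "$name" \
      --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Usage from the cloned repo, taking the account id from STS instead of the console:
# make_policy eks.iam.policy.template "$(aws sts get-caller-identity --query Account --output text)" eks.iam.policy
# create_eks_identity eks.iam.policy EKS
```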

AWS CLI Credential Setup

We are now in a position to cache our credentials on disk so they can be used by the AWS CLI or eksctl.

You will need the AWS CLI. Installation details may be found at https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html.

In the environment in which you will be using the AWS CLI / eksctl, type aws configure and fill in the access key id and secret access key from the 'Create User' screen. You are also required to enter the default AWS region you wish to use. If you are curious, your credentials are stored in ~/.aws/credentials.

I have pixelated my keys as a matter of good practice, but I could also have made them visible and deleted the account immediately after taking the screenshot, then recreated the user. The secret key would have been completely different.

Note that you will need to click 'Show' to see the secret access key on the 'Create User' screen. You are only able to do this once. If you do not record it for the aws configure step, you will need to request another key. This is not a big problem; see below.

Access Key / Secret Key access

IAM makes it easy to rotate keys and manage accounts. Having created your user above, you can reach it via 'Users' in the IAM menu.

Select 'EKS' and switch to the 'Security Credentials' tab.

Note that you can make a set of credentials inactive via 'Make Inactive'. You can request a new set via 'Create Access Key'. This will again give you one-time access to your secret key. It also supports key rotation.
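Key rotation as an added example, not from the original post: the function below creates a new key for the eksctl user, verifies it, and only then retires the old one. It assumes eksctl reads its credentials from a named AWS CLI profile ("eks" here) and that the profile running the script may manage the EKS user's keys; rotate_access_key is a name chosen here.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: rotate the eksctl user's access
# key so there is never a moment when no working key exists. Assumes the AWS
# CLI runs under a profile allowed to manage this user's keys, and that
# eksctl reads its credentials from the named profile (here "eks").
set -eu

# rotate_access_key USER_NAME PROFILE
# Order matters: create the new key, store it, prove it works, and only then
# deactivate and delete the old one. Deactivating first would strand eksctl.
rotate_access_key() {
  local user="$1" profile="$2" old_id new_key new_id new_secret tries=0
  # IAM permits two keys per user; rotation expects exactly one to exist.
  if [ "$(aws iam list-access-keys --user-name "$user" \
            --query 'length(AccessKeyMetadata)' --output text)" -ne 1 ]; then
    echo "expected exactly one key on $user; clean up before rotating" >&2
    return 1
  fi
  old_id=$(aws iam list-access-keys --user-name "$user" \
             --query 'AccessKeyMetadata[0].AccessKeyId' --output text)
  # The secret is shown once; write it straight into the profile, never to a log.
  new_key=$(aws iam create-access-key --user-name "$user" \
              --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)
  new_id=$(printf '%s' "$new_key" | cut -f1)
  new_secret=$(printf '%s' "$new_key" | cut -f2)
  aws configure set aws_access_key_id "$new_id" --profile "$profile"
  aws configure set aws_secret_access_key "$new_secret" --profile "$profile"
  # New keys take a few seconds to propagate, so retry before giving up.
  until aws sts get-caller-identity --profile "$profile" >/dev/null 2>&1; do
    tries=$((tries + 1))
    if [ "$tries" -ge 6 ]; then
      echo "new key $new_id not usable yet; old key $old_id left active" >&2
      return 1
    fi
    sleep 5
  done
  aws iam update-access-key --user-name "$user" \
      --access-key-id "$old_id" --status Inactive
  aws iam delete-access-key --user-name "$user" --access-key-id "$old_id"
  echo "$new_id"
}

# Usage: rotate_access_key EKS eks
```

If the verification step fails, the old key is left active and the new one is already in the profile, so you can retry without losing access.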

Conclusion

In this article we showed you how to set up credentials for eksctl in accordance with the best practice of least privilege. In https://dev.to/aerospike/aerospike-on-eks-aws-k8s-m5b we make use of this when detailing how to set up an Aerospike cluster on EKS.
