AWS Credentials for EKS
Ken Tune
Posted on July 27, 2020
What you need to know before you can create AWS Kubernetes clusters using the command line
eksctl is the AWS command line utility allowing you to administer (e.g. setup/teardown) your AWS Kubernetes cluster. This article details how you configure the credentials you need to use the service. This article is useful as this is not detailed on the eksctl website and is non-trivial.
IAM Overview
Credentials in AWS are managed using IAM - AWS Identity and Access Management. Broadly speaking, you create policies which are granular aggregations of permissions on AWS objects. You associate these with groups to which you add users. If a user has been created for programmatic access use, the user will have an access key id and a secret access key which can be stored on disk for use in conjunction with the AWS command line interface. The same mechanism is used by eksctl.
In this article we set up the eksctl account in accordance with the principle of 'least privilege' - the account should have sufficient privileges to execute actions as needed, but no more.
Below we go through the steps in the above process in detail.
IAM Policy Setup
The eksctl website does not detail the set of IAM privileges needed to run eksctl, and trial and error is not recommended. Guidance can be found in issue 204 below however.
As this is still somewhat complicated (and incomplete) I'm going to make use of this, but simplify the process for you.
First of all pull down https://github.com/aerospike-examples/kubernetes-aws.
bash
git clone https://github.com/aerospike-examples/kubernetes-aws
cd kubernetes-aws
The policy you need is in eks.iam.policy.template. Some permissions however are account specific - you will see this if you look for the text account-id in eks.iam.policy.template - this needs replacing with your own account id.
Find your account id by logging into the AWS console. Select 'My Account'
You will see your account id in the next screen. Copy this.
From the kubernetes-aws project you just cloned, run
bash
./make-policy.sh YOUR_ACCOUNT_ID
The result will be saved as eks.iam.policy.
Copy the contents of eks.iam.policy to the clipboard.
Select the IAM Service in the AWS console (Services->IAM) and click 'Policies'
Next 'Create Policy'. Select 'JSON' rather than 'Visual Editor', remove the JSON you see and replace with the contents of eks.iam.policy. Your screen should look like
Now click 'Review Policy'. Give your policy a name e.g. EKS.
Finally click 'Create Policy', bottom right of the above screen.
IAM Group Setup
In this section we create an IAM group and add the EKS policy to it.
Select 'Groups', from the left hand IAM menu.
Click 'Create New Group'. Give your group a name e.g. EKS.
Click 'Next Step'. Search for the policy you created and select.
Click 'Next Step', followed by 'Create Group'. You should see your new group, EKS, appear in the group listing screen.
Create IAM User
Now we create a user and associate with the EKS group. Select 'Users' from the left hand side menu above.
Click 'Add User'. Give your user a name e.g. EKS and check the 'programmatic access' access type.
Click 'Next: Permissions'. 'Add User To Group' will be selected by default. Check the 'EKS' group.
Click 'Next:Tags' followed by 'Next:Review' and finally 'Create User'. You will see the screen below.
Keep this screen in your browser - you will need it for the steps below.
AWS CLI Credential Setup
We are now in a position to cache our credentials on disk so they can be used by the AWS CLI or eksctl.
You will need the AWS CLI. Installation details may be found at https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html.
In the environment in which you will be using the AWS CLI / eksctl type aws configure and fill in the access key and secret access key which you can obtain from the screen above. You are also required to add in the default AWS region you wish to use. If you are curious, your credentials are stored in ~/.aws/credentials.
I have pixelated my keys as a matter of good practice, but I could also have made them visible and deleted the account immediately after taking the screenshot, then recreating the user. The secret key would have been completely different.
Note that you will need to click 'show' to see the secret access key in the screen above. You are only able to do this once. You will need to request another key if you do not record what you see for use in the aws configure step. Not a big problem, see below.
Access Key / Secret Key access
IAM makes it easy to rotate keys and manage accounts. Having created your user above you can access via 'Users' in the IAM menu.
If we select 'EKS' we see
I have tabbed to 'Security Credentials' above.
Note you can make a set of credentials inactive via 'Make Inactive'. You can request a new set via 'Create Access Key'. This will again give you one time access to your secret key. It also supports key rotation.
Conclusion
In this article we showed you how to set up credentials for eksctl in accordance with the best practice of least privilege. In https://dev.to/aerospike/aerospike-on-eks-aws-k8s-m5b we make use of this when detailing how to set up an Aerospike cluster on EKS.
Posted on July 27, 2020
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.