Enabling cross-account access from an EC2 Instance to an Amazon EKS cluster
Scenario
Let's assume that we have multiple AWS accounts, a source account and a target account, and we want to manage the Kubernetes resources in the target account's EKS cluster from an EC2 instance in the source account.
Prerequisites
- Source AWS account
- Target AWS account
- EC2 Instance
- Kubectl utility installed on the EC2 instance
- EKS Cluster
Solution
1. In your source account, create an IAM role named source-account-iam-role with an IAM policy that allows sts:AssumeRole on the target account's IAM role.
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::TARGET_ACCOUNT_ID:role/target-account-iam-role"
      }
    }
2. Attach the IAM role created in step 1 to the EC2 Instance in the source account
3. Create an IAM role in the target account, target-account-iam-role, with a trust relationship to the source account's IAM role for the action sts:AssumeRole.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::SOURCE_ACCOUNT_ID:role/source-account-iam-role"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
4. Configure the target account's Amazon EKS cluster: modify the aws-auth ConfigMap and add the role under mapRoles to allow Kubernetes cluster access from the EC2 instance IAM role (source-account-iam-role).
command: kubectl edit configmaps aws-auth -n kube-system
    mapRoles: |
      . . .
      - groups:
        - system:masters
        rolearn: arn:aws:iam::SOURCE_ACCOUNT:role/source-account-iam-role
        username: source-account-iam-role
5. Check access to Kubernetes from the source account EC2 Instance
kubectl get nodes
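A consistency check for the policy pair from steps 1 and 3, as an added example (not code from the original post): it confirms that the permission policy names the target role and the trust policy names the source role, and flags a trust principal broader than a single role. The account IDs and the check_pair helper are constructed for illustration.

```python
import json

SRC = "arn:aws:iam::111111111111:role/source-account-iam-role"  # constructed account ID
TGT = "arn:aws:iam::222222222222:role/target-account-iam-role"  # constructed account ID

# The two documents from steps 1 and 3, placeholders filled with the constructed IDs.
PERMISSION_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": {
  "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "%s"}}''' % TGT)
TRUST_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": "%s"}, "Action": "sts:AssumeRole"}]}''' % SRC)

def _as_list(value):
    # IAM accepts a single value or an array for Statement, Action, Resource and Principal values.
    return value if isinstance(value, list) else [value]

def _assume_statements(policy):
    # Yield only the Allow statements that cover sts:AssumeRole.
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") == "Allow" and {"sts:assumerole", "sts:*", "*"} & set(actions):
            yield stmt

def check_pair(source_role_arn, target_role_arn, permission_policy, trust_policy):
    """Return a list of findings; an empty list means the pair matches steps 1 and 3."""
    findings = []
    resources = [r for s in _assume_statements(permission_policy)
                 for r in _as_list(s.get("Resource", []))]
    if target_role_arn not in resources:
        findings.append("permission policy does not name the target role")
    if any("*" in r for r in resources):
        findings.append("permission policy Resource contains a wildcard")
    principals = []
    for s in _assume_statements(trust_policy):
        p = s.get("Principal", {})
        principals += [p] if isinstance(p, str) else _as_list(p.get("AWS", []))
    if source_role_arn not in principals:
        findings.append("trust policy does not name the source role")
    for p in principals:
        # "*", a bare account ID, or :root trusts more than the one instance role.
        if p == "*" or p.isdigit() or p.endswith(":root"):
            findings.append("trust policy principal is broader than one role: " + p)
    return findings

if __name__ == "__main__":
    print(check_pair(SRC, TGT, PERMISSION_POLICY, TRUST_POLICY) or "pair is consistent")
```

Note that the single-object Statement in step 1 and the array form in step 3 are both handled, since IAM accepts either.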
Summary
In this blog, I walked you through the steps to enable cross-account access between your source account and the target account. This type of solution is typically implemented in environments where you need to manage the Kubernetes cluster from a shared environment.
Cheers!!