Enabling cross-account access from an EC2 Instance to an Amazon EKS cluster
Let's assume that we have two AWS accounts, a source account and a target account, and that we want to manage the Kubernetes resources of an Amazon EKS cluster in the target account from an EC2 instance in the source account. What you need:
- Source AWS account (where the EC2 instance runs)
- Target AWS account (where the EKS cluster runs)
- EC2 instance in the source account
- kubectl and the AWS CLI installed on the EC2 instance (kubectl obtains its cluster token through the AWS CLI)
- EKS cluster in the target account
1. In your source account, create an IAM role named source-account-iam-role whose permission policy allows sts:AssumeRole on the target account's IAM role (target-account-iam-role) and nothing else. Because this role will be used by an EC2 instance, its trust policy must allow the EC2 service (ec2.amazonaws.com) to assume it.
2. Attach the IAM role created in step 1 to the EC2 instance in the source account (EC2 attaches roles through an instance profile).
3. In the target account, create an IAM role named target-account-iam-role whose trust policy allows the source account's role to call sts:AssumeRole. Trust the specific role ARN, not the source account root, so that no other principal in the source account qualifies. This role also needs eks:DescribeCluster on the cluster so that a kubeconfig can be generated for it.
4. Configure the target account's Amazon EKS cluster: edit the aws-auth ConfigMap and add an entry under mapRoles for the IAM identity the EC2 instance presents to the cluster. With the AssumeRole flow above, kubectl assumes target-account-iam-role before requesting a token, so that is the role ARN to map (written without any IAM path, which aws-auth does not match on), together with the Kubernetes username and groups it should receive.
command: kubectl edit configmaps aws-auth -n kube-system
. . .
5. Check access to the cluster from the source account's EC2 instance:
kubectl get nodes
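The five steps above as one script, added here as an example that is not part of the original post. It emits the IAM trust and permission documents and the aws-auth mapRoles entry, and runs the AWS CLI and kubectl calls only when invoked with apply-source, apply-target or verify. The account IDs, cluster name, region, instance ID, the CLI profile name target-eks and the Kubernetes username and group are assumptions; the role names are the ones used in the post.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): the IAM documents, the aws-auth
# entry and the CLI calls for the cross-account flow. Account IDs, cluster
# name, region, instance ID, profile and group names are placeholders.
# Run without arguments to print the documents; "apply-source", "apply-target"
# and "verify" run the AWS CLI / kubectl steps with the matching credentials.
set -euo pipefail

SOURCE_ACCOUNT_ID="111111111111"          # assumption
TARGET_ACCOUNT_ID="222222222222"          # assumption
SOURCE_ROLE="source-account-iam-role"
TARGET_ROLE="target-account-iam-role"
CLUSTER_NAME="demo-eks"                   # assumption
REGION="us-east-1"                        # assumption
INSTANCE_ID="i-0123456789abcdef0"         # assumption
PROFILE="target-eks"                      # CLI profile name, assumption

source_role_arn() { printf 'arn:aws:iam::%s:role/%s' "$SOURCE_ACCOUNT_ID" "$SOURCE_ROLE"; }
target_role_arn() { printf 'arn:aws:iam::%s:role/%s' "$TARGET_ACCOUNT_ID" "$TARGET_ROLE"; }
cluster_arn()     { printf 'arn:aws:eks:%s:%s:cluster/%s' "$REGION" "$TARGET_ACCOUNT_ID" "$CLUSTER_NAME"; }

# Step 1: the source role is an instance role, so the EC2 service must be able
# to assume it ...
ec2_trust_policy() {
cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
}
# ... and its only permission is to assume exactly one role in the target account.
source_assume_policy() {
cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Action":"sts:AssumeRole","Resource":"$(target_role_arn)"}]}
EOF
}

# Step 3: the target role trusts the specific source role, never the source
# account root (that would admit every principal in the source account).
target_trust_policy() {
cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"AWS":"$(source_role_arn)"},"Action":"sts:AssumeRole"}]}
EOF
}
# DescribeCluster is what "aws eks update-kubeconfig" calls; what kubectl may
# do inside the cluster is decided by aws-auth and RBAC, not by IAM.
target_eks_policy() {
cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Action":"eks:DescribeCluster","Resource":"$(cluster_arn)"}]}
EOF
}

# Step 4: aws-auth matches the role ARN without any IAM path, so strip it.
aws_auth_role_arn() { printf '%s' "$1" | sed -E 's#:role/.*/#:role/#'; }
# The identity the cluster sees after AssumeRole is the target role, so that is
# the ARN to map. The group is an assumption; bind it with a (Cluster)RoleBinding
# rather than mapping straight to system:masters.
aws_auth_map_roles_entry() {
cat <<EOF
    - rolearn: $(aws_auth_role_arn "$(target_role_arn)")
      username: cross-account-operator
      groups:
        - eks-cross-account-operators
EOF
}

apply_source() {   # run with source-account admin credentials
  aws iam create-role --role-name "$SOURCE_ROLE" --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam put-role-policy --role-name "$SOURCE_ROLE" --policy-name assume-target-eks-role \
      --policy-document "$(source_assume_policy)"
  # Step 2: EC2 attaches roles through an instance profile.
  aws iam create-instance-profile --instance-profile-name "$SOURCE_ROLE"
  aws iam add-role-to-instance-profile --instance-profile-name "$SOURCE_ROLE" --role-name "$SOURCE_ROLE"
  aws ec2 associate-iam-instance-profile --instance-id "$INSTANCE_ID" --iam-instance-profile Name="$SOURCE_ROLE"
}

apply_target() {   # run with target-account admin credentials
  aws iam create-role --role-name "$TARGET_ROLE" --assume-role-policy-document "$(target_trust_policy)"
  aws iam put-role-policy --role-name "$TARGET_ROLE" --policy-name describe-eks-cluster \
      --policy-document "$(target_eks_policy)"
  echo "Add this under mapRoles with: kubectl edit configmap aws-auth -n kube-system"
  aws_auth_map_roles_entry
}

verify() {         # Step 5: run on the EC2 instance itself
  # A CLI profile that assumes the target role from the instance credentials.
  aws configure set role_arn "$(target_role_arn)" --profile "$PROFILE"
  aws configure set credential_source Ec2InstanceMetadata --profile "$PROFILE"
  aws sts get-caller-identity                       # instance role (source account)
  aws sts get-caller-identity --profile "$PROFILE"  # assumed target role
  aws eks update-kubeconfig --name "$CLUSTER_NAME" --region "$REGION" --profile "$PROFILE"
  kubectl get nodes
}

case "${1:-}" in
  apply-source) apply_source ;;
  apply-target) apply_target ;;
  verify)       verify ;;
  *) source_assume_policy; target_trust_policy; target_eks_policy; aws_auth_map_roles_entry ;;
esac
```

The two get-caller-identity calls in verify are the check worth keeping: the first must report the instance role in the source account, the second the assumed target-account-iam-role, and it is the second identity that aws-auth is matched against. The mapRoles entry is printed rather than patched in, because a merge patch on aws-auth replaces the whole mapRoles string and would drop the node role mapping that the worker nodes depend on.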
In this post I walked through the steps to enable cross-account access between the source account and the target account. This type of solution is typically implemented in environments where the Kubernetes cluster has to be managed from a shared environment.
If you have any questions, please feel free to connect with me on LinkedIn
If you find this article helpful, please feel free to clap!