Allow machine user to access EKS

MiracleMax · May 7, 2020, 6:33pm

What would be the best approach to allow a machine-user to access ECR and EKS directly?

I want to be able to run helm commands against the EKS cluster directly from the pipeline and perform operation in different clusters depending on branch.
Ex: develop branch pipeline does the helm upgrade in staging EKS, but for master branch we use prod EKS.

Any recommendations that we should be following?

yoriy · May 12, 2020, 4:41pm

Hi @MiracleMax,

Apologies for the delay in responding here!

The approach we take in the reference architecture is to leverage the autodeploy cross account IAM role created with the cross-account-iam-roles module. The idea is to:

Grant the machine user permissions to assume these roles in the child account.
Bind an RBAC role with appropriate permissions to create resources in the kubernetes cluster to the autodeploy IAM role.
During deployment, have the CI user assume the autodeploy role for the appropriate account prior to making the calls to ECR and Kubernetes using aws-auth.

Does that make sense?

Yori

MiracleMax · May 12, 2020, 6:41pm

Thanks @yoriy for your awnser.

So far I manage to login to EKS with the machine-user. But it seems I can’t find the way to bind the IAM role to RBAC.

Error from server (Forbidden): pods is forbidden: User “allow-auto-deploy-from-other-accounts” cannot list resource “pods” in API group “” in the namespace “default”

The machine user is part of allow_auto_deploy_from_other_account_arns in iam-cross-account.
And iam-cross-account is a dependency of eks-cluster.

What could I be missing?

MiracleMax · May 12, 2020, 7:10pm

I get it now after having a deeper look into role mapping.

                - rolearn: arn:aws:iam::XXX:role/allow-auto-deploy-from-other-accounts
                  username: allow-auto-deploy-from-other-accounts
                  groups:
                 - autodeploy

Where is this autodeploy group setup? I can’t find reference to it nor see it in the EKS cluster. (kubectl get clusterrole -n kube-system)

yoriy · May 13, 2020, 1:59am

If you are using our reference architecture, then it is still using helm 2 where there is a server component (aka Tiller) that does all the work. In this model, the idea is that the autodeploy RBAC group gets access to each Tiller that is used for deployments. This is done through the variable grant_autodeploy_access in k8s-namespace-with-tiller, which will bind the minimal permissions necessary to allow running kubergrunt helm grant and talk to Tiller for that namespace. We don’t bind any other permissions to the RBAC group.

If you are using helm 3 or wish to directly talk to kubernetes API using the autodeploy role, then you need to bind additional permissions to the autodeploy RBAC group, bind an alternative RBAC group. This can be done using any method that creates RoleBinding and ClusterRoleBinding resources: kubernetes manifest file, helm, or terraform kubernetes provider.

Hope this makes sense!

Yori

Topic		Replies	Views
Third Party Developer Access Gruntwork Customers	1	599	January 23, 2018
Problems switching between AWS accounts and using IAM roles Gruntwork Customers iam , multi-account	1	756	December 21, 2017
Eks-core-services module failing \| Pinging tiller! Gruntwork Customers terragrunt , eks , tiller , helm , eks-core-services	5	825	March 9, 2020
AWS (Multi-account setup): Access remote states from another account Gruntwork Customers	4	1409	January 11, 2018
Should I create an IAM user in production env to operate resources in mgmt vpc Gruntwork Customers	3	495	April 6, 2020

Allow machine user to access EKS

Related topics