kubectl error You must be logged in to the server (Unauthorized) when accessing EKS cluster

I have been trying to follow the getting started guide to EKS. When I tried to call kubectl get service I got the message: error: You must be logged in to the server (Unauthorized). Here is what I did:
1. Created the EKS cluster.
2. Created the config file as follows:

apiVersion: v1
clusters:
- cluster:
    server: https://*********
    certificate-authority-data: *********
  name: *********
contexts:
- context:
    cluster: *********
    user: aws
  name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: heptio-authenticator-aws
      args:
        - "token"
        - "-i"
        - "*********"
        - "-r"
        - "arn:aws:iam::*****:role/******"
3. Downloaded and installed the latest aws cli
4. Ran aws configure and set the credentials for my IAM user and the region as us-west-2
5. Added a policy to the IAM user for sts:AssumeRole for the EKS role and set it up as a trusted relationship
6. Set up kubectl to use the config file

I can get a token when I run heptio-authenticator-aws token -r arn:aws:iam::**********:role/********* -i my-cluster-name. However, when I try to access the cluster I keep receiving: error: You must be logged in to the server (Unauthorized)

Any idea how to fix this issue?


  • When an Amazon EKS cluster is created, the IAM entity (user or role) that creates the cluster is added to the Kubernetes RBAC authorization table as the administrator. Initially, only that IAM user can make calls to the Kubernetes API server using kubectl.

    So to add access to other AWS users, you must first edit the ConfigMap to add an IAM user or role to the Amazon EKS cluster.

    You can edit the ConfigMap by executing: kubectl edit -n kube-system configmap/aws-auth, after which you will be presented with an editor in which you map the new users.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: aws-auth
      namespace: kube-system
    data:
      mapRoles: |
        - rolearn: arn:aws:iam::555555555555:role/devel-worker-nodes-NodeInstanceRole-74RF4UBDUKL6
          username: system:node:{{EC2PrivateDNSName}}
          groups:
            - system:bootstrappers
            - system:nodes
      mapUsers: |
        - userarn: arn:aws:iam::111122223333:user/ops-user
          username: ops-user
          groups:
            - system:masters
      mapAccounts: |
        - "111122223333"

    Pay close attention to mapUsers, where you're adding ops-user, together with the mapAccounts label, which maps the AWS user account to a username on the Kubernetes cluster.

    However, no permissions are provided in RBAC by this action alone; you must still create role bindings in your cluster to provide these entities permissions.

    As the Amazon documentation (iam-docs) states, you need to create a role binding on the Kubernetes cluster for the user specified in the ConfigMap. You can do that by executing the following command (kub-docs):

    kubectl create clusterrolebinding ops-user-cluster-admin-binding --clusterrole=cluster-admin --user=ops-user

    which grants the cluster-admin ClusterRole to a user named ops-user across the entire cluster.
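An added, offline check that is not part of the answer above: it parses the mapRoles/mapUsers value of an aws-auth ConfigMap and tells you whether the identity kubectl actually authenticates with is mapped at all (the usual cause of the Unauthorized error in the question), and which identities land in system:masters. The sample data, the names eks-admins and eks-readers, and the minimal parser are constructed for this example; it assumes you feed it the output of aws sts get-caller-identity, which for an assumed role is an sts assumed-role ARN rather than the IAM role ARN aws-auth expects.

```python
# Constructed sample: dedented value of the aws-auth mapRoles key (mapUsers has the same shape)
SAMPLE_MAP_ROLES = """\
- rolearn: arn:aws:iam::111122223333:role/eks-admins
  username: eks-admin
  groups:
    - system:masters
- rolearn: arn:aws:iam::111122223333:role/eks-readers
  username: eks-reader
"""

def parse_mappings(block):
    """Parse mapUsers/mapRoles entries ('- key: value', nested 'key: value', '- item' groups); minimal, not PyYAML."""
    entries, current = [], None
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw.startswith((" ", "\t")) and line.startswith("- "):
            current = {"groups": []}                # a new mapping entry begins
            entries.append(current)
            line = line[2:]
        if current is None:
            raise ValueError(f"line outside any entry: {raw!r}")
        if line.startswith("- "):                   # group item under 'groups:'
            current["groups"].append(line[2:].strip())
        else:
            key, _, value = line.partition(":")     # first ':' only; ARNs contain ':'
            if value.strip():                       # the bare 'groups:' header has no value
                current[key.strip()] = value.strip()
    return entries

def normalize_arn(arn):
    """sts get-caller-identity shows arn:aws:sts::ACCT:assumed-role/ROLE/SESSION; aws-auth needs the IAM role ARN."""
    if ":sts::" in arn and ":assumed-role/" in arn:
        account = arn.split(":")[4]
        role = arn.split(":assumed-role/")[1].split("/")[0]
        return f"arn:aws:iam::{account}:role/{role}"
    return arn

def find_mapping(block, caller_arn):
    """Entry that maps the caller's identity, or None (the API server then answers Unauthorized)."""
    wanted = normalize_arn(caller_arn)
    for entry in parse_mappings(block):
        if entry.get("rolearn", entry.get("userarn")) == wanted:
            return entry
    return None

def admin_identities(block):
    """ARNs placed in system:masters: cluster admins with no further RoleBinding needed."""
    return [e.get("rolearn", e.get("userarn")) for e in parse_mappings(block) if "system:masters" in e["groups"]]
```

Pipe the real value in with kubectl get -n kube-system configmap/aws-auth -o jsonpath='{.data.mapRoles}' and compare against the Arn field of aws sts get-caller-identity run from the same shell as kubectl.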