amazon-web-services kubernetes kubectl amazon-eks

kubectl needs credentials: You must be logged in to the server


When I run the command kubectl get svc from the tutorial I'm following, I get: error: You must be logged in to the server (the server has asked for the client to provide credentials).

When I look at my ~/.kube/config file all looks good. The user there is the exact same one that I used to create the cluster in the first place.

So I see two options:

  1. The user has no IAM policy that allows it to run kubectl get svc, which is very probable because all my problems are from IAM.
  2. It has something to do with the IAM principal.

So my questions are: what IAM policies do I need to run kubectl get svc or, alternatively, how do I add an IAM principal to the EKS cluster? The doc is using kubectl to add the IAM principal to the cluster which... that's a loop with no end in sight.


Solution

  • So the problem is that the user in the AWS CLI is an IAM user, but the user creating the cluster in the AWS web UI is the root user, as per the instructions.

    Therefore what you need to do is, instead of doing this in your web console UI, you need to create the cluster using your aws cli:

    aws eks create-cluster --region region-code --name my-cluster --kubernetes-version 1.27 \
       --role-arn arn:aws:iam::111122223333:role/myAmazonEKSClusterRole \
       --resources-vpc-config subnetIds=subnet-ExampleID1,subnet-ExampleID2,securityGroupIds=sg-ExampleID1
    

    You need to substitute the subnet IDs and security groups with the ones you created in the previous steps in the original tutorial.

    Also, you will need to give the aws cli user/group a few additional permissions like pass role and a few others too...

    P.S. I do not understand why in the AWS introduction tutorial there is such a monumental error regarding the RBAC permissions of Kubernetes. It's a fact: "When you create an Amazon EKS cluster, the IAM principal that creates the cluster is automatically granted system:masters permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster." It's a really crazy error on the part of the person creating the tutorial.

    Also, here is a guide on how to add additional IAM users to the EKS cluster so that they too can use kubectl and access your cluster.
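
The mismatch described in the answer can be checked by comparing the identity the AWS CLI (and therefore kubectl) authenticates as with the principal recorded on the cluster's CloudTrail CreateCluster event. This is an added example, not part of the original answer; the JSON samples are constructed and the function names are hypothetical.

```python
import json
import re

# Constructed sample: output of `aws sts get-caller-identity` for the CLI profile kubectl uses.
CALLER_IDENTITY = json.loads("""{"UserId": "AIDAEXAMPLEUSERID", "Account": "111122223333",
 "Arn": "arn:aws:iam::111122223333:user/cli-user"}""")

# Constructed sample: trimmed CloudTrail record of the console CreateCluster call.
CREATE_CLUSTER_EVENT = json.loads("""{"eventSource": "eks.amazonaws.com",
 "eventName": "CreateCluster",
 "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
 "requestParameters": {"name": "my-cluster"}}""")

# STS session ARNs look like arn:aws:sts::<account>:assumed-role/<role>/<session>.
_ASSUMED = re.compile(r"^arn:(aws[\w-]*):sts::(\d{12}):assumed-role/([^/]+)/.+$")

def normalize_arn(arn):
    """Map an assumed-role session ARN to its IAM role ARN (path omitted);
    user and root ARNs pass through unchanged."""
    m = _ASSUMED.match(arn)
    if m:
        return "arn:{}:iam::{}:role/{}".format(*m.groups())
    return arn

def cluster_creator(event):
    """Return the normalized principal ARN recorded on an EKS CreateCluster event."""
    if (event.get("eventSource") != "eks.amazonaws.com"
            or event.get("eventName") != "CreateCluster"):
        raise ValueError("not an EKS CreateCluster event")
    return normalize_arn(event["userIdentity"]["arn"])

def diagnose(caller, event):
    """Compare the identity kubectl authenticates as with the cluster creator."""
    me = normalize_arn(caller["Arn"])
    creator = cluster_creator(event)
    # Both sides are normalized the same way, so role sessions compare equal.
    return {"caller": me, "creator": creator, "match": me == creator}

if __name__ == "__main__":
    result = diagnose(CALLER_IDENTITY, CREATE_CLUSTER_EVENT)
    print(result)
    if not result["match"]:
        # Only the creating principal gets the implicit system:masters grant.
        print("CLI identity is not the cluster creator; expect the "
              "'You must be logged in to the server' error from kubectl.")
```
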