This is a hot-patch for the Amazon EKS Workshop to cover the recently announced Cluster Access Management API, which supersedes the old method based on an integration between IAM and the in-cluster aws-auth Kubernetes ConfigMap.
- Let's create an IAM user that will be used to exercise EKS access management.
aws iam create-user --user-name lab-user
- To use it within our lab, let's also create an access key for that IAM user. This is a long-lived credential, so treat the output file as sensitive and delete the key when the lab is finished.
aws iam create-access-key --user-name lab-user | tee lab-user-key.txt
- Then, let's create an AWS CLI profile that uses this IAM principal. Use the values returned by the previous command (AccessKeyId and SecretAccessKey) to answer the prompts. If you no longer have the output on screen, check the file named lab-user-key.txt in your current working directory.
aws configure --profile lab-user
- Explore the Cluster Access Management API using the EKS console, and test the different levels of access using the following commands.
4.1. To enable the lab-user profile, issue:
export AWS_PROFILE=lab-user
4.2. To disable the lab-user profile, issue:
unset AWS_PROFILE
- The kubectl command dynamically obtains credentials through the AWS CLI, so whichever profile is active decides which IAM principal kubectl authenticates as. In our lab, the default AWS credentials have administrative access, while the new profile can be used to test more restrictive permissions.
This is a hot-patch for the Amazon EKS Workshop to cover the recently announced Amazon CloudWatch Observability add-on for Amazon EKS, used instead of the AWS Distro for OpenTelemetry (ADOT) for collecting metrics, logs and traces. This provides compatibility with the Container Insights with enhanced observability feature.
To ensure the CloudWatch Observability add-on has the permissions it needs to call AWS APIs, we will use an IAM role mapped to a specific Kubernetes service account through IAM Roles for Service Accounts (IRSA), so the agent does not have to rely on the node instance role.
- First we need to ensure the EKS cluster has the IAM OIDC Provider associated.
eksctl utils associate-iam-oidc-provider --cluster eks-workshop --approve
- Then, we will use eksctl to create the IAM role with the proper permissions and trust policy. The --role-only flag tells eksctl to create just the IAM role; the Kubernetes service account itself is created by the add-on.
eksctl create iamserviceaccount \
--name cloudwatch-agent \
--namespace amazon-cloudwatch --cluster eks-workshop \
--role-name eks-workshop-cw-observability \
--attach-policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy \
--role-only \
--approve
- Enable the EKS add-on, passing the IAM role created in the previous step.
aws eks create-addon \
--addon-name amazon-cloudwatch-observability \
--cluster-name eks-workshop \
--service-account-role-arn arn:aws:iam::$AWS_ACCOUNT_ID:role/eks-workshop-cw-observability
- Navigate to the Amazon CloudWatch Container Insights console and explore the metrics and logs collected.
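A successful create-addon call only means the request was accepted. The script below is an added example, not workshop code, that verifies the end state the three steps above are meant to reach: the add-on reports ACTIVE, the cloudwatch-agent service account in amazon-cloudwatch carries the IRSA annotation with the role we created, and the agent DaemonSet has rolled out. It assumes the cluster is eks-workshop, the role is eks-workshop-cw-observability, AWS_ACCOUNT_ID is exported, and that the add-on names its agent DaemonSet cloudwatch-agent (an assumption about the add-on's manifests).

```shell
#!/usr/bin/env bash
# Added example (not workshop code): confirm the CloudWatch Observability
# add-on is ACTIVE and its service account really received the IRSA role.
# Assumptions: cluster eks-workshop, role eks-workshop-cw-observability,
# AWS_ACCOUNT_ID exported, agent DaemonSet named cloudwatch-agent.
set -eu

CLUSTER="${CLUSTER:-eks-workshop}"
ADDON="amazon-cloudwatch-observability"
ROLE_NAME="${ROLE_NAME:-eks-workshop-cw-observability}"

# The role ARN we passed to create-addon.
expected_role_arn() {
  printf 'arn:aws:iam::%s:role/%s' "$AWS_ACCOUNT_ID" "$ROLE_NAME"
}

# describe-addon reports CREATING/ACTIVE/DEGRADED/...; only ACTIVE is good.
addon_healthy() {
  case "$1" in
    ACTIVE) return 0 ;;
    *) return 1 ;;
  esac
}

# The IRSA annotation must be present and equal to the requested role.
# An empty or different value means the pods fall back to the node role,
# which usually has far broader permissions than CloudWatchAgentServerPolicy.
role_annotation_matches() {
  annotated="$1"; expected="$2"
  [ -n "$annotated" ] && [ "$annotated" = "$expected" ]
}

verify_addon() {
  status=$(aws eks describe-addon --cluster-name "$CLUSTER" --addon-name "$ADDON" \
             --query 'addon.status' --output text)
  addon_healthy "$status" || { echo "add-on status is $status, not ACTIVE"; return 1; }

  # Dots in the annotation key must be escaped inside the jsonpath expression.
  sa_arn=$(kubectl -n amazon-cloudwatch get serviceaccount cloudwatch-agent \
             -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}')
  role_annotation_matches "$sa_arn" "$(expected_role_arn)" \
    || { echo "service account annotated with '$sa_arn', expected $(expected_role_arn)"; return 1; }

  # Assumed DaemonSet name; wait until every node runs a ready agent pod.
  kubectl -n amazon-cloudwatch rollout status daemonset/cloudwatch-agent --timeout=120s
  echo "add-on ACTIVE, cloudwatch-agent uses $(expected_role_arn)"
}

# Only touch a real cluster when explicitly asked (RUN_LAB=1).
if [ "${RUN_LAB:-0}" = 1 ]; then
  verify_addon
fi
```

Run with RUN_LAB=1 after create-addon returns. If the annotation check fails, the usual cause is a typo in --service-account-role-arn or a trust policy that names a different namespace or service account than amazon-cloudwatch/cloudwatch-agent; `aws iam get-role --role-name eks-workshop-cw-observability` shows the trust policy eksctl generated.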