The following guide explains what happens during the configuration of the devcontainer workspace. If you would like to configure access to the cluster from outside the workspace, follow the guide below; it is not needed if you are working from inside the workspace.

Installing aws-iam-authenticator

First, we’ll need to install the aws-iam-authenticator helper locally:

https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html

Authenticating

Next, we need to add our users to the kubeconfig. Assuming you have a ~/.aws/credentials file similar to this:

[admin]
aws_access_key_id = AKIAUICYRSPXYVKFYTZC
aws_secret_access_key = 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
[developer]
aws_access_key_id = AKIAUICYRSPXXSSGCQHP
aws_secret_access_key = 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

If you don’t have any user configured in ~/.aws/credentials, you can create one with:

aws configure --profile new-user

The general process for adding a context with aws-iam-authenticator is to first create a user in the kubeconfig file whose credentials are obtained by executing aws-iam-authenticator, then add a context that references that user. Here’s how to add the user:

kubectl config set-credentials admin --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-command=aws-iam-authenticator \
  --exec-arg=token \
  --exec-arg=-i \
  --exec-arg=eu-north-1.training.dx-book.com \
  --exec-arg=-r \
  --exec-arg=arn:aws:iam::292243477487:role/KubernetesAdmin \
  --exec-env=AWS_PROFILE=admin

In this command:

  • admin is the name of the kubeconfig user
  • eu-north-1.training.dx-book.com is the cluster ID (-i)
  • arn:aws:iam::292243477487:role/KubernetesAdmin is the IAM role that aws-iam-authenticator assumes (-r)
  • AWS_PROFILE=admin (set via --exec-env) is the profile from ~/.aws/credentials that aws-iam-authenticator uses

After adding the user, you can add a context:

kubectl config set-context admin --cluster=eu-north-1.training.dx-book.com --user=admin

Now let’s do the same for a developer user:

kubectl config set-credentials developer --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-command=aws-iam-authenticator \
  --exec-arg=token \
  --exec-arg=-i \
  --exec-arg=eu-north-1.training.dx-book.com \
  --exec-arg=-r \
  --exec-arg=arn:aws:iam::292243477487:role/Developer \
  --exec-env=AWS_PROFILE=developer

And the matching context:

kubectl config set-context developer --cluster=eu-north-1.training.dx-book.com --user=developer

Let’s switch to the developer context and run some checks:

kubectl config use-context developer

Check whether I can do everything in my current namespace ("*" means all verbs and all resources), followed by a couple of narrower checks:

kubectl auth can-i '*' '*'
kubectl auth can-i create pods --all-namespaces
kubectl auth can-i list deployments.extensions
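The commands above are repeated once per user, and the only thing that changes between the two blocks is the name, the IAM role and the AWS profile. The script below is an added example, not part of the original guide or of the dx-book project: it wraps the set-credentials/set-context pair into one function, refuses to create a kubeconfig user whose AWS_PROFILE does not exist in the credentials file (otherwise the failure only surfaces later as an opaque token error from the exec plugin), and runs the three can-i checks as a small audit that prints one line per check. The cluster ID, account ID and role names are taken from the guide; the KUBECTL and AWS_CREDENTIALS_FILE overrides, the `run` argument and the dry-run with KUBECTL=echo are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original guide). Configures kubeconfig users
# and contexts for EKS via aws-iam-authenticator, validating the AWS profile
# first, then audits what a context is allowed to do.
#   Configure and audit:  sh eks-contexts.sh run
#   Dry run (no kubectl): KUBECTL=echo sh eks-contexts.sh run
set -eu

KUBECTL="${KUBECTL:-kubectl}"                                    # override for dry runs
AWS_CREDENTIALS_FILE="${AWS_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
CLUSTER_ID="${CLUSTER_ID:-eu-north-1.training.dx-book.com}"      # cluster ID from the guide
ACCOUNT_ID="${ACCOUNT_ID:-292243477487}"                         # account ID from the guide

# Return 0 if "[name]" appears as a section header in the credentials file.
profile_exists() {
  grep -q "^\[$1\][[:space:]]*$" "$AWS_CREDENTIALS_FILE" 2>/dev/null
}

# Create a kubeconfig user that obtains its token from aws-iam-authenticator
# and a context of the same name pointing at the cluster.
#   $1 = kubeconfig user/context name, $2 = IAM role name, $3 = AWS profile
add_eks_context() {
  name=$1; role=$2; profile=$3
  if ! profile_exists "$profile"; then
    echo "profile '$profile' not found in $AWS_CREDENTIALS_FILE" >&2
    return 1
  fi
  "$KUBECTL" config set-credentials "$name" \
    --exec-api-version=client.authentication.k8s.io/v1beta1 \
    --exec-command=aws-iam-authenticator \
    --exec-arg=token \
    --exec-arg=-i --exec-arg="$CLUSTER_ID" \
    --exec-arg=-r --exec-arg="arn:aws:iam::${ACCOUNT_ID}:role/${role}" \
    --exec-env="AWS_PROFILE=${profile}"
  "$KUBECTL" config set-context "$name" --cluster="$CLUSTER_ID" --user="$name"
}

# Run the can-i checks from the guide against a context and print one line
# per check. kubectl prints yes/no and exits non-zero for "no", so the exit
# status is ignored and only the printed answer is kept.
#   $1 = context name
audit_context() {
  ctx=$1
  while read -r verb resource extra; do
    # $extra is intentionally unquoted so an empty value adds no argument
    answer=$("$KUBECTL" auth can-i "$verb" "$resource" $extra --context="$ctx" 2>/dev/null) || true
    printf '%-10s %-8s %-25s %s\n' "$ctx" "$verb" "$resource" "${answer:-error}"
  done <<EOF
* *
create pods --all-namespaces
list deployments.extensions
EOF
}

main() {
  add_eks_context admin KubernetesAdmin admin
  add_eks_context developer Developer developer
  "$KUBECTL" config use-context developer
  audit_context developer
}

case "${1:-}" in
  run) main ;;
esac
```

Running it with KUBECTL=echo shows the exact kubectl invocations without touching the kubeconfig, which is a convenient way to review the role ARN and profile mapping before applying it.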