Bobcares

Authorization error in Amazon EKS: Resolved

Nov 10, 2021

Stuck with an authorization error in Amazon EKS? We can help you.

Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.

Today, let us see how our techs resolve this error.

 

Authorization error in Amazon EKS

Most often, when we use the kubectl commands to connect to the Amazon EKS API server, we receive the error:

“Error: You must be logged in to the server (Unauthorized)”

Prior to connecting to the Amazon EKS API server, we need the latest version of the AWS CLI.

Now, our Support Techs recommend a few steps for the cluster-admin to complete:

  • If we’re the cluster creator

1. Initially, to see the configuration of the AWS CLI user or role, we run:

$ aws sts get-caller-identity

The output will return the ARN of the AWS IAM user or role.

For example:

{
    "UserId": "XXXXXXXXXXXXXXXXXXXXX",
    "Account": "XXXXXXXXXXXX",
    "Arn": "arn:aws:iam::XXXXXXXXXXXX:user/testuser"
}

2. We need to confirm that the ARN matches the cluster creator.

3. Then we update or generate the kubeconfig file using either of the following commands:

  • As the IAM user:
$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region
  • As the IAM role:
$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region --role-arn arn:aws:iam::XXXXXXXXXXXX:role/testrole

Make sure to replace eks-cluster-name, aws-region and the role ARN with the values for your own cluster.

4. In addition, we need to check if the kubeconfig file is updated. For that, we run:

$ kubectl config view --minify

5. To confirm the IAM user or role authentication, we run:

$ kubectl get svc

We should receive an output similar to the following:

NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.100.0.1   <none>        443/TCP   77d

  • If we’re not the cluster creator

1. We can see the configuration of the AWS CLI user or role using:

$ aws sts get-caller-identity

The output will return the ARN of the IAM user or role.

2. Then we ask the cluster owner or admin to add the IAM user or role to the aws-auth ConfigMap.

3. The cluster owner or admin runs the following command to edit the aws-auth ConfigMap in a text editor:

$ kubectl edit configmap aws-auth -n kube-system

4. To grant access to an IAM user, our Support Techs recommend adding the user to mapUsers.

For example:

mapUsers: |
  - userarn: arn:aws:iam::XXXXXXXXXXXX:user/testuser
    username: testuser
    groups:
      - system:masters

Add the IAM role to mapRoles. For example:

mapRoles: |
  - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/testrole
    username: testrole
    groups:
      - system:masters

  • If we’re the user or role to receive the error

1. To update or generate the kubeconfig file after the aws-auth ConfigMap has been updated, we run either of the following commands.

  • As the IAM user:
$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region
  • As the IAM role:
$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region --role-arn arn:aws:iam::XXXXXXXXXXXX:role/testrole

2. Then to confirm that the kubeconfig file is updated, we run:

$ kubectl config view --minify

3. Finally, to confirm the IAM user or role authentication, we run:

$ kubectl get svc

The output we receive will be similar to the following:

NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.100.0.1   <none>        443/TCP   77d
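
When the ARN comparison in these steps is done by eye, one mismatch is easy to miss: aws sts get-caller-identity reports an assumed role in its STS form, while aws-auth entries are written as IAM role ARNs. The script below is an added example, not code from Bobcares or AWS; it normalizes the caller ARN, looks it up in aws-auth text, and flags system:masters mappings, which grant unrestricted cluster administration. The account ID 111122223333, the session name and the eks-viewers group are constructed sample values.

```bash
#!/usr/bin/env bash
# Added example: offline check of a caller ARN against aws-auth mappings.
# Live inputs would come from the article's commands, for instance:
#   aws sts get-caller-identity --query Arn --output text
#   kubectl get configmap aws-auth -n kube-system -o yaml   (run by the cluster admin)

# STS reports an assumed role as arn:aws:sts::ACCT:assumed-role/ROLE/SESSION,
# while aws-auth entries use the IAM form arn:aws:iam::ACCT:role/ROLE.
normalize_arn() {
  printf '%s\n' "$1" | sed -E \
    's#^(arn:[^:]+):sts::([^:]*):assumed-role/([^/]+)/.*$#\1:iam::\2:role/\3#'
}

# aws-auth text on stdin; prints "@entry" plus each group of the entry whose ARN is $1.
groups_for_arn() {
  awk -v want="$1" '
    /^[ \t]*-[ \t]*(rolearn|userarn):/ { hit = ($NF == want); if (hit) print "@entry"; next }
    hit && /^[ \t]*-[ \t]+[^ \t]+[ \t]*$/ { print $2 }
  '
}

# Classify as UNMAPPED (no aws-auth entry), ADMIN (system:masters) or MAPPED.
check_mapping() {
  local iam_arn found
  iam_arn=$(normalize_arn "$1")
  found=$(printf '%s\n' "$2" | groups_for_arn "$iam_arn")
  if [ -z "$found" ]; then
    echo "UNMAPPED $iam_arn"
  elif printf '%s\n' "$found" | grep -qx 'system:masters'; then
    echo "ADMIN $iam_arn"
  else
    echo "MAPPED $iam_arn"
  fi
}

# Constructed sample data, not taken from a real cluster.
AWS_AUTH_SAMPLE='mapRoles: |
  - rolearn: arn:aws:iam::111122223333:role/testrole
    username: testrole
    groups:
      - system:masters
mapUsers: |
  - userarn: arn:aws:iam::111122223333:user/testuser
    username: testuser
    groups:
      - eks-viewers'

check_mapping "arn:aws:sts::111122223333:assumed-role/testrole/cli-session" "$AWS_AUTH_SAMPLE"
check_mapping "arn:aws:iam::111122223333:user/testuser" "$AWS_AUTH_SAMPLE"
check_mapping "arn:aws:iam::111122223333:user/otheruser" "$AWS_AUTH_SAMPLE"
```

An UNMAPPED result for the cluster creator is expected, because the creator's access does not appear in aws-auth. Each ADMIN result is worth reviewing to see whether a narrower group would do.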


Conclusion

In short, we saw how our Support Techs resolve the authorization error in Amazon EKS.


2 Comments

  1. some one

    Hello
    What is --role-arn arn:aws:iam::XXXXXXXXXXXX:role/testrole
    This role for what?

    • Hiba Razak

      Hello,
      It is an example for the configuration of role or Amazon Resource Name (ARN) of the IAM user.
