Stuck with unauthorized server error while connecting to EKS API server? We can help you.
Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.
Today, let us see how we can resolve it.
How to resolve unauthorized server error while connecting to EKS API server?
First, to connect to the Amazon EKS API server, install and configure the latest version of the AWS CLI.
Then, the cluster admin must complete the steps in one of the following sections:
- You’re the cluster creator
- You’re not the cluster creator
Finally, the person who received the error must complete the steps in the “You’re the user or role that received the error” section.
Today, let us see the steps followed by our Support techs to resolve it.
You’re the cluster creator
1. To see the configuration of your AWS CLI user or role, run the following command:
$ aws sts get-caller-identity
The output returns the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) user or role. For example:
{
    "UserId": "XXXXXXXXXXXXXXXXXXXXX",
    "Account": "XXXXXXXXXXXX",
    "Arn": "arn:aws:iam::XXXXXXXXXXXX:user/testuser"
}
2. Then, confirm that the ARN matches the cluster creator.
3. Next, update or generate the kubeconfig file using one of the following commands.
As the IAM user, run the following command:
$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region
Note: Replace eks-cluster-name with your cluster name. Replace aws-region with your AWS Region.
As the IAM role, run the following command:
$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region --role-arn arn:aws:iam::XXXXXXXXXXXX:role/testrole
Note: Replace eks-cluster-name with your cluster name. Replace aws-region with your AWS Region.
4. To confirm that the kubeconfig file is updated, run the following command:
$ kubectl config view --minify
5. To confirm that your IAM user or role is authenticated, run the following command:
$ kubectl get svc
The output should be similar to the following:
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.100.0.1   <none>        443/TCP   77d
You’re not the cluster creator
1. To see the configuration of your AWS CLI user or role, run the following command:
$ aws sts get-caller-identity
The output returns the ARN of the IAM user or role.
2. Ask the cluster owner or admin to add your IAM user or role to the aws-auth ConfigMap.
Note: You can also use AssumeRole to log in as the cluster creator if you have the correct IAM permissions.
3. To edit the aws-auth ConfigMap in a text editor, the cluster owner or admin must run the following command:
$ kubectl edit configmap aws-auth -n kube-system
4. To add an IAM user or IAM role, complete either of the following steps.
Add the IAM user to mapUsers. For example:
mapUsers: |
  - userarn: arn:aws:iam::XXXXXXXXXXXX:user/testuser
    username: testuser
    groups:
      - system:masters
Add the IAM role to mapRoles. For example:
mapRoles: |
  - rolearn: arn:aws:iam::XXXXXXXXXXXX:role/testrole
    username: testrole
    groups:
      - system:masters
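A check for the mapping steps above, as an added example that is not part of the original article: when you use a role, aws sts get-caller-identity prints an sts assumed-role ARN, while aws-auth needs the IAM role ARN without a session name or role path. The account ID 111122223333, the group eks-viewers and the function names are constructed for illustration.

```shell
# Added example, not from the original article; sample data is constructed.
# Convert the ARN printed by `aws sts get-caller-identity` into the form
# that aws-auth expects: IAM role ARN, no session name, no role path.
to_aws_auth_arn() {
  arn=$1
  case "$arn" in
    arn:*:sts::*:assumed-role/*)      # assumed-role session ARN
      partition=$(printf '%s' "$arn" | cut -d: -f2)
      account=$(printf '%s' "$arn" | cut -d: -f5)
      role=${arn#*:assumed-role/}     # "testrole/session1"
      printf 'arn:%s:iam::%s:role/%s\n' "$partition" "$account" "${role%%/*}" ;;
    arn:*:iam::*:role/*/*)            # IAM role ARN that includes a path
      printf '%s:role/%s\n' "${arn%%:role/*}" "${arn##*/}" ;;
    *) printf '%s\n' "$arn" ;;        # IAM user or plain role ARN
  esac
}

# Read an aws-auth ConfigMap (YAML) on stdin and print the groups mapped to
# the exact ARN in $1. Assumes the layout shown in this article, where each
# entry starts with "- rolearn:" or "- userarn:".
aws_auth_groups() {
  awk -v arn="$1" '
    { gsub(/"/, "") }
    /rolearn:|userarn:/ { hit = ($NF == arn); next }
    hit && $1 == "-" && NF == 2 { print $2 }
  '
}

# Constructed sample ConfigMap (account ID and eks-viewers are placeholders).
sample_aws_auth() {
  cat <<'EOF'
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/testrole
      username: testrole
      groups:
        - system:masters
  mapUsers: |
    - userarn: arn:aws:iam::111122223333:user/testuser
      username: testuser
      groups:
        - eks-viewers
EOF
}

# Against a live cluster, replace sample_aws_auth with:
#   kubectl get configmap aws-auth -n kube-system -o yaml
caller='arn:aws:sts::111122223333:assumed-role/testrole/session1'
sample_aws_auth | aws_auth_groups "$(to_aws_auth_arn "$caller")"
```

An empty result for the raw caller ARN but a match for the converted one means the mapping exists and only the ARN form differed. system:masters grants unrestricted cluster administration, so review any identity mapped to it.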
You’re the user or role that received the error
1. To update or generate the kubeconfig file after the aws-auth ConfigMap is updated, run either of the following commands.
As the IAM user, run the following command:
$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region
Note: Replace eks-cluster-name with your cluster name. Replace aws-region with your AWS Region.
As the IAM role, run the following command:
$ aws eks update-kubeconfig --name eks-cluster-name --region aws-region --role-arn arn:aws:iam::XXXXXXXXXXXX:role/testrole
Note: Replace eks-cluster-name with your cluster name. Replace aws-region with your AWS Region.
2. To confirm that the kubeconfig file is updated, run the following command:
$ kubectl config view --minify
3. To confirm that your IAM user or role is authenticated, run the following command:
$ kubectl get svc
You should see output similar to the following:
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.100.0.1   <none>        443/TCP   77d
Conclusion
In short, today we discussed the steps followed by our Support Engineers to resolve the unauthorized server error while connecting to the EKS API server.