Unable to create IAM user in AWS labs

Actually, the problem here is that eksctl won’t work in our playground, since it requires a number of permissions that we don’t support. So you’ll need to create an EKS cluster by some other means. Please take a look at our tutorial from the CKA repo, and follow the instructions there carefully; you won’t need to do anything special with IAM to make it work.

But I am able to create an EKS cluster in AWS labs using the Terraform you gave me in another post, and thanks for that.

But my query here is that I need IAM for further practice on the EKS cluster which I create, but it's not working due to IAM constraints, and that has stopped my practice.

Hope you understand the problem now.

I do understand the problem, but due to the need to secure the labs from abuse, we can't accommodate much access to IAM. In particular, we absolutely don't allow privilege escalation in the labs.

So is there no way to use IRSA/IAM service accounts for my EKS cluster?

Probably not, sadly. What's your exact use case? We'd need to ask the engineer that sets up and secures the playground; he'd need to figure out if we can safely allow what you want to do.

There are many use cases, Rob, like:
CSI driver integration with EKS
AWS Secrets integration with EKS
Ingress load balancer and integration of AWS LB with EKS
Authentication/Authorization via IAM users/roles

Also many others, like CI/CD, monitoring/logging and so on, which need an IAM service account, roles or an IAM user for it.

Please talk with your engineer and help on this; otherwise my practice would be stuck, and there's no use of EKS with other AWS services.

I don't want a fully fledged user for it. All I'm looking for is a user which can provide me usage of all the relevant AWS services for an EKS cluster, as we would follow in any organisation.


Which of those require special IAM access? Gotta ask; we'd need to know what all needs to be turned on.

I know you want these things; it’s just that in general, if it’s readily possible to do with the tools AWS gives us to set up the playground, we’re already doing them. Often the things people want in addition can’t be provisioned without opening up a lot more than you think, or can’t be torn down readily or easily at the end of a 3 hour session. Or have pricing structures that don’t lend themselves to that. This limits what we can do, unfortunately.

I need IAM for almost all the services which I mentioned earlier. I don't think cost would be the problem, because it's IAM only, and the services which I want to integrate with my AWS EKS clusters are already being provided in AWS labs. As I said, the main constraint here is the IAM limitation, due to which I'm unable to integrate different AWS services with my AWS EKS cluster, and it's interrupting my practice.

Please try to help on this, or at least give me an alternative.

I’ll pass this to the engineer, which is what I can do for you. Based on previous discussions on the topic, I suspect that iam:AttachUserPolicy is itself problematic; there actually may NOT be a good work-around.

Then what would be the ideal solution for it, so that I can resume my work on it?

Hi Rob/team,

Did you get any update from engineer ?

He assigned it to one of his engineers and I’ve documented what you wrote in our internal system. Up to them now.

So no update till now ?

Hi Rob/team,

Still waiting for an update.

A bit of patience… I've gotten a partial response, but I'll fill you in once they've had the opportunity to actually implement a piece of what was discussed. That will be around the middle of next week, I would expect.

Sure, Rob.

Will be looking for your response.

Hi Rob,

Please let me know if you got any update.

Hi Rob,

Is there any update on the request?

The major news is that since a number of people have asked for OIDC provider support, we’ve added these to the playground. I’m not sure exactly how to use the feature, but try it out, and if it’s unclear how to do it, I’ll get more information from the engineer.

Beyond that, here are some answers to what you asked:

Issue 1: As you've already mentioned in the thread, IAM users are to start with the naming pattern iamuser*
→ Policies attached also follow a similar naming convention, iampolicy*
Again, the kind of policies would typically be read-only access policies.

Issue 3 (combined):
Registering CSI drivers,
Attaching IAM roles to SAs (IRSA),
Creating other users within EKS
These have broad applications, and these permissions might not be provided to the user for security reasons.

Issue 4: Specifically, it appears that the user would like another user created, and to attach permissions to test out varied use cases, something we wouldn't typically be in favour of.
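The post above says OIDC provider support was added but not how it is used. As an added example (not code from the thread, the lab provider, or AWS), here is what the IRSA piece looks like once an IAM OIDC provider exists for the cluster: the role's trust policy, generated for exactly one Kubernetes service account, plus a small lint for the two mistakes that silently turn a per-service-account role into a cluster-wide one. The account ID, issuer URL, namespace and service-account name are constructed placeholders; the iamuser*/iampolicy* prefix check follows the naming rule quoted in the post, with the character class being the one IAM itself allows in names.

```python
import json
import re

# Constructed inputs, not values from the thread: an EKS-style OIDC issuer URL
# (the cluster's "OpenID Connect provider URL") and the account that owns the
# IAM OIDC provider registered for it.
ACCOUNT_ID = "123456789012"
OIDC_ISSUER = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"

# Naming rules quoted in the thread (iamuser*, iampolicy*). The prefix is the
# playground's rule; the character class is IAM's own allowed set for names.
NAME_RULES = {
    "user": re.compile(r"^iamuser[\w+=,.@-]*$"),
    "policy": re.compile(r"^iampolicy[\w+=,.@-]*$"),
}


def name_allowed(kind: str, name: str) -> bool:
    """True if an IAM user/policy name satisfies the playground's prefix rule."""
    return bool(NAME_RULES[kind].match(name))


def oidc_provider_id(issuer_url: str) -> str:
    """Issuer URL minus the scheme. IAM uses this string both in the provider ARN
    and as the prefix of the condition keys (<id>:sub, <id>:aud)."""
    scheme = "https://"
    if not issuer_url.startswith(scheme):
        raise ValueError("OIDC issuer must be an https URL")
    return issuer_url[len(scheme):]


def irsa_trust_policy(account_id: str, issuer_url: str, namespace: str, service_account: str) -> dict:
    """Trust policy for a role that exactly one Kubernetes service account may assume.

    The projected web-identity token carries sub = system:serviceaccount:<ns>:<name>
    and aud = sts.amazonaws.com; pinning both with StringEquals is what makes the
    role per-service-account rather than per-cluster."""
    provider = oidc_provider_id(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        f"{provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                        f"{provider}:aud": "sts.amazonaws.com",
                    }
                },
            }
        ],
    }


def trust_policy_findings(policy: dict) -> list:
    """Lint an IRSA trust policy for conditions that widen who can assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        matched = {**cond.get("StringEquals", {}), **cond.get("StringLike", {})}
        sub = [(k, v) for k, v in matched.items() if k.endswith(":sub")]
        aud = [k for k in matched if k.endswith(":aud")]
        if not sub:
            findings.append("missing :sub condition: every service account in the cluster can assume this role")
        for key, value in sub:
            if "*" in str(value):
                findings.append(f"wildcard in {key} ({value}): more than one service account matches")
        if not aud:
            findings.append("missing :aud condition: tokens minted for another audience are accepted")
    return findings


if __name__ == "__main__":
    # Role for the EBS CSI driver's controller service account (names are placeholders),
    # with a policy name that satisfies the iampolicy* rule.
    policy = irsa_trust_policy(ACCOUNT_ID, OIDC_ISSUER, "kube-system", "ebs-csi-controller-sa")
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
    print("policy name ok:", name_allowed("policy", "iampolicy-ebs-csi"))
```

The generated document is what you would pass as the role's assume-role policy; the permissions policy attached to that role is separate and, per the post, would need an iampolicy* name and would typically be read-only. Run the lint against any trust policy you are handed: a StringLike on :sub with a wildcard, or a missing :aud, is the difference between "this one controller pod" and "any pod in the cluster" being able to assume the role.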

OK, if it can solve my problem then I'm happy to use OIDC as well. Please let me know how to use it.