August 4, 2022

Allowing IAM users to access AWS EKS using kubectl

For any managed service on AWS, the more you rely on IAM for authentication and authorization, the more you reduce your attack surface. In this article, we will see how we can create users of various permission levels in an AWS EKS cluster and map the user to an AWS IAM user.

Table of Contents

Introduction

Accessing AWS EKS using an IAM User

     AWS IAM user that created the cluster

     For any other arbitrary IAM user

Conclusion

Introduction

AWS makes it really easy to start a new Kubernetes cluster where you can deploy your apps while AWS takes care of managing the underlying infrastructure. Like any other managed Kubernetes on the Internet, access to the cluster is determined by the cluster itself. Most cloud providers create a bridge sort of functionality that is used to work with the IAM of the cloud. 

It is interesting to note, both from security and functionality perspective, that the user who created the EKS cluster, regardless of what IAM permissions they have in AWS, will be a cluster administrator. In a future post, we will see how this could lead to a potential scenario where a user with only EKS cluster create permissions, could use the IAM role attached to the cluster to escalate their privileges in order to become an administrator in AWS.

Accessing AWS EKS using an IAM User

There are two scenarios that we need to work with - 

  1. Creating Kubernetes cluster access for an AWS IAM user that created the cluster
  2. Creating Kubernetes cluster access for any other arbitrary AWS IAM user regardless of their privileges within AWS

AWS IAM user that created the cluster

If a user who created the cluster wishes to run kubectl commands then a kubeconfig can be generated using the following command. The IAM user that created the kubernetes cluster, regardless of their IAM privileges, are assigned `system:masters` (admin) privileges in the cluster.

Generating credentials to access the cluster for this user is very straightforward. Here are the steps

  1. Run `aws eks update-kubeconfig --name test-cluster` to generate credentials and add them to `~/.kube/config`

Run `aws eks update-kubeconfig --name test-cluster` to generate credentials and add them to `~/.kube/config`
  1. Run `kubectl get svc` to confirm credentials were generated and are working as intended.

If you have kubectl’s plugin manager, krew, installed (highly recommended), then you can install the access-matrix and whoami plugins to quickly get RBAC information in an easily readable format.

kubectl auth can-i --list

kubectl auth can-i --list

kubectl whoami --all

kubectl whoami --all

As you can see from the output of kubectl whoami --all, the user that created the cluster is automatically added to the system:masters group.

For any other arbitrary IAM user

To create a Kubernetes user and map that user to an AWS IAM user, we will need `eksctl` to fetch IAM and EKS Identity Mapping.

Here are the step by step instructions to do this:

  1. Run these commands as a cluster-admin
  2. In the cluster, create a new ClusterRoleBinding and ClusterRole to allow ReadAccess (`get`, `watch` and `list`) to the cluster. Save the following yaml text to yaml files as named below and apply them to the cluster.


clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
 name: read-cluster-global
subjects:
- kind: Group
 name: reader
 apiGroup: rbac.authorization.k8s.io
roleRef:
 kind: ClusterRole
 name: cluster-reader
 apiGroup: rbac.authorization.k8s.io

clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
 name: cluster-reader
rules:
  - apiGroups: 
      - "*"
    resources:
      - "*"
    verbs:
      - get
      - watch
      - list

  1. Apply these using `kubectl apply -f filename.yaml` for each yaml file
  2. Verify if the clusterrolebinding was created using `kubectl get clusterrolebindings`. An entry for `read-cluster-global` should be present. This group name could be anything you choose.

Verify if the clusterrolebinding was created using `kubectl get clusterrolebindings`

  1. Obtain the ARN of the IAM user that needs to be added to EKS from AWS IAM console
  2. Run `eksctl create iamidentitymapping --cluster <cluster-name> --region=region-code  --arn "IAM-ARN" --group <group-name> --no-duplicate-arns

Run `eksctl create iamidentitymapping --cluster <cluster-name> --region=region-code  --arn "IAM-ARN" --group <group-name> --no-duplicate-arns‍

  1. Run `eksctl get iamidentitymapping --cluster <cluster-name>` to get a list of AWS IAM user mapping to group in the cluster.

Run `eksctl get iamidentitymapping --cluster <cluster-name>` to get a list of AWS IAM user mapping to group in the cluster.‍

  1. Switch to the IAM user that needs access to the cluster and regenerate the kubeconfig using - `aws eks update-kubeconfig --name <cluster-name>`
  2. Running `kubectl auth can-i --list` should show that you now have ReadAccess to the cluster using the IAM user.

Running `kubectl auth can-i --list` should show that you now have ReadAccess to the cluster using the IAM user.

Conclusion

When administering a managed Kubernetes cluster, it is important to map the RBAC capabilities of the cluster to that of IAM users that are restricted and controlled. This ensures there is separation between the cluster RBAC roles and IAM user permissions and auto assigned administrators do not become the single point of access failure. Additionally, you can use the yaml files shown in this article to create other user roles and provide even more restricted access based on who the IAM user is.

***

This article is brought to you by Kloudle Academy, a free e-resource compilation, created and curated by Kloudle. Kloudle is a cloud security management platform that uses the power of automation and simplifies human requirements in cloud security. Receive alerts for Academy by subscribing here.

Written by:
Riyaz Walikar

Riyaz Walikar

Chief Hacker

Riyaz is a security evangelist, offensive security expert and researcher with over a decade of experience in the cyber security industry. His passion to break into some of the most well defended networks and systems in his career spanning 15 years has earned him a lot respect within the security industry. He has led Security Assessment and Penetration Testing teams at Pricewaterhouse Coopers (PwC) and Appsecco, and the Product Security Team at Citrix before co-founding Kloudle. Riyaz now specializes in cloud native, container and cloud security in general, helping build an easy to use security management platform to help companies enhance their visibility in the cloud, identify security misconfigurations and automate remediation for security gaps enabling compliance and operational security in multi-cloud environments. He is also an avid speaker and trainer and presents his research and findings at security conferences and community meetups around the world including BlackHat USA, BH Europe, BH Asia, nullcon and OWASP AppsecUSA.Specialties: Cloud (AWS, GCP, Azure, IBM, Others) Security, Cloud-Native Security, Kubernetes, Container Security, Web Application Security, Network and System Penetration Testing, Wireless Network Security, Malware Analysis and Reverse Engineering, Threat Modelling, Windows Forensics, Security Code Review, Vulnerability Research, Exploit Development and Reverse Engineering. Certifications: CKA, CKAD, OSCP

Read more