Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

how to authenticate to eks cluster using the eks-kubectl-run pipe

martinyung
martinyung
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
January 18, 2020

pipe version: aws-eks-kubectl-run:1.1.1

My Bitbucket Pipeline

- pipe: atlassian/aws-eks-kubectl-run:1.1.1
  variables:
    AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
    AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
    AWS_DEFAULT_REGION: $REGION
    CLUSTER_NAME: $CLUSTER_NAME
    KUBECTL_COMMAND: 'set image deployment/app-frontend app-frontend=$IMAGE_NAME'

Error Message:
Added new context arn:aws:eks:[region]:[aws_id]:cluster/[cluster_name] to /root/.kube/config
Successfully updated the kube config.
error: You must be logged in to the server (Unauthorized)
kubectl set image deployment/app-frontend app-frontend=IMAGE_NAME failed.

can anyone please guide me on how to authenticate using this pipe? as the documentation doesn't say much aside from filling in those required variables.

Thanks 

Answer
Watch
Like # people like this
2837 views

2 answers

1 accepted

2 votes
Answer accepted
martinyung
martinyung
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
January 18, 2020

after much research finally found the solution. Apparently in AWS EKS, by default only the cluster creator IAM can interact with the eks cluster through kubectl.

From AWS EKS Documentation

When you create an Amazon EKS cluster, the IAM entity user or role, such as a federated user that creates the cluster, is automatically granted system:masters permissions in the cluster's RBAC configuration. To grant additional AWS users or roles the ability to interact with your cluster, you must edit the aws-auth ConfigMap within Kubernetes.

AWS EKS Documentation: Managing Users or IAM Roles for your Cluster 

View More Comments
Alexander Zhukov
Alexander Zhukov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 19, 2020

Hi @martinyung , thanks for taking time to share your findings. We will update the docs with more information, including this caveat. 

Like # people like this
Rob Jahn
Rob Jahn
Atlassian Partner
April 10, 2020

I had the same issue running on version atlassian/aws-eks-kubectl-run:1.2.1.  By just edited the config map (kubectl edit -n kube-system configmap/aws-auth) and adding the user I configured in my pipeline fixed it.  Thank you @martinyung this saved alot time!  @Alexander Zhukov if you update the docs, please add to the docs what AWS permissions are required for the AWS user.

Like martinyung likes this
Reply
1 vote
soupdiver
soupdiver
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
September 10, 2020

It seems you can also set `ROLE_ARN` as a variable for the pipe. But to find this I had to  look at the source code....

View More Comments
opicarellieldorado
opicarellieldorado
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
December 2, 2020

Perfect!!! Code here 

1. Configure role:

TRUST="{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"AWS\": \"arn:aws:iam::${ACCOUNT_ID}:root\" }, \"Action\": \"sts:AssumeRole\" } ] }"
echo '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "eks:Describe*", "Resource": "*" } ] }' > /tmp/iam-role-policy
aws iam create-role --role-name EksCodeBuildKubectlRole --assume-role-policy-document "$TRUST" --output text --query 'Role.Arn'
aws iam put-role-policy --role-name EksCodeBuildKubectlRole --policy-name eks-describe --policy-document file:///tmp/iam-role-policy

 

2. Configure AWS-AUTH

ROLE="    - rolearn: arn:aws:iam::${ACCOUNT_ID}:role/EksCodeBuildKubectlRole\n      username: build\n      groups:\n        - system:masters"
kubectl get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$ROLE\";next}1" > /tmp/aws-auth-patch.yml
kubectl patch configmap/aws-auth -n kube-system --patch "$(cat /tmp/aws-auth-patch.yml)"

 
3. Add repository environment ROLE_ARN

4. Add ROLE_ARN=$ROLE_ARN in bitbucket-pipeline.yml


Please attlasian forum, complement the doc with this helpful script

Like Diógenes Castro likes this
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.