
When I run the command kubectl get svc from the tutorial I’m following.

I get: error: You must be logged in to the server (the server has asked for the client to provide credentials).

When I look at my ~/.kube/config file all looks good. The user there is the exact same one that I used to create the cluster in the first place.

So I see two options:

  1. The user has no IAM policy that allows it to run kubectl get svc, which is very probable because all my problems are from IAM.
  2. It has something to do with the IAM principal.

So my questions are: what IAM policies do I need to run kubectl get svc, or alternatively, how do I add an IAM principal to the EKS cluster? The doc is using kubectl to add the IAM principal to the cluster which… that’s a loop with no end in sight.

2 Answers


  1. Chosen as BEST ANSWER

    So the problem is that the user in the aws CLI is an IAM user but the user creating the cluster in the AWS web UI is the root user as per instructions:


    Therefore what you need to do, is instead of doing this in your web console UI, you need to create the cluster using your aws cli:

    aws eks create-cluster --region region-code --name my-cluster --kubernetes-version 1.27 \
       --role-arn arn:aws:iam::111122223333:role/myAmazonEKSClusterRole \
       --resources-vpc-config subnetIds=subnet-ExampleID1,subnet-ExampleID2,securityGroupIds=sg-ExampleID1
    

    You need to replace the subnet IDs and security groups with the ones you created in the previous steps in the original tutorial.

    Also, you will need to give the aws cli user/group a few additional permissions like pass role and a few others too...

    P.S. I do not understand why in the AWS introduction tutorial there is such a monumental error regarding the RBAC permissions of Kubernetes: it's a fact that if you create the EKS cluster in the web, the CLI user won't be able to use it. It's a really crazy error on the part of the person creating the tutorial.

    Also, here is a guide on how to add additional IAM users to the EKS cluster so that they too can use kubectl and access your cluster.


  2. Here are some troubleshooting steps which you can try to fix the error:

    1. Check if the credentials or certificates are expired.

    Try running

    $ gcloud container clusters get-credentials [cluster-name]
    

    While renewing kubernetes certificates, replace the values client-certificate-data and client-key-data in file ~/.kube/config with the values from the updated file in /etc/kubernetes/kubelet.conf of the same name.

    2. The authentication is related to one of the pods which is using a service account that has issues like an invalid token.

    3. When an EKS cluster is created, the user (or role) that creates the cluster is automatically granted the system:master permissions in the cluster’s RBAC configuration. Other users or roles that need the ability to interact with your cluster need to be added explicitly. Refer to the link here for the related info.

    You can also refer to this github link for additional information.

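
Both answers come down to which IAM identity kubectl authenticates as and whether the cluster has a mapping for it. The shell helper below is an added example, not part of either answer or of the AWS tutorial: it takes the ARN reported by aws sts get-caller-identity and prints the matching entry for the data section of the aws-auth ConfigMap. The sample ARNs and the eks-readers group are constructed, and that group still needs its own RBAC binding.

```shell
# Added example, not from the original answers. Sample ARNs are constructed;
# the group name passed to mapping_entry is a hypothetical RBAC group.

# classify_arn ARN: which kind of principal the CLI is authenticating as.
classify_arn() {
  case "$1" in
    arn:aws:iam::*:root)           echo root ;;
    arn:aws:iam::*:user/*)         echo user ;;
    arn:aws:iam::*:role/*)         echo role ;;
    arn:aws:sts::*:assumed-role/*) echo assumed-role ;;
    *)                             echo unknown ;;
  esac
}

# role_arn_for_mapping ARN: the IAM role ARN in the form aws-auth expects.
# A session ARN is reduced to its role, and any role path is dropped.
role_arn_for_mapping() {
  _account=$(printf '%s' "$1" | cut -d: -f5)
  _res=${1##*:}                       # e.g. assumed-role/EksAdmin/session-1
  case "$_res" in
    assumed-role/*) _name=${_res#assumed-role/}; _name=${_name%%/*} ;;
    *)              _name=${_res##*/} ;;
  esac
  echo "arn:aws:iam::${_account}:role/${_name}"
}

# mapping_entry ARN GROUP: print the aws-auth ConfigMap fragment for ARN.
mapping_entry() {
  case "$(classify_arn "$1")" in
    user)
      printf 'mapUsers: |\n  - userarn: %s\n    username: %s\n    groups:\n      - %s\n' \
        "$1" "${1##*/}" "$2" ;;
    role|assumed-role)
      _r=$(role_arn_for_mapping "$1")
      printf 'mapRoles: |\n  - rolearn: %s\n    username: %s\n    groups:\n      - %s\n' \
        "$_r" "${_r##*/}" "$2" ;;
    root)
      # The scenario in answer 1: console root and the CLI's IAM user differ.
      echo "root is a different principal from every IAM user in the account" >&2
      return 1 ;;
    *)
      echo "unrecognised ARN: $1" >&2
      return 1 ;;
  esac
}

# Constructed input: the ARN an IAM user would get back from the CLI.
mapping_entry arn:aws:iam::111122223333:user/cli-user eks-readers
```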