{"id":48609,"date":"2025-02-26T04:55:42","date_gmt":"2025-02-26T04:55:42","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=48609"},"modified":"2026-02-21T07:26:20","modified_gmt":"2026-02-21T07:26:20","slug":"aws-tutorials-how-to-manually-grant-your-federated-iam-user-access-to-kubectl-in-aws-eks","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/aws-tutorials-how-to-manually-grant-your-federated-iam-user-access-to-kubectl-in-aws-eks\/","title":{"rendered":"AWS Tutorials: How to manually grant your Federated IAM User access to kubectl in AWS EKS?"},"content":{"rendered":"\n<p>The AWS EKS authentication method has <strong>changed in 2026<\/strong>, and the <code>aws-auth<\/code> ConfigMap is <strong>no longer used<\/strong> for adding IAM roles. Instead, <strong>IAM Access entries<\/strong> are managed under the <strong>Access<\/strong> tab in the AWS Console.<\/p>\n\n\n\n<p>Here are the <strong>updated steps<\/strong> to manually grant your <strong>Federated IAM User<\/strong> access to <code>kubectl<\/code> in AWS EKS.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"423\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/02\/image-8-1024x423.png\" alt=\"\" class=\"wp-image-48610\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/02\/image-8-1024x423.png 1024w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/02\/image-8-300x124.png 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/02\/image-8-768x317.png 768w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/02\/image-8-1536x634.png 1536w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/02\/image-8-2048x845.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 
class=\"wp-block-heading\"><strong>\u2705 Step 1: Identify Your Federated IAM Role<\/strong><\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Go to AWS Console \u2192 IAM \u2192 Roles<\/strong><\/li>\n\n\n\n<li>Find the <strong>IAM Role<\/strong> associated with your Federated User (SSO\/Federated Access).<\/li>\n\n\n\n<li><strong>Copy the Role ARN<\/strong>, which looks like: <code>arn:aws:iam::329599659644:role\/&lt;Federated-Role-Name&gt;<\/code><\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"421\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/02\/image-9-1024x421.png\" alt=\"\" class=\"wp-image-48611\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/02\/image-9-1024x421.png 1024w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/02\/image-9-300x123.png 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/02\/image-9-768x316.png 768w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/02\/image-9-1536x631.png 1536w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/02\/image-9-2048x842.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\u2705 Step 2: Add the Federated IAM Role in EKS &#8220;Access&#8221; Tab<\/strong><\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Go to AWS Console \u2192 EKS \u2192 Your Cluster (<code>evp-dev-eks<\/code>)<\/strong><\/li>\n\n\n\n<li>Click the <strong>Access<\/strong> tab.<\/li>\n\n\n\n<li>Click <strong>&#8220;Add IAM access entry&#8221;<\/strong>.<\/li>\n\n\n\n<li>Select <strong>IAM Role<\/strong>.<\/li>\n\n\n\n<li>Paste your <strong>Federated Role ARN<\/strong> (<code>arn:aws:iam::329599659644:role\/&lt;Federated-Role-Name&gt;<\/code>).<\/li>\n\n\n\n<li>Assign a <strong>Cluster 
Role<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Choose <strong>Administrator Access<\/strong> (<strong>Full <code>kubectl<\/code> permissions<\/strong>) \u2192 <code>system:masters<\/code><\/li>\n\n\n\n<li>Alternatively, choose <strong>Read-Only Access<\/strong> (<code>View-Only<\/code> role).<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Click <strong>&#8220;Save Changes&#8221;<\/strong>.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\u2705 Step 3: Attach Required IAM Policies to the Federated Role<\/strong><\/h2>\n\n\n\n<p>Your Federated IAM Role <strong>must<\/strong> have the following policies:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Attach Policies to Your Role<\/strong><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>AWS Console \u2192 IAM \u2192 Roles \u2192 <code>&lt;Federated-Role-Name&gt;<\/code><\/strong><\/li>\n\n\n\n<li>Click <strong>Permissions \u2192 Attach Policies<\/strong><\/li>\n\n\n\n<li>Add the following policies:\n<ul class=\"wp-block-list\">\n<li>\u2705 <code>AmazonEKSClusterPolicy<\/code><\/li>\n\n\n\n<li>\u2705 <code>AmazonEKSWorkerNodePolicy<\/code><\/li>\n\n\n\n<li>\u2705 <code>AmazonEKSServicePolicy<\/code><\/li>\n\n\n\n<li>\u2705 <code>eks:AccessKubernetesApi<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Click <strong>Attach Policy<\/strong>.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\u2705 Step 4: Update <code>kubeconfig<\/code> for Federated User<\/strong><\/h2>\n\n\n\n<p>Once IAM access is set, update your local <code>kubeconfig<\/code> to reflect the changes:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">aws eks update-kubeconfig --name evp-dev-eks --region ap-northeast-1 --role-arn arn:aws:iam::329599659644:role\/<span 
class=\"hljs-tag\">&lt;<span class=\"hljs-name\">Federated-Role-Name<\/span>&gt;<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>Then test access:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">kubectl <span class=\"hljs-keyword\">get<\/span> nodes\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\u2705 Step 5: Verify Access<\/strong><\/h2>\n\n\n\n<p>If <code>kubectl get nodes<\/code> <strong>still fails<\/strong>, check:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-3\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">kubectl auth can-i <span class=\"hljs-keyword\">list<\/span> nodes --all-namespaces\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-3\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<ul class=\"wp-block-list\">\n<li>If <strong>&#8220;yes&#8221;<\/strong>, you have 
access.<\/li>\n\n\n\n<li>If <strong>&#8220;no&#8221;<\/strong>, the IAM role or its permissions need adjustment.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\ud83c\udfaf Summary of AWS 2026 EKS Changes<\/strong><\/h3>\n\n\n\n<p>\u2705 The <strong>aws-auth ConfigMap<\/strong> is no longer used.<br>\u2705 IAM roles\/users are now added via <strong>EKS &#8220;Access&#8221; Tab<\/strong>.<br>\u2705 Federated users need <strong>IAM role-based access via IAM access entries<\/strong>.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The AWS EKS authentication method has changed in 2026, and the aws-auth ConfigMap is no longer used for adding IAM roles. Instead, IAM Access entries&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-48609","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48609","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=48609"}],"version-history":[{"count":2,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48609\/revisions"}],"predecessor-version":[{"id":58907,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48609\/revisions\/58907"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2
\/media?parent=48609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=48609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=48609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}