Kubernetes provider for EKS returns Unauthorized


Neil Watson

Oct 2, 2018, 2:06:38 PM10/2/18
to Terraform
I'm trying to provision a working EKS cluster. I've got the AWS resources up with Terraform, but can't get Terraform to provision the kubernetes configuration.  I have this. All the references to the remote state return the correct values.

provider "aws" {}

terraform {
  backend "s3" {
    # Maintained by ansible in ./state/
    bucket = "example-terraform-eks-gir01"
    key    = "k8s"
    region = "us-east-1"
  }
}

# Remote backend for EKS
data "terraform_remote_state" "eks" {
  backend = "s3"
  config = {
    bucket = "example-terraform-eks-gir01"
    key    = "eks"
    region = "us-east-1"
  }
}

provider "kubernetes" {
  host                   = "${data.terraform_remote_state.eks.cluster_endpoint}"
  token                  = "${data.external.aws_iam_authenticator.result.token}"
  load_config_file       = false
  cluster_ca_certificate = "${base64decode(data.terraform_remote_state.eks.cluster_cert.0.data)}"
}

data "external" "aws_iam_authenticator" {
  program = ["${path.module}/get_token.sh", "cluster", "${data.terraform_remote_state.eks.cluster_name}"]
}

resource "kubernetes_config_map" "aws_auth" {
  metadata {
    name      = "aws-auth"
    namespace = "kube-system"
  }
  data {
    "mapRoles" = <<MAPROLES
- rolearn: ${data.terraform_remote_state.eks.node_iam_role}
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
MAPROLES
  }
}

resource "kubernetes_service_account" "tiller" {
  depends_on = ["kubernetes_config_map.aws_auth"]
  metadata {
    name      = "tiller"
    namespace = "kube-system"
  }
}


Here's the external authentication helper. Run by hand the output looks good.


#!/bin/sh
# External data source helper: Terraform writes the data source's "query" map
# to stdin as a JSON object and expects a flat JSON object of strings on stdout.

set -e

eval "$(jq -r '@sh "cluster=\(.cluster)"')"

token=$(aws-iam-authenticator token -i "$cluster" | jq -r '.status.token')

jq -n --arg token "$token" '{"token":$token}'


When I run terraform apply:


Error: Error applying plan:

1 error(s) occurred:

* kubernetes_config_map.aws_auth: 1 error(s) occurred:

* kubernetes_config_map.aws_auth: Unauthorized

What have I done wrong?
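An added diagnostic for the situation in the post above (my example, not code from the thread or from the aws-iam-authenticator project). An aws-iam-authenticator token is the string `k8s-aws-v1.` followed by the unpadded base64url encoding of a presigned STS GetCallerIdentity URL, so it can be decoded offline to see which access key signed it and whether it still passes the checks the authenticator server applies before it ever calls STS (STS host, GetCallerIdentity action, `x-k8s-aws-id` among the signed headers, `X-Amz-Expires` at most 60, and `X-Amz-Date` plus 15 minutes as the hard expiry). That shows which principal the API server will try to map: until an aws-auth ConfigMap exists, only the identity that created the cluster is authorized, and creating that ConfigMap is exactly the request that fails here with Unauthorized. The tokens below are constructed fixtures (AKIAIOSFODNN7EXAMPLE is the AWS documentation example key and the signature is a placeholder; STS would reject them), and the host check is a simplification of the server's regular expression.

```python
"""Inspect an aws-iam-authenticator "k8s-aws-v1." bearer token offline.

Added example, not from the thread. The token wraps a presigned STS
GetCallerIdentity URL; the checks mirror the ones the authenticator server
makes before calling STS, so a token failing them is rejected as Unauthorized.
"""
import base64
import sys
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote, urlencode, urlsplit

TOKEN_PREFIX = "k8s-aws-v1."
TOKEN_LIFETIME = timedelta(minutes=15)   # server: X-Amz-Date + 15 min is the hard expiry
MAX_PRESIGN_EXPIRES = 60                 # server: X-Amz-Expires must be <= 60 seconds
DATE_FORMAT = "%Y%m%dT%H%M%SZ"


def _parse_query(query):
    """Split on '&' only: ';' is data inside X-Amz-SignedHeaders, not a separator."""
    out = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            out[unquote(key).lower()] = unquote(value)
    return out


def inspect_token(token, now=None):
    """Return the identity facts the token carries plus a list of protocol problems."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("not a k8s-aws-v1 token")
    body = token[len(TOKEN_PREFIX):]
    url = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode("ascii")
    parts = urlsplit(url)
    q = _parse_query(parts.query)
    problems = []

    host = parts.netloc.lower()   # simplified form of the server's STS host regex
    if not (host == "sts.amazonaws.com" or (host.startswith("sts.") and host.endswith(".amazonaws.com"))):
        problems.append(f"host {host!r} is not an STS endpoint")
    if parts.path not in ("", "/"):
        problems.append(f"path {parts.path!r} is not /")
    if q.get("action") != "GetCallerIdentity":
        problems.append("Action is not GetCallerIdentity")
    signed_headers = q.get("x-amz-signedheaders", "").split(";")
    if "x-k8s-aws-id" not in signed_headers:
        problems.append("x-k8s-aws-id (the cluster name) is not a signed header")
    try:
        expires_param = int(q.get("x-amz-expires", "0"))
    except ValueError:
        expires_param = -1
        problems.append("X-Amz-Expires is not an integer")
    if expires_param > MAX_PRESIGN_EXPIRES:
        problems.append(f"X-Amz-Expires={expires_param} exceeds {MAX_PRESIGN_EXPIRES}")

    # SigV4 credential scope: <access key id>/<date>/<region>/sts/aws4_request
    scope = q.get("x-amz-credential", "").split("/")
    access_key_id, region = (scope[0], scope[2]) if len(scope) == 5 else ("", "")
    if len(scope) != 5:
        problems.append("X-Amz-Credential is not a SigV4 credential scope")
    if access_key_id.startswith("ASIA"):
        kind = "temporary (assumed role or session; mapped through aws-auth mapRoles)"
    elif access_key_id.startswith("AKIA"):
        kind = "long-lived IAM user key (cluster creator, or aws-auth mapUsers)"
    else:
        kind = "unknown"

    issued_at = expires_at = None
    try:
        issued_at = datetime.strptime(q.get("x-amz-date", ""), DATE_FORMAT).replace(tzinfo=timezone.utc)
        expires_at = issued_at + TOKEN_LIFETIME
    except ValueError:
        problems.append("X-Amz-Date is missing or malformed")
    now = now or datetime.now(timezone.utc)
    if expires_at and now > expires_at:
        problems.append(f"token expired at {expires_at.isoformat()}")

    return {"sts_host": host, "access_key_id": access_key_id, "credential_kind": kind,
            "region": region, "signed_headers": signed_headers, "issued_at": issued_at,
            "expires_at": expires_at, "problems": problems}


def make_fixture_token(access_key_id, region, issued_at, expires=60,
                       signed_headers="host;x-k8s-aws-id", host="sts.amazonaws.com"):
    """Constructed test input with the real URL shape and a placeholder signature."""
    params = [("Action", "GetCallerIdentity"), ("Version", "2011-06-15"),
              ("X-Amz-Algorithm", "AWS4-HMAC-SHA256"),
              ("X-Amz-Credential", f"{access_key_id}/{issued_at:%Y%m%d}/{region}/sts/aws4_request"),
              ("X-Amz-Date", issued_at.strftime(DATE_FORMAT)),
              ("X-Amz-Expires", str(expires)),
              ("X-Amz-SignedHeaders", signed_headers),
              ("X-Amz-Signature", "00" * 32)]
    url = f"https://{host}/?{urlencode(params)}"
    return TOKEN_PREFIX + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


# Constructed fixtures; AKIAIOSFODNN7EXAMPLE is the AWS documentation example key.
FIXTURE_ISSUED_AT = datetime(2018, 10, 2, 18, 6, 38, tzinfo=timezone.utc)
FIXTURE_TOKEN = make_fixture_token("AKIAIOSFODNN7EXAMPLE", "us-east-1", FIXTURE_ISSUED_AT)
FIXTURE_BAD_TOKEN = make_fixture_token("ASIAEXAMPLEEXAMPLE12", "us-east-1", FIXTURE_ISSUED_AT,
                                       expires=900, signed_headers="host")

if __name__ == "__main__":
    # aws-iam-authenticator token -i <cluster> | jq -r .status.token | python3 inspect_token.py
    report = inspect_token(sys.stdin.read().strip())
    for key, value in report.items():
        print(f"{key:16} {value}")
```

Compare the reported access key with what `aws sts get-caller-identity` returns for the credentials that ran the EKS `terraform apply`: an `ASIA` key means a role session and the role's ARN must be the cluster creator (or be listed in mapRoles), an `AKIA` key means the IAM user must be. Two things the decoded URL cannot show are worth checking by hand. The cluster name is only bound into the signature via the `x-k8s-aws-id` header, so a token for the wrong cluster name is indistinguishable here and is still rejected; and Terraform's `external` data source passes the `query` map as JSON on stdin while the extra entries in `program` are only argv, so a script that reads `.cluster` from stdin without a `query = { cluster = ... }` block receives `null` as the cluster name.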

Rafael Salem Gazze

Oct 2, 2018, 2:26:23 PM10/2/18
to terrafo...@googlegroups.com
@Neil

If you do kubectl get svc, does it return anything?

In my case, I'm creating the EKS cluster with a ROLE, and by default whoever creates the cluster has access in the beginning.

Check if you have access in kubectl.



--
Att,
Rafael
M: (11) 9 4028-7934
M: (11) 9 7627-5554

Neil Watson

Oct 2, 2018, 2:31:16 PM10/2/18
to Terraform
I'm using the same aws user to provision EKS and the policy in this post. Plus I am getting a token from aws-iam-authenticator.

Mark Lehmann

Dec 10, 2018, 4:29:29 AM12/10/18
to Terraform
Hi Folks

Just checking to make sure that the IAM user you are using has the appropriate access as per the following page as a reference: https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html

Best,

Mark