How to add a user to aws-auth config map in Kubernetes?

Instructions

To add a user to the aws-auth ConfigMap in Kubernetes using Pulumi in TypeScript, we will follow these steps:

  1. Setup Pulumi Project: Initialize a new Pulumi project and set up the necessary AWS and Kubernetes providers.
  2. Retrieve the aws-auth ConfigMap: Use the Kubernetes provider to get the existing aws-auth ConfigMap from the kube-system namespace.
  3. Modify the ConfigMap: Add the new user to the mapUsers section of the ConfigMap’s data.
  4. Apply the Changes: Update the ConfigMap with the modified data.
  5. Deploy the Changes: Use Pulumi to deploy the changes to the Kubernetes cluster.

Key services involved in this solution include:

  • Pulumi: For managing infrastructure as code.
  • AWS: The cloud provider where the Kubernetes cluster is running.
  • Kubernetes: The container orchestration platform where the aws-auth ConfigMap is managed.

Let’s proceed with the detailed steps and code implementation.

Code Example

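import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as k8s from "@pulumi/kubernetes";
import * as yaml from "js-yaml";

// Create an EKS cluster
const cluster = new aws.eks.Cluster("my-cluster", {
    roleArn: "arn:aws:iam::123456789012:role/EKSClusterRole",
    vpcConfig: {
        subnetIds: ["subnet-12345678", "subnet-87654321"],
    },
});

// Create a Kubernetes provider.
// The exec credential uses client.authentication.k8s.io/v1beta1; Kubernetes 1.24 and later clients reject v1alpha1.
const k8sProvider = new k8s.Provider("k8sProvider", {
    kubeconfig: pulumi.all([cluster.endpoint, cluster.certificateAuthority, cluster.name]).apply(([endpoint, cert, name]) =>
        `{
            "apiVersion": "v1",
            "clusters": [{
                "cluster": {
                    "server": "${endpoint}",
                    "certificate-authority-data": "${cert.data}"
                },
                "name": "${name}"
            }],
            "contexts": [{
                "context": {
                    "cluster": "${name}",
                    "user": "aws"
                },
                "name": "${name}"
            }],
            "current-context": "${name}",
            "kind": "Config",
            "users": [{
                "name": "aws",
                "user": {
                    "exec": {
                        "apiVersion": "client.authentication.k8s.io/v1beta1",
                        "command": "aws-iam-authenticator",
                        "args": ["token", "-i", "${name}"],
                        "env": [{"name": "AWS_PROFILE", "value": "default"}]
                    }
                }
            }]
        }`
    ),
});

// Retrieve the existing aws-auth ConfigMap
const awsAuthConfigMap = k8s.core.v1.ConfigMap.get("awsAuthConfigMap", "kube-system/aws-auth", { provider: k8sProvider });

// Define the new user to be added.
// system:masters grants unrestricted cluster-admin access; map the user to a
// narrower RBAC-bound group where full admin rights are not required.
const newUser = {
    userarn: "arn:aws:iam::123456789012:user/new-user",
    username: "new-user",
    groups: ["system:masters"],
};

// Append the new user to the existing mapUsers entries instead of replacing them.
// mapUsers is stored as a YAML string, so parse it, merge, and serialize it again.
const updatedMapUsers = awsAuthConfigMap.data.apply(data => {
    const existing = (yaml.load(data?.mapUsers ?? "[]") as Array<{ userarn: string }> | undefined) ?? [];
    // Drop any earlier entry for the same ARN so repeated deployments stay idempotent
    const others = existing.filter(u => u.userarn !== newUser.userarn);
    return yaml.dump([...others, newUser]);
});

// Patch only the mapUsers key of the existing ConfigMap; mapRoles and other keys are left untouched.
// ConfigMapPatch requires server-side apply on the provider. If another field manager already owns
// data.mapUsers the patch reports a conflict, which the pulumi.com/patchForce annotation can override.
new k8s.core.v1.ConfigMapPatch("updatedAwsAuthConfigMap", {
    metadata: { name: "aws-auth", namespace: "kube-system" },
    data: { mapUsers: updatedMapUsers },
}, { provider: k8sProvider });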
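
The newUser entry above places an IAM user in system:masters, so a review step before the ConfigMap is applied is worth having. The following check is an added example, not part of the original answer or of Pulumi's code; `auditMapUsers`, the finding names, the trusted-account list and the sample entries are assumptions constructed for illustration, and it expects mapUsers already parsed into objects.

```typescript
// Added example: review aws-auth mapUsers entries before they are applied.
// Entry shape follows the page's newUser object; function and finding names are hypothetical.
interface MapUser { userarn: string; username: string; groups: string[]; }
interface Finding { userarn: string; issue: string; }

// IAM user ARN: arn:aws:iam::<12-digit account>:user/<optional path/>name
const USER_ARN = /^arn:aws:iam::(\d{12}):user\/[\w+=,.@\/-]+$/;

function auditMapUsers(entries: MapUser[], trustedAccounts: string[]): Finding[] {
    const findings: Finding[] = [];
    const seen = new Set<string>();
    for (const e of entries) {
        const account = USER_ARN.exec(e.userarn)?.[1];
        if (account === undefined) {
            // Role ARNs belong in mapRoles; anything else is a typo or a bad paste.
            findings.push({ userarn: e.userarn, issue: "not-an-iam-user-arn" });
        } else if (!trustedAccounts.includes(account)) {
            // The IAM user lives in an account the cluster owner did not list.
            findings.push({ userarn: e.userarn, issue: "untrusted-account" });
        }
        if (seen.has(e.userarn)) {
            findings.push({ userarn: e.userarn, issue: "duplicate-entry" });
        }
        seen.add(e.userarn);
        if (e.groups.includes("system:masters")) {
            // Unrestricted cluster-admin access: every such entry needs an owner's sign-off.
            findings.push({ userarn: e.userarn, issue: "cluster-admin-group" });
        }
    }
    return findings;
}

// Constructed sample entries (account IDs and names are made up).
const sampleEntries: MapUser[] = [
    { userarn: "arn:aws:iam::123456789012:user/new-user", username: "new-user", groups: ["system:masters"] },
    { userarn: "arn:aws:iam::123456789012:user/ci-deployer", username: "ci-deployer", groups: ["deployers"] },
    { userarn: "arn:aws:iam::210987654321:user/contractor", username: "contractor", groups: ["viewers"] },
    { userarn: "arn:aws:iam::123456789012:role/Admin", username: "admin", groups: ["system:masters"] },
    { userarn: "arn:aws:iam::123456789012:user/ci-deployer", username: "ci2", groups: ["deployers"] },
];

const sampleFindings = auditMapUsers(sampleEntries, ["123456789012"]);
console.log(sampleFindings);
```

Running it in CI against the merged entry list, and failing the deployment on any finding that has not been explicitly accepted, keeps unexpected cluster-admin mappings from reaching the cluster.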
