For background, see: https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/157
The "getting started" documentation for generating a kubeconfig (aws eks update-kubeconfig) doesn't work for users who use STS and assumed roles with profiles. "Solution" presented in the GH issue above, and discussed briefly here: https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
This is confusing.
When you create an Amazon EKS cluster, the IAM entity user or role (for example, for federated users) that creates the cluster is automatically granted system:master permissions in the cluster's RBAC configuration. And only that IAM entity user or role will be able to access the EKS cluster. To grant additional AWS users or roles the ability to interact with your cluster, you must edit the aws-auth ConfigMap within Kubernetes.
It's nothing to do with the STS and assumed roles.
This works for me:
$ AWS_PROFILE=something aws eks update-kubeconfig
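As an added example (not from this issue, the authenticator project, or the AWS docs), the two pieces that have to line up for an assumed role to reach the cluster: an aws-auth ConfigMap entry mapping the IAM role to a Kubernetes group, and a kubeconfig user whose exec credential plugin runs under the profile that assumes that role. The account id, role names, cluster name and profile name are placeholders.

```yaml
# aws-auth ConfigMap in kube-system. Until an entry for it exists here, an
# identity other than the cluster creator gets "Unauthorized" from the API server.
# Placeholders: 111122223333 (account), eks-ci-deployer (role), my-cluster (cluster).
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Worker node instance role; needed so nodes can join the cluster.
    - rolearn: arn:aws:iam::111122223333:role/eks-node-instance-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    # Role that humans or CI assume via STS. Map the IAM role ARN (without any
    # path component), not the STS assumed-role session ARN. Bind the group to
    # a narrower ClusterRole once bootstrap is done instead of system:masters.
    - rolearn: arn:aws:iam::111122223333:role/eks-ci-deployer
      username: ci-deployer
      groups:
        - system:masters
---
# kubeconfig user entry. The exec plugin runs with AWS_PROFILE set, so the
# assume-role configuration of that profile is what signs the token request.
# (The aws-iam-authenticator binary can be substituted for `aws eks get-token`.)
apiVersion: v1
kind: Config
users:
  - name: my-cluster-ci
    user:
      exec:
        apiVersion: client.authentication.k8s.io/v1beta1
        command: aws
        args: ["eks", "get-token", "--cluster-name", "my-cluster"]
        env:
          - name: AWS_PROFILE
            value: ci-deployer-profile
```

Verify the mapping took effect with `kubectl auth can-i --list` while using that profile; a misnamed role or an ARN with a path still authenticates at STS but is rejected by the authenticator.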
Although, the "only that IAM entity user or role will be able to access the cluster" thing is really annoying. This looks nothing like any other AWS service.
@junze-amz The documentation should clarify this then. Like others have said, this does not work like other AWS-native tools and services that we are used to working with.
This is already documented here: Managing Users or IAM Roles for your Cluster - https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
I will also add that only that IAM entity user or role will be able to access the cluster makes it really hard (and sometimes impossible) to create an EKS cluster within a CI system since only the CI user will be able to access the cluster.
w.r.t. aws eks update-kubeconfig, https://github.com/aws/aws-cli/pull/3683 was merged after your issue was filed, and may handle your original issue. It allows specifying an AWS_PROFILE, specifically for my use case of assumed roles in a multi-account setting.
@mbarrien Thank you, this should be helpful!