AWS EKS Cluster Configuration

Guide for configuring AWS EKS for Hava

Unfortunately, AWS IAM does not support giving a role or user in the parent account access to EKS clusters directly, so a configuration change has to be made in each cluster. This guide steps you through creating a ClusterRole with the appropriate access, binding it to a Kubernetes group, and mapping an AWS IAM role to that group so the role can access the cluster.

In this guide we use eksctl to apply changes to the aws-auth ConfigMap; you can also edit the ConfigMap directly if you don't have eksctl installed. See Enabling IAM user and role access to your cluster for more information about modifying aws-auth.

1. Create a read-only cluster role

First we will create a new read-only ClusterRole and bind it to a group called hava-ro, which we will use later.

The YAML manifest below sets up the role and the binding. Download it and apply it to your Kubernetes cluster using kubectl:

kubectl apply -f <file name>

---
# Read-only ClusterRole: get/list/watch on every resource in the listed API groups.
# Note: "*" in the core ("") API group also covers Secrets, even with read-only verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: hava-ro
rules:
  - apiGroups:
      - ""
    resources: ["*"]
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources: ["*"]
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources: ["*"]
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources: ["*"]
    verbs:
      - get
      - list
      - watch
---
# Bind the ClusterRole to the Kubernetes group "hava-ro"; the aws-auth mapping in
# step 2 places the cross-account IAM role into this group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: hava-ro
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: hava-ro
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: hava-ro
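
Because the role above uses a wildcard in the core API group, it is worth confirming after you apply it that the hava-ro ClusterRole is still read-only and knowing that it can read Secrets. The following added script (not part of Hava's tooling; the sample role is constructed from the manifest above in the JSON form `kubectl get clusterrole hava-ro -o json` returns) audits a ClusterRole for verbs beyond get/list/watch and for rules that expose Secrets:

```python
import json
import sys

READ_ONLY_VERBS = {"get", "list", "watch"}
# Reading these core-group resources exposes credentials even with read-only verbs.
SENSITIVE_CORE_RESOURCES = {"secrets"}

# Constructed input: the hava-ro ClusterRole from this guide, as `kubectl get
# clusterrole hava-ro -o json` would return it (only the fields the audit needs).
SAMPLE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "hava-ro"},
    "rules": [
        {"apiGroups": [""], "resources": ["*"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["extensions"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["networking.k8s.io"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    ],
}


def audit_clusterrole(role):
    """Return rule indexes that grant write verbs or can read Secrets."""
    findings = {"write_verbs": [], "secrets_readable": []}
    for idx, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        groups = rule.get("apiGroups", [])
        resources = set(rule.get("resources", []))
        # Any verb outside get/list/watch (including "*") lets the subject mutate the cluster.
        extra = verbs - READ_ONLY_VERBS
        if extra:
            findings["write_verbs"].append((idx, sorted(extra)))
        # A wildcard resource in the core group, or "secrets" explicitly, exposes Secret contents.
        core = "" in groups or "*" in groups
        if core and ("*" in resources or resources & SENSITIVE_CORE_RESOURCES):
            findings["secrets_readable"].append(idx)
    return findings


def is_read_only(role):
    """True when no rule grants anything beyond get/list/watch."""
    return not audit_clusterrole(role)["write_verbs"]


if __name__ == "__main__":
    # Usage: kubectl get clusterrole hava-ro -o json | python3 audit_role.py
    role = SAMPLE_ROLE if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(audit_clusterrole(role), indent=2))
    sys.exit(0 if is_read_only(role) else 1)
```

For the manifest above the script reports no write verbs and flags rule 0 (the core-group wildcard) as able to read Secrets; tighten that rule to the specific resources you need if Secret access is not acceptable.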

2. Update cluster auth configuration

Next we will use eksctl to update the aws-auth ConfigMap so that the role you use for cross-account access is allowed into the cluster.

Make sure you are logged in as an AWS user that has access to the cluster, and run the following command:

eksctl create iamidentitymapping --cluster <cluster name> --region=<region name> --arn <cross account role arn> --group hava-ro --username hava-ro

Replace:

<cluster name> with the name of the cluster you are updating

<region name> with the AWS region the cluster is in

<cross account role arn> with the ARN of the role you provide to Hava to import your data

3. Trigger sync on your source

The last thing to do is to trigger a synchronization of the source in the Hava UI, to import your Kubernetes information and draw a container diagram for your EKS cluster.
