# AWS CLI instalado y configurado
aws --version
aws configure list
# kubectl instalado
kubectl version --client
# Permisos IAM adecuados
aws sts get-caller-identity{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:*",
"iam:GetRole",
"iam:ListRoles",
"iam:PassRole"
],
"Resource": "*"
}
]
}# Descargar el binario
curl -o aws-iam-authenticator https://amazon-eks.s3.us-west-2.amazonaws.com/1.21.2/2021-07-05/bin/linux/amd64/aws-iam-authenticator
# Dar permisos de ejecución
chmod +x ./aws-iam-authenticator
# Mover al PATH
sudo mv aws-iam-authenticator /usr/local/bin/
# Verificar instalación
aws-iam-authenticator version# Usando Homebrew
brew install aws-iam-authenticator
# Verificar instalación
aws-iam-authenticator version# Descargar el ejecutable
Invoke-WebRequest -Uri https://amazon-eks.s3.us-west-2.amazonaws.com/1.21.2/2021-07-05/bin/windows/amd64/aws-iam-authenticator.exe -OutFile aws-iam-authenticator.exe
# Mover a una ubicación en el PATH
Move-Item .\aws-iam-authenticator.exe C:\Windows\System32\# ~/.kube/config
apiVersion: v1
kind: Config
clusters:
- cluster:
server: <endpoint-cluster>
certificate-authority-data: <ca-data>
name: kubernetes
users:
- name: aws
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
command: aws-iam-authenticator
args:
- token
- --cluster-id
- <cluster-name>
- --region
- <region>
contexts:
- context:
cluster: kubernetes
user: aws
name: aws
current-context: aws{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<account>:oidc-provider/<oidc-provider>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<oidc-provider>:sub": "system:serviceaccount:kube-system:aws-node"
}
}
}
]
}# Actualizar kubeconfig para EKS
aws eks update-kubeconfig \
--name cluster-name \
--region region-name
# Verificar conexión
kubectl get nodes# aws-auth-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapRoles: |
- rolearn: arn:aws:iam::account:role/role-name
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
mapUsers: |
- userarn: arn:aws:iam::account:user/user-name
username: admin
groups:
- system:masters# role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: user1
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:DescribeCluster"
],
"Resource": "arn:aws:eks:region:account:cluster/*"
}
]
}# Rotar credenciales regularmente
aws iam create-access-key
aws iam delete-access-key
# Usar roles en lugar de usuarios
aws iam create-role
# Implementar el principio de mínimo privilegio
aws iam attach-role-policy# Verificar configuración actual
aws-iam-authenticator verify
# Revisar logs
kubectl logs -n kube-system deployment/aws-iam-authenticator
# Auditar accesos
aws cloudtrail lookup-events# Error de autenticación
aws-iam-authenticator token -i cluster-name --token-only
# Verificar configuración
kubectl config view
# Probar conexión
kubectl auth can-i get pods# Verificar roles
aws iam list-roles | grep eks
# Verificar mapeo de usuarios
kubectl get configmap aws-auth -n kube-system -o yaml
# Verificar permisos
aws sts get-caller-identity#!/bin/bash
# validate-auth.sh
echo "Verificando configuración de aws-iam-authenticator..."
# Verificar instalación
if ! command -v aws-iam-authenticator &> /dev/null; then
echo "aws-iam-authenticator no está instalado"
exit 1
fi
# Verificar credenciales AWS
if ! aws sts get-caller-identity &> /dev/null; then
echo "Credenciales AWS no configuradas"
exit 1
fi
# Verificar conexión al cluster
if ! kubectl get nodes &> /dev/null; then
echo "No se puede conectar al cluster"
exit 1
fi
echo "Configuración correcta"#!/bin/bash
# setup-auth.sh
CLUSTER_NAME=$1
REGION=$2
if [ -z "$CLUSTER_NAME" ] || [ -z "$REGION" ]; then
echo "Uso: $0 <cluster-name> <region>"
exit 1
fi
# Actualizar kubeconfig
aws eks update-kubeconfig \
--name $CLUSTER_NAME \
--region $REGION
# Verificar configuración
kubectl config current-context# .github/workflows/deploy.yml
name: Deploy to EKS
on:
push:
branches: [ main ]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Install aws-iam-authenticator
run: |
curl -o aws-iam-authenticator https://amazon-eks.s3.us-west-2.amazonaws.com/1.21.2/2021-07-05/bin/linux/amd64/aws-iam-authenticator
chmod +x ./aws-iam-authenticator
sudo mv aws-iam-authenticator /usr/local/bin/
- name: Deploy to EKS
run: |
aws eks update-kubeconfig --name cluster-name --region us-east-1
kubectl apply -f k8s/# Generar token de autenticación
aws-iam-authenticator token -i cluster-name
# Verificar versión
aws-iam-authenticator version
# Verificar configuración
aws-iam-authenticator verify -i cluster-name
# Listar clusters disponibles
aws eks list-clusters
# Verificar acceso a recursos
kubectl auth can-i list pods --namespace defaultEsta guía proporciona una base sólida para trabajar con AWS IAM Authenticator. Recuerda mantener actualizadas las herramientas y seguir las mejores prácticas de seguridad de AWS.