How can I grant eks cluster permission to aws sso user?

Question

I deployed a EKS cluster via a IAM user and need to give full cluster permission to other aws sso users. I followed this instruction https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html but still can't make it work.

I got below error when run this command by a sso user:

$ kubectl get pods
error: You must be logged in to the server (Unauthorized)

In the doc they say to create aws-auth ConfigMap to map the role as below. But I am not sure what the role arn I should specify. I am using EKS + Fargate so there is no node group or node instance in my cluster. So what kind of role should I specify in below configuration>

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <ARN of instance role (not instance profile)>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes

Answer 1

There is a great article explaining your scenario

https://medium.com/swlh/secure-an-amazon-eks-cluster-with-iam-rbac-b78be0cd95c9

Answer 2

You should specify:

- rolearn: arn:aws:iam::<aws account id>:role/<federated user>
  username: {{SessionName}}
  groups:
    - system:masters

Please note that "< aws account id >" is the ID of the AWS account in which the EKS cluster is created, and "< federated user >" is the SSO user with which you are accessing this account. This policy will add admin access rights to your k8s cluster. You can obtain the "< federated user >" by logging into an account with that user and in the upper right corner do expand and you will see Federated user. Copy it, and it will look something like this AWSReservedSSO_AdministratorAccess_9999bb9bbbbfff/administrator. Take just the first part before the forward slash.