Open
Description
Currently, if you install the CLI on a new machine and use different AWS credentials (with the `AdministratorAccess` IAM policy attached), running `cortex cluster` commands will not work. We link to a cortex docs page with instructions on how to address this (implemented in #1392):

```
error: your aws iam user does not have access to this cluster; to grant access, see https://docs.cortex.dev/v/master/miscellaneous/security#running-cortex-cluster-commands-from-different-iam-users
```

It would be better if it just works out of the box (assuming that the new IAM user also has the `AdministratorAccess` IAM policy).
Relevant info:
- https://eksctl.io/usage/iam-identity-mappings/
- https://www.cloudjourney.io/articles/publiccloud/managing_eks_access-bs/
- https://aws.amazon.com/premiumsupport/knowledge-center/amazon-eks-cluster-access/
- https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html
- https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-policy-issues/
- https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
- https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
Possible solution:
- Assume the role of an IAM Role that has access to the cluster. There may already be one created (there is a role visible on the EKS console titled "Cluster IAM Role ARN"), or we may have to create one and grant access to it during cluster spin up.
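
The following is an added example, not code from this issue or from the cortex project. It models the lookup described in the linked EKS "add-user-role" guide: the caller's ARN is matched against the `aws-auth` ConfigMap, so attached IAM policies such as `AdministratorAccess` play no part, while a session of a mapped role is accepted. The account ID, role and user names are constructed placeholders, and the ConfigMap is assumed to be already parsed into a dict.

```python
import re

# Constructed sample of aws-auth ConfigMap data (already parsed from YAML).
# Account ID, role name and user names are placeholders, not values from the issue.
AWS_AUTH = {
    "mapRoles": [
        {"rolearn": "arn:aws:iam::111122223333:role/cluster-operator",
         "username": "cluster-operator", "groups": ["system:masters"]},
    ],
    "mapUsers": [
        {"userarn": "arn:aws:iam::111122223333:user/original-admin",
         "username": "original-admin", "groups": ["system:masters"]},
    ],
}

# STS reports an assumed role as arn:<partition>:sts::<account>:assumed-role/<role>/<session>
_ASSUMED_ROLE = re.compile(
    r"^arn:(aws[\w-]*):sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def canonical_arn(caller_arn):
    """Convert an STS assumed-role session ARN to the IAM role ARN that
    mapRoles entries use; IAM user ARNs are returned unchanged."""
    match = _ASSUMED_ROLE.match(caller_arn)
    if match:
        partition, account, role = match.groups()
        return f"arn:{partition}:iam::{account}:role/{role}"
    return caller_arn


def kubernetes_identity(caller_arn, aws_auth):
    """Return (username, groups) for the caller, or None when the ARN is not
    mapped. IAM policies attached to the caller are never consulted here."""
    arn = canonical_arn(caller_arn)
    for section, arn_field in (("mapRoles", "rolearn"), ("mapUsers", "userarn")):
        for entry in aws_auth.get(section, []):
            if entry[arn_field] == arn:
                return entry["username"], list(entry.get("groups", []))
    return None


if __name__ == "__main__":
    # A second IAM user on a new machine: unmapped, regardless of its policies.
    print(kubernetes_identity("arn:aws:iam::111122223333:user/new-machine-user", AWS_AUTH))
    # The same person after assuming the mapped role: accepted.
    print(kubernetes_identity(
        "arn:aws:sts::111122223333:assumed-role/cluster-operator/new-machine-user", AWS_AUTH))
```

Mapping one shared role to `system:masters` gives every principal that can assume it full cluster admin, so the role's trust policy becomes the access-control boundary to review.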