# EKS Cluster Access Management

This is a hot-patch for the Amazon EKS Workshop to cover the recently announced Cluster Access Management API, which supersedes the old method based on an integration between IAM and an in-cluster Kubernetes ConfigMap.

## Steps to execute

1. Let's create an IAM user that will be used for exercising EKS access management.

```bash
aws iam create-user --user-name lab-user
```

2. To use it within our lab, let's also create an IAM access key for that IAM user. Note that `tee` writes the secret access key to disk in plain text; remove the file once the profile is configured.

```bash
aws iam create-access-key --user-name lab-user | tee lab-user-key.txt
```

3. Then, let's create an AWS CLI profile that uses this IAM principal. Use the information given by the last command (`AccessKeyId` and `SecretAccessKey`) to answer the prompts. If you no longer have the output on screen, check the file named `lab-user-key.txt` in your current working directory.

```bash
aws configure --profile lab-user
```

4. Explore the Cluster Access Management API using the EKS Console, and test the different levels of access using the following commands.

4.1. To enable the `lab-user` profile, issue:

```bash
export AWS_PROFILE=lab-user
```

4.2. To disable the `lab-user` profile, issue:

```bash
unset AWS_PROFILE
```

5. The `kubectl` command will dynamically pull the necessary credentials using the AWS CLI. In our lab, the default AWS credentials have administrative access, while the new profile can be used with more restrictive permissions.

# Observability with CW Observability Add-on

This is a hot-patch for the Amazon EKS Workshop to cover the recently announced Amazon CloudWatch Observability Add-on for Amazon EKS, used instead of the AWS Distro for OpenTelemetry (ADOT) for collecting metrics, logs and traces. This provides compatibility with the Container Insights with Enhanced Observability feature.

## Steps to execute

In order to ensure the CW Observability Add-on has the proper permissions to communicate with the AWS APIs, we will use an IAM role mapped to a specific Kubernetes service account using IRSA (IAM Roles for Service Accounts).

1. First we need to ensure the EKS cluster has the IAM OIDC provider associated.

```bash
eksctl utils associate-iam-oidc-provider --cluster eks-workshop --approve
```

2. Then, we will use `eksctl` to create the IAM role with the proper permissions and trust policy.

```bash
eksctl create iamserviceaccount \
  --name cloudwatch-agent \
  --namespace amazon-cloudwatch \
  --cluster eks-workshop \
  --role-name eks-workshop-cw-observability \
  --attach-policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy \
  --role-only \
  --approve
```

3. Enable the EKS add-on with the IAM role previously created.

```bash
aws eks create-addon \
  --addon-name amazon-cloudwatch-observability \
  --cluster-name eks-workshop \
  --service-account-role-arn arn:aws:iam::$AWS_ACCOUNT_ID:role/eks-workshop-cw-observability
```

4. Navigate to the Amazon CloudWatch Container Insights console, and explore the metrics and logs collected.
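Returning to step 4 of the Cluster Access Management section: the workshop explores access levels through the console, so here is an added example (not workshop code) that grants `lab-user` read-only access to a single namespace of `eks-workshop` from the AWS CLI and then verifies with `kubectl` that the grant is neither writable nor cluster-wide. It assumes `AWS_ACCOUNT_ID` is exported, the cluster's authentication mode includes the API, and the default credentials are cluster administrators; `AmazonEKSViewPolicy` is the AWS-managed read-only cluster access policy.

```bash
# Added example (not workshop code): grant lab-user read-only access to ONE
# namespace of eks-workshop via the Cluster Access Management API, then check
# the grant is really read-only. Assumes AWS_ACCOUNT_ID is exported, the
# cluster's authentication mode includes the API, and the default credentials
# are cluster administrators.
CLUSTER="${CLUSTER:-eks-workshop}"
LAB_USER="${LAB_USER:-lab-user}"
NAMESPACE="${NAMESPACE:-default}"
# AWS-managed, read-only cluster access policy (view verbs only).
VIEW_POLICY="arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"

principal_arn() {   # IAM user ARN: principal_arn <account-id> <user-name>
  printf 'arn:aws:iam::%s:user/%s\n' "$1" "$2"
}

grant_namespace_view() {
  principal="$1"
  # The access entry only registers the principal; it grants nothing until
  # an access policy (or Kubernetes group) is associated with it.
  aws eks create-access-entry \
    --cluster-name "$CLUSTER" \
    --principal-arn "$principal"
  # Scope the view policy to a single namespace instead of the whole cluster.
  aws eks associate-access-policy \
    --cluster-name "$CLUSTER" \
    --principal-arn "$principal" \
    --policy-arn "$VIEW_POLICY" \
    --access-scope "type=namespace,namespaces=$NAMESPACE"
}

# Succeeds only if lab-user can list pods in NAMESPACE but can neither delete
# them there nor list pods in kube-system (read-only AND namespace-scoped).
verify_least_privilege() {
  can_list=$(AWS_PROFILE="$LAB_USER" kubectl auth can-i list pods -n "$NAMESPACE" || true)
  can_delete=$(AWS_PROFILE="$LAB_USER" kubectl auth can-i delete pods -n "$NAMESPACE" || true)
  can_cross=$(AWS_PROFILE="$LAB_USER" kubectl auth can-i list pods -n kube-system || true)
  [ "$can_list" = "yes" ] && [ "$can_delete" = "no" ] && [ "$can_cross" = "no" ]
}

main() {
  principal=$(principal_arn "$AWS_ACCOUNT_ID" "$LAB_USER")
  grant_namespace_view "$principal"
  verify_least_privilege || { echo "FAIL: $LAB_USER access is broader than intended" >&2; return 1; }
  echo "OK: $LAB_USER has view-only access limited to namespace $NAMESPACE"
}

# Changes are only applied on request, so sourcing this file has no effect.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as `bash grant-view.sh --apply` with administrative credentials active (`unset AWS_PROFILE`); the verification step switches to the `lab-user` profile only for the `kubectl auth can-i` checks.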