fix(pmm): use EKS Access Entries API for cluster access

nogueiraanderson · nogueiraanderson · commit 4d0bdaa7c59f · 2025-11-28T12:14:06.000+01:00
Replace eksctl iamidentitymapping (ConfigMap-based) with EKS Access
Entries API for more reliable user access to pmm-ha-eks clusters.

Changes:
- Add new 'Configure Cluster Access' stage using AWS EKS API
- Dynamically query pmm-eks-admins IAM group for user list
- Add SSO AdministratorAccess role for SSO users
- Simplify kubeconfig command (no --role-arn required)

This fixes AccessDeniedException errors when users try to access
clusters, as Access Entries grant both Kubernetes API and implicit
eks:DescribeCluster permissions.
diff --git a/pmm/v3/pmm3-ha-eks.groovy b/pmm/v3/pmm3-ha-eks.groovy
@@ -98,14 +98,63 @@ EOF
                 withCredentials([aws(credentialsId: 'pmm-staging-slave')]) {
                     sh '''
                         eksctl create cluster -f cluster-config.yaml --timeout=40m --verbose=4
+                    '''
+                }
+            }
+        }
+
+        stage('Configure Cluster Access') {
+            steps {
+                withCredentials([aws(credentialsId: 'pmm-staging-slave')]) {
+                    sh '''
+                        # Add EKSAdminRole with cluster admin access
+                        aws eks create-access-entry \
+                            --cluster-name "${CLUSTER_NAME}" \
+                            --region "${REGION}" \
+                            --principal-arn arn:aws:iam::119175775298:role/EKSAdminRole
+
+                        aws eks associate-access-policy \
+                            --cluster-name "${CLUSTER_NAME}" \
+                            --region "${REGION}" \
+                            --principal-arn arn:aws:iam::119175775298:role/EKSAdminRole \
+                            --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \
+                            --access-scope type=cluster
+
+                        # Add pmm-eks-admins group members dynamically
+                        # To manage access, add/remove users from the pmm-eks-admins IAM group:
+                        # https://us-east-1.console.aws.amazon.com/iam/home#/groups/details/pmm-eks-admins
+                        # CLI: aws iam add-user-to-group --group-name pmm-eks-admins --user-name <username>
+                        USERS=$(aws iam get-group --group-name pmm-eks-admins --query 'Users[].Arn' --output text)
+                        for USER_ARN in $USERS; do
+                            echo "Adding access for ${USER_ARN}..."
+                            aws eks create-access-entry \
+                                --cluster-name "${CLUSTER_NAME}" \
+                                --region "${REGION}" \
+                                --principal-arn "${USER_ARN}" || true
 
-                        # Map EKSAdminRole for IAM users
-                        eksctl create iamidentitymapping \
-                            --cluster "${CLUSTER_NAME}" \
+                            aws eks associate-access-policy \
+                                --cluster-name "${CLUSTER_NAME}" \
+                                --region "${REGION}" \
+                                --principal-arn "${USER_ARN}" \
+                                --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \
+                                --access-scope type=cluster || true
+                        done
+
+                        # Add SSO AdministratorAccess role
+                        aws eks create-access-entry \
+                            --cluster-name "${CLUSTER_NAME}" \
+                            --region "${REGION}" \
+                            --principal-arn "arn:aws:iam::119175775298:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_5922b1e9e802dfa5" || true
+
+                        aws eks associate-access-policy \
+                            --cluster-name "${CLUSTER_NAME}" \
                             --region "${REGION}" \
-                            --arn arn:aws:iam::119175775298:role/EKSAdminRole \
-                            --username eks-admin \
-                            --group system:masters
+                            --principal-arn "arn:aws:iam::119175775298:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_5922b1e9e802dfa5" \
+                            --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \
+                            --access-scope type=cluster || true
+
+                        echo "Access entries configured:"
+                        aws eks list-access-entries --cluster-name "${CLUSTER_NAME}" --region "${REGION}"
                     '''
                 }
             }
@@ -197,7 +246,7 @@ EOF
                         echo ""
 
                         echo "To access this cluster, run:"
-                        echo "aws eks update-kubeconfig --name ${CLUSTER_NAME} --region ${REGION} --role-arn arn:aws:iam::119175775298:role/EKSAdminRole"
+                        echo "aws eks update-kubeconfig --name ${CLUSTER_NAME} --region ${REGION}"
                     '''
                 }
             }
