K8s AWS RBAC Configurations
Request flow: Authentication > Authorization > Admission Controller (handles and manages the authorized user) | Mutating Admission Controller
- Identity Store: where users are stored (IAM on AWS)
- Webhook Token Authentication (EKS)
- RBAC is managed by the K8s API Server; the API Server knows about all resources
- IAM SigV4 token (has a 15m expiry time by default): the user successfully authenticates against AWS IAM (they get a token or a role which allows them to access resources)
- Role (namespaced) and RoleBinding (namespaced): what the user is allowed to do
- ClusterRole: not attached to any namespace
- ClusterRoleBinding
1. Get the AWS IAM Configmap
aws eks get-token --cluster-name my-cluster
*** The API Server sends this token to AWS IAM for verification
aws sts get-caller-identity
kubectl get all --all-namespaces
kubectl edit -n kube-system configmap/aws-auth
kubectl get configmap -n kube-system aws-auth -o yaml > aws.auth.yaml
kubectl get configmap -n kube-system aws-auth -o yaml | grep -v "creationTimestamp\|resourceVersion\|selfLink\|uid" | sed '/^  annotations:/,+2 d' > aws-auth.yaml
2. Add a new IAM User to the aws-auth.yaml
kubectl edit cm -n kube-system aws-auth
# The file already has a data: block holding mapRoles. A YAML document must not
# contain two top-level data: keys, so merge mapUsers under the existing data:
# block (next to mapRoles) before applying.
cat << EoF >> aws-auth.yaml
data:
  mapUsers: |
    - userarn: arn:aws:iam::209537963104:user/nexus-k8s
      username: nexus-k8s
EoF
3. Update the ConfigMap on the K8s cluster
kubectl apply -f aws-auth.yaml
4. Create a Role
cat << EoF > developer-role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: read-only
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["*"]
  verbs: ["list","get","watch"]
EoF
cat << EoF > admin-role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: coderecipes-admin
rules:
- apiGroups: ["*"] # "*" matches every API group, including the core group ("")
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["extensions","apps"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EoF
5. Create a Role Binding
cat << EoF > rbacuser-role-binding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: full-access
  namespace: default
subjects:
- kind: User
  name: user1 # must equal the username mapped in aws-auth (nexus-k8s above), or the binding never matches
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: read-only
  apiGroup: rbac.authorization.k8s.io
EoF
6. Apply Role and Role Binding
kubectl apply -f developer-role.yaml
kubectl apply -f rbacuser-role-binding.yaml
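Before applying the three artifacts above, it is worth checking them against each other. The following is an added example (not part of the original notes) that transcribes the page's Role, RoleBinding and aws-auth username into dicts and flags wildcard or mutating grants and binding subjects that no mapUsers entry produces; the dict contents are constructed from the manifests above.

```python
"""Least-privilege review of the Role, RoleBinding and aws-auth mapping above."""
READ_ONLY_VERBS = {"get", "list", "watch"}

# Manifests from the page, transcribed as dicts (constructed sample input).
READ_ONLY_ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "read-only"},
    "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["list", "get", "watch"]}],
}
ADMIN_ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "coderecipes-admin"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": ["extensions", "apps"], "resources": ["*"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
}
FULL_ACCESS_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "full-access", "namespace": "default"},
    "subjects": [{"kind": "User", "name": "user1"}],
    "roleRef": {"kind": "Role", "name": "read-only"},
}
AWS_AUTH_USERNAMES = {"nexus-k8s"}  # username values from the mapUsers block


def role_findings(role):
    """Findings for rules broader than read-only: wildcards and mutating verbs."""
    findings = []
    for i, rule in enumerate(role["rules"]):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule.get(field, []):
                findings.append(f"rule {i}: wildcard in {field}")
        extra = set(rule.get("verbs", [])) - READ_ONLY_VERBS
        if extra:
            findings.append(f"rule {i}: mutating verbs {sorted(extra)}")
    return findings


def is_read_only(role):
    """True when every rule grants only get/list/watch."""
    return all(set(r.get("verbs", [])) <= READ_ONLY_VERBS for r in role["rules"])


def unmapped_subjects(binding, mapped_usernames):
    """User subjects that no aws-auth mapUsers username produces (binding never matches)."""
    return [s["name"] for s in binding["subjects"]
            if s["kind"] == "User" and s["name"] not in mapped_usernames]
```

Run against the page's manifests it reports the `resources: ["*"]` wildcard in read-only, the all-groups wildcard plus mutating verbs in coderecipes-admin, and that `user1` is not a username mapped in aws-auth.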
Created on 6/18/2021