How to Add Limited Access IAM Users to an EKS Cluster: Complete Guide
By Braincuber Team
Published on April 13, 2026
Elastic Kubernetes Service (EKS) is the fully managed Kubernetes service from AWS. It is deeply integrated with AWS services such as IAM for authentication, CloudWatch for logging, Auto Scaling Groups for scaling worker nodes, and VPC for networking. This complete tutorial shows you how to add limited access IAM users to your EKS cluster with proper Kubernetes RBAC configuration.
What You'll Learn:
- How EKS authentication works with IAM
- Creating an IAM user in the AWS Console
- Configuring the AWS CLI with the new user's credentials
- Creating a Kubernetes Role with limited permissions
- Creating a RoleBinding for the user
- How to add the user to aws-auth ConfigMap
- Testing permissions with kubectl auth can-i
Understanding EKS Authentication
EKS uses IAM to provide authentication to your Kubernetes cluster (via the aws eks get-token command or the AWS IAM Authenticator for Kubernetes). For authorization, it relies on native Kubernetes Role Based Access Control (RBAC). This two-layer security model allows you to leverage AWS IAM for authentication while using Kubernetes RBAC for fine-grained permissions.
IAM for Authentication
AWS Identity and Access Management handles cluster access authentication using the aws eks get-token command or IAM Authenticator.
Kubernetes RBAC
Native Kubernetes Role Based Access Control manages authorization through Roles, ClusterRoles, and RoleBindings.
Step by Step Guide: Creating an IAM User
Create IAM User in AWS Console
In the AWS Console, open the IAM service (under "Security, Identity and Compliance"), select the Users tab and click "Add User".
Enable Programmatic Access
Tick the "Programmatic access" checkbox so the user receives access keys for the AWS CLI. The user does not need any IAM permission to authenticate to EKS; what it may do inside the cluster is decided by the Kubernetes RBAC configured below.
After the user is created, you will receive the Access Key ID and Secret Access Key. These credentials are required for configuring the AWS CLI in the next step.
Configuring AWS CLI
Configure the AWS CLI with the new user's credentials as a named profile using aws configure --profile:
$ aws configure --profile eks-user
AWS Access Key ID [None]: AKIAI44QH8DHBEXAMPLE
AWS Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
Default region name [None]: us-east-1
Default output format [None]: text
Verify the user is properly configured by running the aws sts get-caller-identity command with the profile:
$ aws sts get-caller-identity --profile eks-user
{
"UserId": "AIDAX7JPBEM4A6FTJRTMB",
"Account": "123456789012",
"Arn": "arn:aws:iam::123456789012:user/eks-user"
}
Creating Kubernetes Role and RoleBinding
Now create a Kubernetes Role with limited permissions. The first version only allows listing pods.
Create Kubernetes Role
Create a file named role.yaml with the following content; it grants the list verb on pods and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
# A Role is namespace-scoped; without metadata.namespace it is created in
# the namespace of the current kubectl context
metadata:
  name: eks-user-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
Apply the Role to your Kubernetes cluster:
$ kubectl apply -f role.yaml
Create RoleBinding
Create a RoleBinding that connects the IAM user (by the username it is given in aws-auth below) to the Role. Create role-binding.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: eks-user-role-binding
subjects:
# the subject name must equal the username assigned in the aws-auth ConfigMap
- kind: User
  name: eks-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: eks-user-role
  apiGroup: rbac.authorization.k8s.io
Apply RoleBinding
Remember to apply the RoleBinding:
$ kubectl apply -f role-binding.yaml
Adding User to aws-auth ConfigMap
To grant the IAM user access to your EKS cluster, you must add them to the aws-auth ConfigMap in the kube-system namespace.
Edit aws-auth ConfigMap
Edit the ConfigMap in place with kubectl edit, or export it, modify it and re-apply:
$ kubectl edit configmap aws-auth -n kube-system
Add the user under mapUsers in the aws-auth ConfigMap:
# username is the identity Kubernetes RBAC sees; the RoleBinding above binds
# this User name. The groups list only takes effect if some RoleBinding or
# ClusterRoleBinding names the group (kind: Group) as a subject.
data:
  mapUsers: |
    - userarn: arn:aws:iam::123456789012:user/eks-user
      username: eks-user
      groups:
      - eks-role
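A mapping in aws-auth only gets a user through authentication; whether anything is authorized depends on a RoleBinding or ClusterRoleBinding naming the same username or one of the groups. The script below, an added example that is not part of the original article, reads the JSON that kubectl prints with -o json for the aws-auth ConfigMap and for the cluster's bindings and reports, per mapped IAM identity, which bindings apply and which mappings are dangling, reference an unbound group, or reach cluster-admin (directly or through system:masters). The two JSON samples are constructed to mirror the objects in this article; the break-glass user and ci-deployer role are hypothetical additions so the audit has something to flag and something that passes.

```python
"""Audit aws-auth mappings against RBAC bindings (added example, not article code).
Input is kubectl -o json output; the samples below are constructed to mirror
the article's objects so the script runs offline."""
from __future__ import annotations
import json

# Constructed: kubectl get configmap aws-auth -n kube-system -o json
SAMPLE_AWS_AUTH = json.dumps({"kind": "ConfigMap", "data": {
    "mapUsers": "- userarn: arn:aws:iam::123456789012:user/eks-user\n"
                "  username: eks-user\n  groups:\n  - eks-role\n"
                "- userarn: arn:aws:iam::123456789012:user/break-glass\n"
                "  username: break-glass\n  groups:\n  - system:masters\n",
    "mapRoles": "- rolearn: arn:aws:iam::123456789012:role/ci-deployer\n"
                "  username: ci-deployer\n  groups:\n  - deployers\n"}})

# Constructed: kubectl get rolebindings,clusterrolebindings -A -o json
SAMPLE_BINDINGS = json.dumps({"items": [
    {"kind": "RoleBinding", "metadata": {"name": "eks-user-role-binding", "namespace": "default"},
     "subjects": [{"kind": "User", "name": "eks-user"}],
     "roleRef": {"kind": "Role", "name": "eks-user-role"}},
    {"kind": "RoleBinding", "metadata": {"name": "deployers", "namespace": "staging"},
     "subjects": [{"kind": "Group", "name": "deployers"}],
     "roleRef": {"kind": "Role", "name": "deployer"}}]})


def parse_map_block(block: str) -> list[dict]:
    """Parse the small YAML list stored in mapUsers/mapRoles without PyYAML:
    entries are mappings of scalars (userarn/rolearn/username) plus a
    'groups' list of scalars, which is all EKS puts there."""
    entries, current, list_key = [], None, None
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            line = line[2:].strip()
            if not (": " in line or line.endswith(":")):   # "- item" inside a list
                if current is None or list_key is None:
                    raise ValueError(f"list item outside a list: {raw!r}")
                current[list_key].append(line.strip("'\""))
                continue
            current = {}                                    # "- key: value" opens an entry
            entries.append(current)
        if current is None:
            raise ValueError(f"key outside an entry: {raw!r}")
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip("'\"")
        if value:
            current[key], list_key = value, None
        else:
            current[key], list_key = [], key                # "groups:" opens a list
    return entries


def index_subjects(bindings_json: str) -> dict[tuple[str, str], list[dict]]:
    """Map each (subject kind, subject name) to the bindings naming it."""
    index: dict[tuple[str, str], list[dict]] = {}
    for item in json.loads(bindings_json)["items"]:
        meta, ref = item["metadata"], item["roleRef"]
        label = f"{meta['namespace']}/{meta['name']}" if meta.get("namespace") else meta["name"]
        for subj in item.get("subjects") or []:
            index.setdefault((subj["kind"], subj["name"]), []).append(
                {"binding": label, "roleRef": f"{ref['kind']}/{ref['name']}"})
    return index


def audit_aws_auth(aws_auth_json: str, bindings_json: str) -> list[dict]:
    """One report row per mapped identity: bindings that apply plus findings."""
    index = index_subjects(bindings_json)
    data = json.loads(aws_auth_json)["data"]
    report = []
    for source in ("mapUsers", "mapRoles"):
        for entry in parse_map_block(data.get(source, "")):
            username, groups = entry.get("username", ""), entry.get("groups", [])
            grants = list(index.get(("User", username), []))
            findings = []
            for group in groups:
                if group == "system:masters":
                    findings.append("system:masters grants cluster-admin via the bootstrap ClusterRoleBinding")
                elif group.startswith("system:"):
                    continue        # nodes/bootstrappers are authorized by the Node authorizer, not RBAC
                elif ("Group", group) in index:
                    grants.extend(index[("Group", group)])
                else:
                    findings.append(f"group {group!r} is not a subject of any binding")
            if not grants and "system:masters" not in groups and not username.startswith("system:"):
                findings.append("identity can authenticate but no binding authorizes it")
            findings += [f"{g['binding']} binds cluster-admin" for g in grants
                         if g["roleRef"] == "ClusterRole/cluster-admin"]
            report.append({"source": source, "arn": entry.get("userarn") or entry.get("rolearn"),
                           "username": username, "grants": sorted(g["binding"] for g in grants),
                           "findings": findings})
    return report


if __name__ == "__main__":
    for row in audit_aws_auth(SAMPLE_AWS_AUTH, SAMPLE_BINDINGS):
        print(row["source"], row["username"], row["grants"], row["findings"])
```

Run against a real cluster by piping the two kubectl -o json outputs into the functions instead of the constructed samples. On this article's configuration the report shows eks-user authorized through default/eks-user-role-binding, with the note that the eks-role group in mapUsers is bound to nothing; that is the kind of leftover mapping worth cleaning up during periodic access reviews.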
Testing User Permissions
Test whether the user can access the cluster by impersonating it with the --as flag (the caller doing the impersonation, typically your admin identity, must itself be allowed the impersonate verb):
$ kubectl get pods --as eks-user
Using kubectl auth can-i
Use kubectl auth can-i to check if the user has permission to access specific resources. This is a great way to test permissions without making actual changes.
| Command | Description |
|---|---|
| kubectl auth can-i get pods | Check if user can get pods |
| kubectl auth can-i "*" "*" | Check if user has cluster-admin |
| kubectl auth can-i get pods --as eks-user | Check permissions for specific user |
Configuring Extended Permissions
In real-world scenarios you will usually need broader permissions. Here is a complete Role manifest with access to events, pods, deployments, configmaps, and secrets:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: eks-user-role
rules:
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  # pods/log and pods/exec are subresources and must be named explicitly;
  # "pods" on its own does not cover them
  resources: ["pods", "pods/log", "pods/exec"]
  verbs: ["list", "get", "create", "update", "delete"]
# "extensions" is the legacy API group for Deployments (removed in Kubernetes 1.16);
# "apps" is the current one
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["list", "get", "create", "update", "delete"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["list", "get", "create", "update", "delete"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["list", "get", "create", "update", "delete"]
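kubectl auth can-i answers one question at a time against a live cluster; reviewing a Role before binding it is easier with the same matching logic run locally. The script below is an added example, not code from the article: it implements the RBAC authorizer's rule matching (verb, apiGroup, resource, with "*" wildcards and explicit subresources such as pods/exec) over a Role's JSON, and a small linter that lists the grants a reviewer should look at twice, including list on secrets, which returns full objects with their data, not just names. The two Role documents are constructed to match the list-only Role and the extended Role in this article; the SENSITIVE table is this example's own choice of what to flag.

```python
"""Evaluate a Role's rules like the RBAC authorizer and flag sensitive grants.
Added example, not code from the article. The Role JSON below is constructed
to match the article's two Roles (as kubectl get role -o json would print)."""
import json

# Constructed: the article's extended Role
EXTENDED_ROLE_JSON = json.dumps({"kind": "Role", "metadata": {"name": "eks-user-role"}, "rules": [
    {"apiGroups": [""], "resources": ["events"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods", "pods/log", "pods/exec"],
     "verbs": ["list", "get", "create", "update", "delete"]},
    {"apiGroups": ["extensions", "apps"], "resources": ["deployments"],
     "verbs": ["list", "get", "create", "update", "delete"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["list", "get", "create", "update", "delete"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list", "get", "create", "update", "delete"]}]})

# Constructed: the article's list-only Role
LIMITED_ROLE_JSON = json.dumps({"kind": "Role", "metadata": {"name": "eks-user-role"},
                                "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]}]})


def _resource_matches(rule_resource: str, requested: str) -> bool:
    """RBAC resource matching: '*' matches everything, 'pods' does not cover
    'pods/exec', and '*/exec' covers the exec subresource of every resource."""
    if rule_resource == "*" or rule_resource == requested:
        return True
    if rule_resource.startswith("*/") and "/" in requested:
        return requested.split("/", 1)[1] == rule_resource[2:]
    return False


def can_i(role_json: str, verb: str, resource: str, api_group: str = "") -> bool:
    """Local equivalent of `kubectl auth can-i VERB RESOURCE` against one Role.
    `resource` may include a subresource ('pods/log'); api_group '' is core."""
    for rule in json.loads(role_json).get("rules", []):
        groups = rule.get("apiGroups", [])
        if not (verb in rule["verbs"] or "*" in rule["verbs"]):
            continue
        if not (api_group in groups or "*" in groups):
            continue
        if any(_resource_matches(r, resource) for r in rule.get("resources", [])):
            return True
    return False


# This example's own review list: (resource, verb) pairs in the core group
# that deserve a second look before the Role is bound to anyone.
SENSITIVE = {
    ("secrets", "get"): "reads secret values",
    ("secrets", "list"): "lists secrets; list returns whole objects, data included",
    ("pods/exec", "create"): "opens an interactive session in any pod of the namespace",
    ("pods", "create"): "creates pods, which can mount any service account or secret in the namespace",
}


def sensitive_grants(role_json: str) -> list:
    """Findings for each SENSITIVE grant the Role allows, plus any wildcard rule."""
    findings = [f"{verb} {resource}: {why}"
                for (resource, verb), why in SENSITIVE.items()
                if can_i(role_json, verb, resource)]
    for rule in json.loads(role_json).get("rules", []):
        if "*" in rule["verbs"] or "*" in rule.get("resources", []) or "*" in rule.get("apiGroups", []):
            findings.append(f"wildcard in rule {rule}")
    return findings


if __name__ == "__main__":
    for name, role in (("limited", LIMITED_ROLE_JSON), ("extended", EXTENDED_ROLE_JSON)):
        print(name, "list pods:", can_i(role, "list", "pods"),
              "create pods/exec:", can_i(role, "create", "pods/exec"))
        for finding in sensitive_grants(role):
            print("  review:", finding)
```

The list-only Role produces no findings, which is the point of starting minimal; the extended Role produces four, and the decision to keep each of them should be recorded alongside the RoleBinding. Note that `get deployments` is only allowed with api_group "apps" (or the legacy "extensions"): the core group has no deployments, which is why the extended Role names the group explicitly.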
Frequently Asked Questions
What is the difference between Role and ClusterRole?
Role is namespace-scoped while ClusterRole is cluster-scoped. Use Role for namespace-specific permissions and ClusterRole for resources across all namespaces.
How do I grant admin access to an EKS user?
Create a ClusterRoleBinding with the user mapped to the cluster-admin ClusterRole. This gives full cluster-wide access.
Why can't the user access the cluster after configuration?
Ensure the user is added to aws-auth ConfigMap, the Role/RoleBinding is applied, and the AWS CLI profile is correctly configured with access keys.
Can IAM roles be used instead of IAM users?
Yes, you can add IAM roles to aws-auth ConfigMap under mapRoles. This is common for granting access to EC2 instances or Lambda functions.
How do I revoke EKS access for a user?
Remove the user from the aws-auth ConfigMap mapUsers section and delete the corresponding RoleBinding. The user will no longer be able to access the cluster.
Need Help with EKS Configuration?
Setting up IAM users with proper Kubernetes RBAC permissions requires careful configuration. Our experts can help you set up secure access controls for your EKS cluster.
