Adding Other Members
Add members to your team and give them access to your cluster
Create an AWS user
If you haven’t already, create an AWS user for your team member. You can either create an IAM user or an Identity Center user.
IAM users are specific to one AWS account and have long-term credentials like passwords and access keys, making them suitable for applications needing consistent access. In contrast, Identity Center users can access multiple AWS accounts and applications using temporary credentials through single sign-on (SSO), which is more secure and easier to manage for human users needing access to various resources.
Follow this guide to add an Identity Center user: https://docs.aws.amazon.com/singlesignon/latest/userguide/addusers.html
And this one to add an IAM user: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html
Steps for your team member
1. Install AWS CLI: You can follow these instructions to install AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
2. Configure AWS: Run the aws configure command and enter your ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN (only for Identity Center User) and REGION values as you are prompted. You can also directly modify your ~/.aws/credentials file. Read more about configuring your AWS CLI here: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
3. Get the command for getting access to the cluster: Run the command tensorkube get-permissions-command. This will output an eksctl command that the cluster owner must run in order to give you access to the tensorkube cluster.
4. Sync with the cluster: Once the cluster owner has run the output command in step 3, run the tensorkube sync command to sync your local machine to use the cluster.
While giving access to Identity Center Users, this flow sometimes might not work. In that case, please run the following commands using the latest version of awscli.
Giving Access to Identity Center Users
To give access to Identity Center Users, run the following commands
Here, the ROLE_ARN is the ARN of the role your Identity Center User assumes. So if your federated user is AWSReservedSSO_AdministratorAccess_12345abc/user, you can search for the role AWSReservedSSO_AdministratorAccess_12345abc in the IAM console and get its ARN from there.
The ARN will look something like: arn:aws:iam::123456789:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_12345abc
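As an added example (not part of the Tensorkube docs), the shell functions below let an Identity Center user find the ROLE_ARN from the CLI instead of the IAM console: they take the role name out of the session ARN that aws sts get-caller-identity reports and ask IAM for that role's ARN. The function names and the sample ARN are assumptions built from the values above, and the lookup assumes the caller is allowed to call iam:GetRole.

```bash
#!/usr/bin/env bash
# Added example: find the IAM role ARN behind an Identity Center session.
# Function names are hypothetical; nothing here comes from tensorkube itself.

# Print the role name contained in an STS session ARN of the form
#   arn:<partition>:sts::<account>:assumed-role/<ROLE_NAME>/<SESSION_NAME>
# Returns 1 if the ARN is not a session of an Identity Center
# (AWSReservedSSO_*) role, e.g. when the caller is a plain IAM user.
sso_role_name() {
  local arn="$1" rest name
  case "$arn" in
    arn:*:sts::*:assumed-role/*/*) ;;
    *) echo "not an assumed-role session ARN: $arn" >&2; return 1 ;;
  esac
  rest="${arn#*:assumed-role/}"   # ROLE_NAME/SESSION_NAME
  name="${rest%%/*}"              # ROLE_NAME
  case "$name" in
    AWSReservedSSO_*) printf '%s\n' "$name" ;;
    *) echo "not an Identity Center role: $name" >&2; return 1 ;;
  esac
}

# Print the ROLE_ARN for the credentials currently configured in the AWS CLI.
# The ARN is read from IAM rather than assembled by hand, so the role's
# path segment is whatever IAM has stored for it.
resolve_role_arn() {
  local caller name
  caller="$(aws sts get-caller-identity --query Arn --output text)" || return 1
  name="$(sso_role_name "$caller")" || return 1
  aws iam get-role --role-name "$name" --query 'Role.Arn' --output text
}

# Constructed sample input, using the placeholder account and role from above.
SAMPLE_ARN='arn:aws:sts::123456789:assumed-role/AWSReservedSSO_AdministratorAccess_12345abc/user'

# Usage, run by the Identity Center user after configuring the CLI:
#   resolve_role_arn
```
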
And that’s it! You have successfully added a team member to your Tensorkube cluster. 🚀