Create an AWS user

If you haven’t already, create an AWS user for your team member. You can create either an IAM user or an Identity Center user.

IAM users are specific to one AWS account and have long-term credentials like passwords and access keys, making them suitable for applications needing consistent access. In contrast, Identity Center users can access multiple AWS accounts and applications using temporary credentials through single sign-on (SSO), which is more secure and easier to manage for human users needing access to various resources.

Follow this guide to add an Identity Center user: https://docs.aws.amazon.com/singlesignon/latest/userguide/addusers.html

And this one to add an IAM User: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html

Steps for your team member

  1. Install AWS CLI: Follow these instructions to install the AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

  2. Configure AWS: Run aws configure and enter your ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN (only for Identity Center users) and REGION values as you are prompted. You can also directly modify your ~/.aws/credentials file. Read more about configuring your AWS CLI here: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html

  3. Get the command for getting access to the cluster: Run tensorkube get-permissions-command. This outputs an eksctl command that the cluster owner must run to give you access to the tensorkube cluster.

  4. Sync with the cluster: Once the cluster owner has run the command output in step 3, run tensorkube sync to set up your local machine to use the cluster.

This flow sometimes does not work when giving access to Identity Center users. In that case, run the following commands using the latest version of awscli.

Giving Access to Identity Center Users

To give access to Identity Center users, run the following commands:

aws eks create-access-entry --cluster-name tensorkube --principal-arn <ROLE_ARN> 
aws eks associate-access-policy --cluster-name tensorkube --principal-arn <ROLE_ARN> \
    --access-scope type=cluster --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy

Here, ROLE_ARN is the ARN of the IAM role your Identity Center user assumes. So if your federated user is AWSReservedSSO_AdministratorAccess_12345abc/user, you can search for the role AWSReservedSSO_AdministratorAccess_12345abc in the IAM console and get its ARN from there.

The ARN will look something like: arn:aws:iam::123456789:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_12345abc
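
The role lookup described above can also be scripted instead of done in the IAM console. This is an added example, not part of Tensorkube's documentation or tooling: the function names and the --apply switch are made up for illustration, and it assumes the team member sends the ARN printed by aws sts get-caller-identity.

```shell
#!/usr/bin/env bash
# Added example (not Tensorkube code): resolve the role behind an SSO session.

# Print the role name from an STS assumed-role ARN; return 1 for anything else
# (IAM user ARNs, plain role ARNs, malformed input).
role_name_from_session_arn() {
  local arn="$1" resource name
  case "$arn" in
    arn:aws:sts::*:assumed-role/*/*) ;;
    *) return 1 ;;
  esac
  resource="${arn#arn:aws:sts::*:assumed-role/}"   # ROLE_NAME/SESSION_NAME
  name="${resource%%/*}"
  [ -n "$name" ] || return 1
  printf '%s\n' "$name"
}

# True only for roles under the Identity Center reserved path. The path can
# carry an extra segment before the role name, so the full ARN is looked up
# with iam get-role rather than assembled by hand.
is_identity_center_role_arn() {
  case "$1" in
    arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_*) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve the role ARN, create the access entry, then show what was granted.
# Needs AWS credentials allowed to call iam:GetRole and the EKS access APIs.
grant_cluster_access() {
  local session_arn="$1" cluster="${2:-tensorkube}" name role_arn
  name="$(role_name_from_session_arn "$session_arn")" \
    || { echo "not an assumed-role ARN: $session_arn" >&2; return 1; }
  role_arn="$(aws iam get-role --role-name "$name" --query 'Role.Arn' --output text)" || return 1
  is_identity_center_role_arn "$role_arn" \
    || { echo "refusing: $role_arn is not an Identity Center role" >&2; return 1; }
  aws eks create-access-entry --cluster-name "$cluster" --principal-arn "$role_arn"
  aws eks associate-access-policy --cluster-name "$cluster" --principal-arn "$role_arn" \
    --access-scope type=cluster \
    --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy
  aws eks list-associated-access-policies --cluster-name "$cluster" --principal-arn "$role_arn"
}

# Usage (cluster owner): ./grant.sh --apply '<ARN from aws sts get-caller-identity>'
if [ "${1:-}" = "--apply" ]; then grant_cluster_access "${2:-}" "${3:-tensorkube}"; fi
```

The final list-associated-access-policies call prints the policies now bound to the role, so the cluster owner can confirm that only the intended principal received AmazonEKSClusterAdminPolicy.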


And that’s it! You have successfully added a team member to your Tensorkube cluster. 🚀