chore(eks): improve eks doc for console access (#25606)

pahud · web-flow · commit 3baffd80921a · 2023-07-26T23:10:52.000Z
Improve the EKS doc in terms of the console access. Closes #18843 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/aws-eks/README.md b/packages/aws-cdk-lib/aws-eks/README.md
@@ -928,6 +928,74 @@ declare const role: iam.Role;
 cluster.awsAuth.addMastersRole(role);
 ```
 
+To access the Kubernetes resources from the console, make sure your viewing principal is defined
+in the `aws-auth` ConfigMap. Some options to consider:
+
+```ts
+import { KubectlV27Layer } from '@aws-cdk/lambda-layer-kubectl-v27';
+declare const cluster: eks.Cluster;
+declare const your_current_role: iam.Role;
+declare const vpc: ec2.Vpc;
+
+// Option 1: Add your current assumed IAM role to system:masters. Make sure to add relevant policies.
+cluster.awsAuth.addMastersRole(your_current_role);
+
+your_current_role.addToPolicy(new iam.PolicyStatement({
+  actions: [
+    'eks:AccessKubernetesApi',
+    'eks:Describe*',
+    'eks:List*',
+],
+  resources: [ cluster.clusterArn ],
+}));
+```
+
+```ts
+// Option 2: create your custom mastersRole with scoped assumeBy arn as the Cluster prop. Switch to this role from the AWS console.
+import { KubectlV27Layer } from '@aws-cdk/lambda-layer-kubectl-v27';
+declare const vpc: ec2.Vpc;
+
+const mastersRole = new iam.Role(this, 'MastersRole', {
+  assumedBy: new iam.ArnPrincipal('arn_for_trusted_principal'),
+});
+
+const cluster = new eks.Cluster(this, 'EksCluster', {
+  vpc,
+  version: eks.KubernetesVersion.V1_27,
+  kubectlLayer: new KubectlV27Layer(this, 'KubectlLayer'),
+  mastersRole,
+});
+
+mastersRole.addToPolicy(new iam.PolicyStatement({
+  actions: [
+    'eks:AccessKubernetesApi',
+    'eks:Describe*',
+    'eks:List*',
+],
+  resources: [ cluster.clusterArn ],
+}));
+```
+
+```ts
+// Option 3: Create a new role that allows the account root principal to assume. Add this role in the `system:masters` and witch to this role from the AWS console.
+declare const cluster: eks.Cluster;
+
+const consoleReadOnlyRole = new iam.Role(this, 'ConsoleReadOnlyRole', {
+  assumedBy: new iam.ArnPrincipal('arn_for_trusted_principal'),
+});
+consoleReadOnlyRole.addToPolicy(new iam.PolicyStatement({
+  actions: [
+    'eks:AccessKubernetesApi',
+    'eks:Describe*',
+    'eks:List*',
+],
+  resources: [ cluster.clusterArn ],
+}));
+
+// Add this role to system:masters RBAC group
+cluster.awsAuth.addMastersRole(consoleReadOnlyRole)
+```
+
 ### Cluster Security Group
 
 When you create an Amazon EKS cluster, a [cluster security group](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html)
