AWS and Network Access
Before we take the next step, we’ll need to verify that you have access and permissions for your AWS environment and network.
Step 1: Verify AWS CLI
# Verify AWS CLI version
aws --version
# Required: v1.16.156+ or v2.0+
# Example output: aws-cli/2.13.0 Python/3.11.4 Linux/5.15.0 exe/x86_64.ubuntu.22
If your version is older than the required minimum, update the AWS CLI before continuing.
Step 2: Verify AWS identity and permissions
# Check your current AWS identity
aws sts get-caller-identity
Verify:
- Account is your AWS account
- Arn matches your user or role
- UserId is present
Save your IAM ARN for later steps:
export IAM_ARN=$(aws sts get-caller-identity --query Arn --output text)
echo "export IAM_ARN='$IAM_ARN'" >> ~/.clickhouse-disconnect-env
echo "Your IAM ARN: $IAM_ARN"
Set your cluster details…
export CLUSTER_NAME="your-eks-cluster-name"
export AWS_REGION="us-east-1"
cat >> ~/.clickhouse-disconnect-env <<EOF
export CLUSTER_NAME='$CLUSTER_NAME'
export AWS_REGION='$AWS_REGION'
EOF
…or find the cluster by tags:
aws eks list-clusters --region $AWS_REGION
TAG_KEY="altinity:cloud/env"
TAG_VALUE="altinity-env-name"
CLUSTER_NAME=""
REGION=""
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
echo "Searching in region: $region" >&2
for cluster in $(aws eks list-clusters --region $region --query 'clusters[]' --output text 2>/dev/null); do
value=$(aws eks describe-cluster --region $region --name $cluster \
--query "cluster.tags.\"${TAG_KEY}\"" --output text 2>/dev/null)
if [ "$value" == "$TAG_VALUE" ]; then
CLUSTER_NAME="$cluster"
REGION="$region"
break 2
fi
done
done
if [ -z "$CLUSTER_NAME" ]; then
echo "No cluster found with tag ${TAG_KEY}=${TAG_VALUE}"
exit 1
else
echo "Found cluster: $CLUSTER_NAME in region: $REGION"
# The loop stored the region in REGION; export it under the name later steps use
export AWS_REGION="$REGION"
cat >> ~/.clickhouse-disconnect-env <<EOF
export CLUSTER_NAME='$CLUSTER_NAME'
export AWS_REGION='$AWS_REGION'
EOF
fi
Test EKS access
aws eks describe-cluster --name $CLUSTER_NAME --region $AWS_REGION
If you see AccessDenied, request at least:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListClusters",
        "eks:ListAccessEntries"
      ],
      "Resource": "*"
    }
  ]
}
Step 3: Verify network access to the EKS API
Most Altinity BYOC EKS clusters are private-only. kubectl will only work from inside the VPC or after enabling public access.
source ~/.clickhouse-disconnect-env
Check endpoint configuration
aws eks describe-cluster --name $CLUSTER_NAME --region $AWS_REGION \
--query 'cluster.resourcesVpcConfig.{EndpointPublicAccess:endpointPublicAccess,EndpointPrivateAccess:endpointPrivateAccess}' \
--output table
Get endpoint and VPC information
export EKS_ENDPOINT=$(aws eks describe-cluster --name $CLUSTER_NAME --region $AWS_REGION \
--query 'cluster.endpoint' --output text)
echo "export EKS_ENDPOINT='$EKS_ENDPOINT'" >> ~/.clickhouse-disconnect-env
echo "EKS API Endpoint: $EKS_ENDPOINT"
export EKS_HOST=$(echo $EKS_ENDPOINT | sed 's|https://||')
echo "export EKS_HOST='$EKS_HOST'" >> ~/.clickhouse-disconnect-env
echo "EKS Hostname: $EKS_HOST"
export VPC_ID=$(aws eks describe-cluster --name $CLUSTER_NAME --region $AWS_REGION \
--query 'cluster.resourcesVpcConfig.vpcId' --output text)
echo "VPC ID: $VPC_ID"
echo "export VPC_ID='$VPC_ID'" >> ~/.clickhouse-disconnect-env
Choose a network access method
Option A: Work from inside the VPC (recommended)
- Bastion host
- Temporary EC2 instance
- Cloud9 in the VPC
- VPN into the VPC
Examples:
# Bastion host connectivity check
curl -k $EKS_ENDPOINT
# Temporary EC2 instance in a public subnet of the cluster VPC (VPC_ID was set above)
PUBLIC_SUBNET=$(aws ec2 describe-subnets \
--filters "Name=vpc-id,Values=$VPC_ID" "Name=map-public-ip-on-launch,Values=true" \
--region $AWS_REGION \
--query 'Subnets[0].SubnetId' --output text)
# Cloud9 connectivity check
curl -k $EKS_ENDPOINT
Option B: Enable public endpoint access (only if required)
MY_IP=$(curl -s https://checkip.amazonaws.com)
# Remove publicAccessCidrs=... if you want to leave access open to the world
UPDATE_ID=$(aws eks update-cluster-config \
--name "$CLUSTER_NAME" \
--region "$AWS_REGION" \
--resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=true,publicAccessCidrs="${MY_IP}/32" \
--query 'update.id' --output text)
# Wait for the access to complete
aws eks wait update-complete \
--name "$CLUSTER_NAME" \
--region "$AWS_REGION" \
--update-id "$UPDATE_ID"
# Check connectivity
curl -k $EKS_ENDPOINT
Option C: SSH tunnel (advanced)
ssh -L 8443:$EKS_HOST:443 ec2-user@bastion-ip
Test network connectivity
timeout 5 bash -c "cat < /dev/null > /dev/tcp/${EKS_HOST}/443" && \
echo "✓ Can reach EKS endpoint" || \
echo "✗ Cannot reach EKS endpoint"
curl -k $EKS_ENDPOINT
Expected: Forbidden or Unauthorized (network works). Timeout means networking is blocked.
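Option B widens the API endpoint's exposure, so it is worth checking what the cluster ends up with after the work is done. The following is an added example, not part of the original runbook: it reads endpointPublicAccess and publicAccessCidrs from describe-cluster, classifies the exposure, and exits non-zero if the endpoint is open to 0.0.0.0/0. It assumes CLUSTER_NAME and AWS_REGION are already set (sourced from ~/.clickhouse-disconnect-env).

```shell
#!/usr/bin/env bash
# Added example (not from the original runbook): audit EKS API endpoint exposure.
# Assumes CLUSTER_NAME and AWS_REGION are exported, as in the steps above.

# classify_endpoint_exposure PUBLIC_ACCESS CIDR_LIST
#   PUBLIC_ACCESS: "True" or "False", as printed by `aws ... --output text`
#   CIDR_LIST:     comma-separated publicAccessCidrs
# Prints one of: private-only, public-open, public-restricted
classify_endpoint_exposure() {
  local public="$1" cidrs="$2" cidr old_ifs
  case "$(printf '%s' "$public" | tr '[:upper:]' '[:lower:]')" in
    true) ;;
    *) echo "private-only"; return 0 ;;
  esac
  # Split the CIDR list on commas; any world-open range decides the verdict.
  old_ifs="$IFS"
  IFS=','
  for cidr in $cidrs; do
    case "$cidr" in
      0.0.0.0/0|::/0) IFS="$old_ifs"; echo "public-open"; return 0 ;;
    esac
  done
  IFS="$old_ifs"
  echo "public-restricted"
}

# Fetch the live values from EKS and classify them (needs AWS credentials).
# Returns non-zero for a world-open endpoint, so it can gate the procedure.
audit_eks_endpoint() {
  local out public cidrs verdict
  out=$(aws eks describe-cluster --name "$CLUSTER_NAME" --region "$AWS_REGION" \
    --query 'cluster.resourcesVpcConfig.[endpointPublicAccess, join(`,`, publicAccessCidrs)]' \
    --output text) || return 2
  public=$(printf '%s' "$out" | cut -f1)
  cidrs=$(printf '%s' "$out" | cut -f2)
  verdict=$(classify_endpoint_exposure "$public" "$cidrs")
  echo "endpointPublicAccess=$public publicAccessCidrs=$cidrs -> $verdict"
  [ "$verdict" != "public-open" ]
}
```

Run audit_eks_endpoint once the disconnect work is finished; "public-restricted" with only your /32 is the expected state if you used Option B, and "private-only" if you restored the original configuration.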
Step 4: Configure kubectl access
After network access is confirmed, configure cluster access based on the authentication mode.
aws eks describe-cluster --name $CLUSTER_NAME --region $AWS_REGION \
--query 'cluster.accessConfig.authenticationMode' --output text
- CONFIG_MAP → use the aws-auth ConfigMap
- API or API_AND_CONFIG_MAP → use Access Entries
- API only → Access Entries required
If you are in CONFIG_MAP mode and lack kubectl access
Option A: Assume an existing cluster admin role
If the cluster is CONFIG_MAP only, aws eks list-access-entries will fail. Use IAM to search for likely admin roles instead (same approach as in 01-verify-aws-access.md).
Search for a role
# Search for roles with cluster name in them
aws iam list-roles --region $AWS_REGION \
| jq -r --arg CLUSTER "$CLUSTER_NAME" '.Roles[] | select(.RoleName | contains($CLUSTER)) | {RoleName, Arn}'
# Common Altinity BYOC role patterns to look for:
# - <environment>-<cluster-id>-eks-admin
# - altinity-<id>-eks-admin
# - <cluster-name>-admin
# Example search for Altinity patterns
aws iam list-roles --region $AWS_REGION \
| jq -r '.Roles[] | select(.RoleName | test(".*eks-admin|eks.*admin")) | {RoleName, Arn}'
# Ensure you're copying the ARN and NOT the RoleName
export EKS_ADMIN_ROLE_ARN="arn:aws:iam::123456789012:role/your-eks-admin"
aws eks update-kubeconfig --region $AWS_REGION --name $CLUSTER_NAME \
--role-arn $EKS_ADMIN_ROLE_ARN
kubectl get nodes
If assume-role is denied and you have IAM permissions, update the role trust policy to allow your IAM principal:
# Get your current IAM principal ARN
export IAM_ARN=$(aws sts get-caller-identity --query Arn --output text)
# If you are using AWS SSO, your caller identity is an assumed-role ARN.
# Convert it to the IAM role ARN for trust policies.
# Example input:
# arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_09dece98e690653b/user@example.com
# Example output:
# arn:aws:iam::123456789012:role/AWSReservedSSO_AdministratorAccess_09dece98e690653b
if echo "$IAM_ARN" | grep -q ':assumed-role/'; then
IAM_ARN=$(echo "$IAM_ARN" | sed 's|arn:aws:sts::|arn:aws:iam::|' | sed 's|:assumed-role/|:role/|' | cut -d'/' -f1-2)
fi
# Update the role trust policy to allow your principal to assume it
cat > /tmp/assume-role-policy.json <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": "${IAM_ARN}"},
"Action": "sts:AssumeRole"
}]
}
EOF
aws iam update-assume-role-policy \
--role-name $(basename $EKS_ADMIN_ROLE_ARN) \
--policy-document file:///tmp/assume-role-policy.json
# Try kubectl access again after the trust policy update
aws eks update-kubeconfig --region $AWS_REGION --name $CLUSTER_NAME \
--role-arn $EKS_ADMIN_ROLE_ARN
If you still get AccessDenied after updating the trust policy, you also need IAM permission to call sts:AssumeRole for that role (ask your AWS admin to grant it or use a role that already trusts your SSO role).
Option B: Use eksctl (if installed)
eksctl create iamidentitymapping \
--cluster $CLUSTER_NAME \
--region $AWS_REGION \
--arn $IAM_ARN \
--username admin \
--group system:masters \
--no-duplicate-arns
Option C: Use SSM on a node to edit aws-auth
aws ec2 describe-instances \
--filters "Name=tag:eks:cluster-name,Values=$CLUSTER_NAME" \
--query 'Reservations[*].Instances[*].[InstanceId,PrivateIpAddress]' \
--output table \
--region $AWS_REGION
Option D: Ask the cluster creator or Altinity Support
Contact Altinity support if you cannot access the cluster at all.
Confirm kubectl access
Test Basic Cluster Access
# Get cluster information
kubectl cluster-info
# Expected output:
# Kubernetes control plane is running at https://XXXXX.gr7.us-east-1.eks.amazonaws.com
# CoreDNS is running at https://XXXXX.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
# List cluster nodes
kubectl get nodes
# Expected output: List of worker nodes with STATUS "Ready"
# NAME STATUS ROLES AGE VERSION
# ip-10-0-1-123.ec2.internal Ready <none> 30d v1.28.5-eks-abc123
Verify Your Kubernetes Identity
# Check what identity Kubernetes sees you as
kubectl auth whoami
# Example output:
# ATTRIBUTE VALUE
# Username admin
# Groups [system:masters system:authenticated]
Verify Admin Permissions
# Check if you have full cluster admin permissions
kubectl auth can-i '*' '*' --all-namespaces
# MUST return: yes
# Test specific permissions
kubectl auth can-i create pods
kubectl auth can-i delete nodes
kubectl auth can-i get secrets --all-namespaces
# All should return: yes