AWS and Network Access

Verifying your AWS and Network access before Deleting Anything

Before we take the next step, we’ll need to verify that you have access and permissions for your AWS environment and network.

Step 1: Verify AWS CLI

# Verify AWS CLI version
aws --version

# Required: v1.16.156+ or v2.0+
# Example output: aws-cli/2.13.0 Python/3.11.4 Linux/5.15.0 exe/x86_64.ubuntu.22

If the version is older than that, update the AWS CLI before continuing.

Step 2: Verify AWS identity and permissions

# Check your current AWS identity
aws sts get-caller-identity

Verify:

  • Account is your AWS account
  • Arn matches your user or role
  • UserId is present

Save your IAM ARN for later steps:

export IAM_ARN=$(aws sts get-caller-identity --query Arn --output text)
echo "export IAM_ARN='$IAM_ARN'" >> ~/.clickhouse-disconnect-env
echo "Your IAM ARN: $IAM_ARN"

Set your cluster details directly…

export CLUSTER_NAME="your-eks-cluster-name"
export AWS_REGION="us-east-1"
cat >> ~/.clickhouse-disconnect-env <<EOF
export CLUSTER_NAME='$CLUSTER_NAME'
export AWS_REGION='$AWS_REGION'
EOF

…or find the cluster by tags

# If you already know the region, just list the clusters there
aws eks list-clusters --region $AWS_REGION

# Otherwise search every region for the cluster carrying the Altinity environment tag
TAG_KEY="altinity:cloud/env"
TAG_VALUE="altinity-env-name"   # replace with your environment name

CLUSTER_NAME=""
REGION=""

for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  echo "Searching in region: $region" >&2
  for cluster in $(aws eks list-clusters --region $region --query 'clusters[]' --output text 2>/dev/null); do
    # A tag key containing ':' or '/' must be a quoted JMESPath identifier,
    # i.e. the query must reach the CLI as: cluster.tags."altinity:cloud/env"
    value=$(aws eks describe-cluster --region $region --name $cluster \
      --query "cluster.tags.\"${TAG_KEY}\"" --output text 2>/dev/null)
    if [ "$value" = "$TAG_VALUE" ]; then
      CLUSTER_NAME="$cluster"
      REGION="$region"
      break 2
    fi
  done
done

if [ -z "$CLUSTER_NAME" ]; then
  echo "No cluster found with tag ${TAG_KEY}=${TAG_VALUE}"
  exit 1
else
  echo "Found cluster: $CLUSTER_NAME in region: $REGION"
  # Persist the region the cluster was actually found in, not a stale AWS_REGION
  export CLUSTER_NAME AWS_REGION="$REGION"
  cat >> ~/.clickhouse-disconnect-env <<EOF
export CLUSTER_NAME='$CLUSTER_NAME'
export AWS_REGION='$AWS_REGION'
EOF
fi

Test EKS access

aws eks describe-cluster --name $CLUSTER_NAME --region $AWS_REGION

If you see AccessDenied, request at least:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListClusters",
        "eks:ListAccessEntries"
      ],
      "Resource": "*"
    }
  ]
}

Step 3: Verify network access to the EKS API

Most Altinity BYOC EKS clusters are private-only. kubectl will only work from inside the VPC or after enabling public access.

source ~/.clickhouse-disconnect-env

Check endpoint configuration

aws eks describe-cluster --name $CLUSTER_NAME --region $AWS_REGION \
    --query 'cluster.resourcesVpcConfig.{EndpointPublicAccess:endpointPublicAccess,EndpointPrivateAccess:endpointPrivateAccess}' \
    --output table

Get endpoint and VPC information

export EKS_ENDPOINT=$(aws eks describe-cluster --name $CLUSTER_NAME --region $AWS_REGION \
    --query 'cluster.endpoint' --output text)
echo "export EKS_ENDPOINT='$EKS_ENDPOINT'" >> ~/.clickhouse-disconnect-env
echo "EKS API Endpoint: $EKS_ENDPOINT"

export EKS_HOST=$(echo $EKS_ENDPOINT | sed 's|https://||')
echo "export EKS_HOST='$EKS_HOST'" >> ~/.clickhouse-disconnect-env
echo "EKS Hostname: $EKS_HOST"

export VPC_ID=$(aws eks describe-cluster --name $CLUSTER_NAME --region $AWS_REGION \
    --query 'cluster.resourcesVpcConfig.vpcId' --output text)
echo "VPC ID: $VPC_ID"
echo "export VPC_ID='$VPC_ID'" >> ~/.clickhouse-disconnect-env

Option A: Connect from inside the VPC

Choose one of:

  • Bastion host
  • Temporary EC2 instance in a public subnet of the cluster VPC
  • Cloud9 in the VPC
  • VPN into the VPC

Examples:

# Bastion host or Cloud9 connectivity check (run from inside the VPC)
curl -k $EKS_ENDPOINT

# Temporary EC2 instance: find a public subnet in the cluster VPC to launch it in.
# VPC_ID was saved to ~/.clickhouse-disconnect-env in the previous step.
PUBLIC_SUBNET=$(aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=$VPC_ID" "Name=map-public-ip-on-launch,Values=true" \
    --region $AWS_REGION \
    --query 'Subnets[0].SubnetId' --output text)
echo "Public subnet for the temporary instance: $PUBLIC_SUBNET"

Option B: Enable public endpoint access (only if required)

MY_IP=$(curl -s https://checkip.amazonaws.com)
# publicAccessCidrs restricts the public endpoint to your current IP; removing it
# leaves the API endpoint open to the whole internet (0.0.0.0/0)
UPDATE_ID=$(aws eks update-cluster-config \
  --name "$CLUSTER_NAME" \
  --region "$AWS_REGION" \
  --resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=true,publicAccessCidrs="${MY_IP}/32" \
  --query 'update.id' --output text)

# Wait for the cluster-config update to finish (it takes a few minutes)
aws eks wait update-complete \
  --name "$CLUSTER_NAME" \
  --region "$AWS_REGION" \
  --update-id "$UPDATE_ID"

# Check connectivity
curl -k $EKS_ENDPOINT

Option C: SSH tunnel (advanced)

# Forward local port 8443 to the EKS API through the bastion
ssh -L 8443:$EKS_HOST:443 ec2-user@bastion-ip
# kubectl must then target https://localhost:8443; pass --tls-server-name $EKS_HOST
# so the cluster certificate (issued for the EKS hostname, not localhost) still validates

Test network connectivity

timeout 5 bash -c "cat < /dev/null > /dev/tcp/${EKS_HOST}/443" && \
    echo "✓ Can reach EKS endpoint" || \
    echo "✗ Cannot reach EKS endpoint"

curl -k $EKS_ENDPOINT

Expected: an HTTP 401 Unauthorized or 403 Forbidden response means the network path works (the API answered; only authentication is missing). A timeout means networking is blocked.
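The probe and verdict above as one reusable check. This is an added example, not code from the original page: it assumes EKS_ENDPOINT is loaded from ~/.clickhouse-disconnect-env as in the earlier steps, and the function names (classify_probe, probe_eks_endpoint) are chosen here. The classifier is kept separate from the curl call so it can be exercised without network access.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): probe the EKS API endpoint and
# classify the outcome the way Step 3 describes. Assumes EKS_ENDPOINT comes from
# ~/.clickhouse-disconnect-env; function names are chosen here.

# Map a probe result to a verdict. Arguments:
#   $1 curl exit code (0 = got a response, 6 = DNS failure, 7 = refused, 28 = timeout)
#   $2 HTTP status returned by the API server ("000" when there was no response)
# The first word of the output is always "reachable:" or "blocked:".
classify_probe() {
  local curl_rc="$1" http_code="$2"
  case "$curl_rc" in
    0)
      case "$http_code" in
        401|403) echo "reachable: API answered $http_code, network path works, authentication still needed" ;;
        200)     echo "reachable: API answered 200 without credentials, check that this is really the EKS endpoint" ;;
        *)       echo "reachable: API answered HTTP $http_code" ;;
      esac ;;
    6)  echo "blocked: DNS lookup failed (private endpoint names only resolve inside the VPC)" ;;
    7)  echo "blocked: connection refused" ;;
    28) echo "blocked: timed out, no route to the endpoint from this host" ;;
    *)  echo "blocked: curl exit code $curl_rc" ;;
  esac
}

# Run one probe against the endpoint; returns 0 only if the API server answered.
probe_eks_endpoint() {
  local endpoint="${1:-$EKS_ENDPOINT}" http_code rc
  # -k: the cluster CA is not trusted yet and we only care whether the API answers
  http_code=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 5 "$endpoint")
  rc=$?
  classify_probe "$rc" "$http_code"
  [ "$rc" -eq 0 ]
}
```

Usage: `source ~/.clickhouse-disconnect-env && probe_eks_endpoint` from each host you intend to run kubectl on; a `blocked:` verdict from a host inside the VPC usually means a security-group or route problem rather than an authentication one.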

Step 4: Configure kubectl access

After network access is confirmed, configure cluster access based on the authentication mode.

aws eks describe-cluster --name $CLUSTER_NAME --region $AWS_REGION \
    --query 'cluster.accessConfig.authenticationMode' --output text

  • CONFIG_MAP → use the aws-auth ConfigMap
  • API or API_AND_CONFIG_MAP → use Access Entries
  • API only → Access Entries are required

If you are in CONFIG_MAP mode and lack kubectl access

Option A: Assume an existing cluster admin role

If the cluster is CONFIG_MAP only, aws eks list-access-entries will fail. Use IAM to search for likely admin roles instead (same approach as in 01-verify-aws-access.md).

Search for a role

# Search for roles with cluster name in them
aws iam list-roles --region $AWS_REGION \
  | jq -r --arg CLUSTER "$CLUSTER_NAME" '.Roles[] | select(.RoleName | contains($CLUSTER)) | {RoleName, Arn}'

# Common Altinity BYOC role patterns to look for:
# - <environment>-<cluster-id>-eks-admin
# - altinity-<id>-eks-admin
# - <cluster-name>-admin

# Example search for Altinity patterns
aws iam list-roles --region $AWS_REGION \
  | jq -r '.Roles[] | select(.RoleName | test(".*eks-admin|eks.*admin")) | {RoleName, Arn}'
# Ensure you're copying the ARN and NOT the RoleName
export EKS_ADMIN_ROLE_ARN="arn:aws:iam::123456789012:role/your-eks-admin"

aws eks update-kubeconfig --region $AWS_REGION --name $CLUSTER_NAME \
  --role-arn $EKS_ADMIN_ROLE_ARN
kubectl get nodes

If assume-role is denied and you have IAM permissions, update the role trust policy to allow your IAM principal:

# Get your current IAM principal ARN
export IAM_ARN=$(aws sts get-caller-identity --query Arn --output text)

# If you are using AWS SSO, your caller identity is an assumed-role ARN.
# Convert it to the IAM role ARN for trust policies.
# Example input:
#   arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_09dece98e690653b/user@example.com
# Example output:
#   arn:aws:iam::123456789012:role/AWSReservedSSO_AdministratorAccess_09dece98e690653b
if echo "$IAM_ARN" | grep -q ':assumed-role/'; then
  IAM_ARN=$(echo "$IAM_ARN" | sed 's|arn:aws:sts::|arn:aws:iam::|' | sed 's|:assumed-role/|:role/|' | cut -d'/' -f1-2)
fi

# Update the role trust policy to allow your principal to assume it
cat > /tmp/assume-role-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "${IAM_ARN}"},
    "Action": "sts:AssumeRole"
  }]
}
EOF

aws iam update-assume-role-policy \
  --role-name $(basename $EKS_ADMIN_ROLE_ARN) \
  --policy-document file:///tmp/assume-role-policy.json

# Try kubectl access again after the trust policy update
aws eks update-kubeconfig --region $AWS_REGION --name $CLUSTER_NAME \
  --role-arn $EKS_ADMIN_ROLE_ARN
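The SSO-to-IAM ARN conversion and the trust policy from the step above, as an added example that is not the page's own code. It generalizes the page's `sed | cut` pipeline: assumed-role session ARNs are mapped to the underlying role ARN, plain IAM user and role ARNs pass through unchanged, and anything else is rejected before it can end up in a trust policy. The function names (principal_role_arn, render_trust_policy, write_trust_policy_for_caller) are chosen here; the first two are pure and need no AWS credentials.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): normalise the caller identity to
# the IAM principal ARN a role trust policy needs, then render that policy.

# Turn the ARN from `aws sts get-caller-identity` into a trust-policy principal:
#   assumed-role session -> underlying IAM role ARN (session name dropped)
#   IAM user / IAM role  -> returned unchanged
#   anything else        -> non-zero exit, nothing printed
principal_role_arn() {
  local arn="$1"
  case "$arn" in
    arn:aws:sts::*:assumed-role/*/*)
      local rest="${arn#arn:aws:sts::}"       # 123456789012:assumed-role/ROLE/SESSION
      local account="${rest%%:*}"              # 123456789012
      local path="${rest#*:assumed-role/}"     # ROLE/SESSION
      local role="${path%%/*}"                 # ROLE
      printf 'arn:aws:iam::%s:role/%s\n' "$account" "$role"
      ;;
    arn:aws:iam::*:user/*|arn:aws:iam::*:role/*)
      printf '%s\n' "$arn"
      ;;
    *)
      echo "unsupported principal ARN: $arn" >&2
      return 1
      ;;
  esac
}

# Render the trust policy for exactly one principal and only sts:AssumeRole.
render_trust_policy() {
  local principal="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "${principal}"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Live glue (needs AWS credentials): derive the principal from the current
# caller and write the file that `aws iam update-assume-role-policy` consumes.
write_trust_policy_for_caller() {
  local out="${1:-/tmp/assume-role-policy.json}" caller principal
  caller=$(aws sts get-caller-identity --query Arn --output text) || return 1
  principal=$(principal_role_arn "$caller") || return 1
  render_trust_policy "$principal" > "$out"
  echo "wrote $out for principal $principal"
}
```

Keep in mind that `aws iam update-assume-role-policy` replaces the whole trust document, so any principal the role trusted before is dropped unless you add it to the rendered policy as well.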

If you still get AccessDenied after updating the trust policy, you also need IAM permission to call sts:AssumeRole for that role (ask your AWS admin to grant it or use a role that already trusts your SSO role).

Option B: Use eksctl (if installed)

eksctl create iamidentitymapping \
  --cluster $CLUSTER_NAME \
  --region $AWS_REGION \
  --arn $IAM_ARN \
  --username admin \
  --group system:masters \
  --no-duplicate-arns

Option C: Use SSM on a node to edit aws-auth

aws ec2 describe-instances \
  --filters "Name=tag:eks:cluster-name,Values=$CLUSTER_NAME" \
  --query 'Reservations[*].Instances[*].[InstanceId,PrivateIpAddress]' \
  --output table \
  --region $AWS_REGION

Option D: Ask the cluster creator or Altinity Support

Contact Altinity support if you cannot access the cluster at all.

Confirm kubectl access

Test Basic Cluster Access

# Get cluster information
kubectl cluster-info

# Expected output:
# Kubernetes control plane is running at https://XXXXX.gr7.us-east-1.eks.amazonaws.com
# CoreDNS is running at https://XXXXX.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

# List cluster nodes
kubectl get nodes

# Expected output: List of worker nodes with STATUS "Ready"
# NAME                          STATUS   ROLES    AGE   VERSION
# ip-10-0-1-123.ec2.internal    Ready    <none>   30d   v1.28.5-eks-abc123

Verify Your Kubernetes Identity

# Check what identity Kubernetes sees you as
kubectl auth whoami

# Example output:
# ATTRIBUTE   VALUE
# Username    admin
# Groups      [system:masters system:authenticated]

Verify Admin Permissions

# Check if you have full cluster admin permissions
kubectl auth can-i '*' '*' --all-namespaces

# MUST return: yes

# Test specific permissions
kubectl auth can-i create pods
kubectl auth can-i delete nodes
kubectl auth can-i get secrets --all-namespaces

# All should return: yes
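The permission checks above as a single pass/fail gate, added here as an example rather than taken from the page: it runs every `kubectl auth can-i` check from this step and refuses to report success unless each one answers "yes". The function names (report_failed_checks, verify_cluster_admin) are chosen here; report_failed_checks is pure and takes "check: answer" lines, so it can be exercised without a cluster, while verify_cluster_admin needs a working kubeconfig.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): run the kubectl permission checks
# from Step 4 as one gate that fails if any single check is not "yes".

# The checks from the page, one "verb resource [flags]" tuple per line.
ADMIN_CHECKS="
'*' '*' --all-namespaces
create pods
delete nodes
get secrets --all-namespaces
"

# Pure helper: read lines of "<check>: <answer>" on stdin, print every check
# that did not answer yes, and return 1 if there was at least one.
report_failed_checks() {
  local failed=0 line answer
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    answer="${line##*: }"
    if [ "$answer" != "yes" ]; then
      echo "MISSING: ${line%: *} (got '$answer')"
      failed=1
    fi
  done
  return $failed
}

# Live gate: ask kubectl every check and feed the answers to the helper.
verify_cluster_admin() {
  local results
  results=$(printf '%s\n' "$ADMIN_CHECKS" | while IFS= read -r check; do
    [ -z "$check" ] && continue
    # kubectl prints "yes" or "no" and exits non-zero on "no"; only the text matters here.
    answer=$(eval kubectl auth can-i $check 2>/dev/null || true)
    echo "$check: ${answer:-no}"
  done)
  echo "$results"
  printf '%s\n' "$results" | report_failed_checks && echo "OK: full cluster admin confirmed"
}
```

Run `verify_cluster_admin` right before the first destructive step; a non-zero exit with one or more MISSING lines tells you exactly which permission the mapped identity lacks.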

👉 Next: Replacing Edge-Proxy