Grant temporary access to Imply Lumi Enterprise through Teleport
Teleport is a certificate authority and identity-aware access proxy that supports protocols such as SSH, HTTPS, and the Kubernetes API. It provides secure access to Kubernetes environments and handles both authentication and authorization.
During a support session, an Imply support engineer may need temporary access to your Amazon Elastic Kubernetes Service (EKS) cluster that hosts Imply Lumi Enterprise to troubleshoot an issue or verify the health of your deployment. You can use Teleport to grant secure short-lived access to the EKS cluster while maintaining full control throughout the process.
This topic explains how to grant temporary access to your Lumi Enterprise EKS cluster through Teleport during a support session.
Prerequisites
Before your support session, make sure you have the following tools installed and configured:
- kubectl
- AWS CLI, configured with an IAM principal (role or user) that has the EKS permissions listed under Required permissions and cluster-admin access inside the EKS cluster where Lumi Enterprise is deployed.
Required permissions
To deploy a temporary Teleport agent, you need an IAM principal that is allowed to call the following Amazon EKS API actions and that maps to cluster-admin inside the cluster (see Troubleshoot EKS cluster access if it does not):
- DescribeCluster to update kubeconfig
- ListAccessEntries to view existing access entries
- CreateAccessEntry to add an access entry for your IAM principal
- AssociateAccessPolicy to grant cluster permissions to that access entry
For more information, see the Amazon EKS Actions API reference.
The following example shows a minimal IAM policy that grants these permissions. For brevity, Resource is "*"; you can restrict it to the ARNs of your cluster and its access entries.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListAccessEntries",
        "eks:CreateAccessEntry",
        "eks:AssociateAccessPolicy"
      ],
      "Resource": "*"
    }
  ]
}
Connect to the EKS cluster
You use the kubectl command-line tool to communicate with your EKS cluster through the Kubernetes API.
kubectl uses kubeconfig files to connect to the API server.
For more information, see Access cluster with kubectl.
To create or update a kubeconfig file for your cluster, run the following command.
Replace REGION_CODE and CLUSTER_NAME with your own values.
aws eks update-kubeconfig --region REGION_CODE --name CLUSTER_NAME
Once configured, you can use kubectl to deploy a Teleport agent inside the EKS cluster.
If kubectl returns authorization errors (for example, Error from server (Forbidden)), see Troubleshoot EKS cluster access. We recommend that you resolve any missing permissions before the support session to avoid delays.
Grant access through Teleport
You grant an Imply support engineer secure, time-limited access to your EKS cluster through a temporary Teleport agent.
The process works as follows:
- An Imply support engineer generates a short-lived Teleport join token and a corresponding Teleport agent manifest for your environment. Both are valid for one hour.
- The engineer uploads the manifest to an Amazon S3 bucket and generates a pre-signed URL.
- The engineer shares the URL and a kubectl apply command with you.
- You download the manifest, review the resources it creates, and apply it to your EKS cluster. This deploys the Teleport agent.
  Example commands. Download to an explicit file name with -o: with curl -O, the query string of the pre-signed URL would become part of the local file name, and the kubectl apply command would not find the file.
  curl -fsSL -o teleport-agent-manifest.yaml "https://imply-teleport-manifests.s3.amazonaws.com/lumi-ent/teleport-agent-manifest.yaml?AWSAccessKeyId=REDACTED&Signature=REDACTED&x-amz-security-token=REDACTED"
  kubectl apply -f teleport-agent-manifest.yaml
- The engineer can now securely access your EKS cluster through Teleport.
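Before a manifest from outside your organization is applied, you will want to see what it creates. The following shell script is an example added here; it is not Imply's or Teleport's tooling, and the sample manifest it reviews is constructed for the demonstration rather than the manifest Imply ships. It downloads to an explicit file name, summarizes the resources in the manifest with awk (no kubectl or yq needed), and refuses to apply a manifest that binds the cluster-admin ClusterRole unless you opt in. The function names and the ALLOW_CLUSTER_ADMIN variable are this example's own.

```shell
#!/bin/sh
# Pre-apply review of a Teleport agent manifest (added example, not Imply's or
# Teleport's own tooling). Lists what the manifest would create and flags a
# binding to the cluster-admin ClusterRole before anything reaches the API server.

# Download a pre-signed manifest URL to an explicit file name. With `curl -O`
# the query string of a pre-signed URL becomes part of the local file name,
# which is why -o is used here.
fetch_manifest() {
  url=$1; out=$2
  curl -fsSL -o "$out" "$url"
}

# Print one line per YAML document: Kind/name, plus (namespace) when set.
# Only top-level metadata is read, so names inside subjects/roleRef/templates
# are ignored.
manifest_summary() {
  awk '
    function emit() {
      if (kind != "") {
        line = kind "/" name
        if (ns != "") line = line " (" ns ")"
        print line
      }
      kind = ""; name = ""; ns = ""
    }
    /^---/                    { emit(); next }
    /^[A-Za-z]/               { inmeta = ($0 ~ /^metadata:/) }  # new top-level key
    /^kind:/                  { kind = $2 }
    inmeta && /^  name:/      { name = $2 }
    inmeta && /^  namespace:/ { ns = $2 }
    END                       { emit() }
  ' "$1"
}

# Exit 0 if any roleRef in the manifest points at the cluster-admin ClusterRole.
manifest_binds_cluster_admin() {
  grep -qE '^[[:space:]]*name:[[:space:]]*cluster-admin[[:space:]]*$' "$1"
}

# Summarize, require explicit consent for cluster-admin, then apply.
review_and_apply() {
  file=$1
  echo "Resources in $file:"
  manifest_summary "$file" | sed 's/^/  /'
  if manifest_binds_cluster_admin "$file" && [ "${ALLOW_CLUSTER_ADMIN:-0}" != 1 ]; then
    echo "refusing: manifest binds cluster-admin; rerun with ALLOW_CLUSTER_ADMIN=1 to accept" >&2
    return 1
  fi
  kubectl apply -f "$file"
}

# Constructed sample manifest for demonstration; it is NOT the manifest Imply ships.
SAMPLE_MANIFEST=$(mktemp)
cat > "$SAMPLE_MANIFEST" <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: teleport-agent
---
apiVersion: v1
kind: Secret
metadata:
  name: teleport-join-token
  namespace: teleport-agent
type: Opaque
stringData:
  token: REDACTED
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: teleport-agent
subjects:
- kind: ServiceAccount
  name: teleport-agent
  namespace: teleport-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: teleport-agent
  namespace: teleport-agent
spec:
  replicas: 1
  selector:
    matchLabels:
      app: teleport-agent
  template:
    metadata:
      labels:
        app: teleport-agent
    spec:
      serviceAccountName: teleport-agent
      containers:
      - name: teleport
        image: public.ecr.aws/gravitational/teleport-distroless:REDACTED
EOF

# Review-only run against the constructed sample (no kubectl needed).
manifest_summary "$SAMPLE_MANIFEST"
if manifest_binds_cluster_admin "$SAMPLE_MANIFEST"; then
  echo "note: manifest binds cluster-admin"
fi
```

Against a real session you would run fetch_manifest with the pre-signed URL, then review_and_apply on the downloaded file; the refusal is deliberate, because a Teleport agent that can impersonate cluster-admin is exactly the access you are granting, and you should confirm that is what the manifest does before it reaches the API server.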
Revoke access
You can revoke access at any time by deleting the Teleport agent from your EKS cluster.
Replace MANIFEST with your manifest file name.
kubectl delete -f MANIFEST.yaml
This removes all Teleport agent resources from your EKS cluster.
Audit logs
Teleport records a complete audit log of all commands executed during the session. Imply can provide you with a secure link to retrieve these logs upon request.
Troubleshoot EKS cluster access
If you run into permissions errors when trying to deploy the Teleport agent, your IAM role may not have sufficient permissions. This section explains how to troubleshoot and resolve those issues.
Verify your access level
To verify that your IAM principal has administrative privileges in the EKS cluster:
kubectl auth can-i '*' '*' --all-namespaces
- If the output is yes, you have full administrative access.
- If the output is no, you don't have the required permissions. To correct this issue, see Resolve missing access.
Resolve missing access
If your IAM principal doesn't have administrative permissions in the cluster, create an EKS access entry for it and associate the AmazonEKSClusterAdminPolicy access policy with that entry. An access entry maps one IAM principal into the cluster; the associated access policy decides what that principal may do.
For more information, see Access entries in Amazon EKS.
In the following commands, replace all placeholders with your own values.
To view the access entries that already exist for the EKS cluster:
aws eks list-access-entries --cluster-name CLUSTER_NAME
To create an access entry for your IAM principal (skip this step if its ARN is already listed):
aws eks create-access-entry \
  --cluster-name CLUSTER_NAME \
  --principal-arn arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME \
  --type STANDARD
To grant that principal cluster-admin permissions, associate the cluster-admin access policy with its access entry:
aws eks associate-access-policy \
  --cluster-name CLUSTER_NAME \
  --principal-arn arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME \
  --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \
  --access-scope type=cluster
- If you sign in through AWS IAM Identity Center (formerly AWS SSO), the principal kubectl uses is the permission-set role you assume (its name starts with AWSReservedSSO_), not your user; use that role's ARN.
- If you don't have permissions to create access entries or associate access policies, ask your cluster administrator to run the commands for you.
After updating your access entry, verify your access:
kubectl auth can-i '*' '*' --all-namespaces
If successful, kubectl returns yes.
Learn more
See the following topics for more information:
- Glossary for definitions of Lumi terms.
- Lumi Management Console for an overview of the Lumi Management Console application.