Get Started Legacy cluster access configuration

Grant IAM users access to Kubernetes with EKS access entries

What is EKS access entries?

EKS access entries is the best way to grant users access to the Kubernetes API. For example, you can use access entries to grant developers access to use kubectl.

Fundamentally, an EKS access entry associates a set of Kubernetes permissions with an IAM identity, such as an IAM role. For example, a developer may assume an IAM role and use that to authenticate to an EKS Cluster.

You can attach Kubernetes permissions to access entries in two ways:

Use an access policy. Access policies are pre-defined Kubernetes permissions templates maintained by AWS. For more information, see Review access policy permissions.
Reference a Kubernetes group. If you associate an IAM Identity with a Kubernetes group, you can create Kubernetes resources that grant the group permissions. For more information, see Using RBAC Authorization in the Kubernetes documentation.

Advantages

Amazon EKS cluster access management enables you to control authentication and authorization for your Kubernetes clusters directly through Amazon EKS APIs. This feature simplifies access management by eliminating the need to switch between AWS and Kubernetes APIs when managing user permissions. Using access entries and access policies, you can define granular permissions for AWS IAM principals, including the ability to modify or revoke cluster-admin permissions from the cluster creator.

The feature integrates with infrastructure as code (IaC) tools like AWS CloudFormation, Terraform, and AWS CDK, allowing you to define access configurations during cluster creation. If misconfigurations occur, you can restore cluster access through the Amazon EKS API without requiring direct Kubernetes API access. This centralized approach reduces operational overhead and improves security by leveraging existing AWS IAM capabilities such as CloudTrail audit logging and multi-factor authentication.

Get Started

Determine the IAM Identity and Access policy you want to use.
- Review access policy permissions
Enable EKS Access Entries on your cluster. Confirm you have a supported platform version.
- Change authentication mode to use access entries
Create an access entry that associates an IAM Identity with Kubernetes permission.
- Create access entries
Authenticate to the cluster using the IAM identity.
- Set up AWS CLI
- Set up kubectl and eksctl

Legacy cluster access configuration

When you enable EKS access entries on clusters created before this feature was introduced (clusters with initial platform versions earlier than those specified in Platform Version Requirements), EKS automatically creates an access entry that reflects pre-existing permissions. This access entry shows:

The IAM identity that originally created the cluster
The administrative permissions granted to that identity during cluster creation

Note

Previously, this administrative access was granted automatically and couldn’t be modified. With EKS access entries enabled, you can now view and delete this legacy access configuration.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Kubernetes API access

Associate access policies