Associate access policies with access entries
You can associate one or more access policies with access entries of type `STANDARD`. Amazon EKS automatically grants the other types of access entries the permissions required to function properly in your cluster. Amazon EKS access policies include Kubernetes permissions, not IAM permissions. Before associating an access policy with an access entry, make sure that you're familiar with the Kubernetes permissions included in each access policy. For more information, see Access policy permissions. If none of the access policies meet your requirements, don't associate an access policy with the access entry. Instead, specify one or more group names for the access entry and create and manage Kubernetes role-based access control (RBAC) objects yourself. For more information, see Create access entries.
Prerequisites
- An existing access entry. To create one, see Create access entries.
- An AWS Identity and Access Management (IAM) role or user with the following permissions: `ListAccessEntries`, `DescribeAccessEntry`, `UpdateAccessEntry`, `ListAccessPolicies`, `AssociateAccessPolicy`, and `DisassociateAccessPolicy`. For more information, see Actions defined by Amazon Elastic Kubernetes Service in the Service Authorization Reference.
Before associating access policies with access entries, consider the following requirements:
- You can associate multiple access policies with each access entry, but you can associate a given policy with an access entry only once. If you associate multiple access policies, the access entry's IAM principal has the union of the permissions in all associated access policies.
- You can scope an access policy to all resources on a cluster or to one or more Kubernetes namespaces that you name. You can use wildcard characters in a namespace name. For example, to scope an access policy to all namespaces that start with `dev-`, specify `dev-*` as a namespace name. Make sure that the namespaces exist on your cluster and that your spelling matches the actual namespace names on the cluster. Amazon EKS doesn't confirm the spelling or existence of the namespaces, so a misspelled or nonexistent namespace is accepted but grants nothing.
- You can change the access scope for an access policy after you associate it with an access entry. If you've scoped the access policy to Kubernetes namespaces, you can add and remove namespaces for the association as necessary.
- If you associate an access policy with an access entry that also has group names specified, the IAM principal has all the permissions in all associated access policies. It also has all the permissions in any Kubernetes `Role` or `ClusterRole` object that is referenced by any Kubernetes `RoleBinding` or `ClusterRoleBinding` object that names those groups. The two sources of permissions are additive; neither one restricts the other.
- If you run the `kubectl auth can-i --list` command, you won't see any Kubernetes permissions assigned by access policies associated with the access entry for the IAM principal you're using when you run the command. The command only shows Kubernetes permissions that you've granted in Kubernetes `Role` or `ClusterRole` objects bound to the group names or username that you specified for the access entry. To confirm that an access policy is in effect, make an actual request for a resource that the policy covers rather than relying on `--list`.
- If you impersonate a Kubernetes user or group when interacting with Kubernetes objects on your cluster, such as by using the `kubectl` command with `--as username` or `--as-group group-name`, you force the use of Kubernetes RBAC authorization. As a result, the IAM principal has no permissions assigned by any access policies associated with the access entry. The only Kubernetes permissions that the impersonated user or group has are those you've granted in Kubernetes `Role` or `ClusterRole` objects bound to the group names or username. For your IAM principal to have the permissions in associated access policies, don't impersonate a Kubernetes user or group. The IAM principal still also has any permissions that you've granted in the Kubernetes `Role` or `ClusterRole` objects bound to the group names or username that you specified for the access entry. For more information, see User impersonation in the Kubernetes documentation.
You can associate an access policy with an access entry using the AWS Management Console or the AWS CLI.
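The following script is added here as a worked example; it is not taken from the Amazon EKS user guide or from any AWS tooling. It walks through the association procedure with the AWS CLI and builds in the two checks that the requirements above call for: it refuses to apply a namespace scope that matches no existing namespace (because Amazon EKS does not validate namespace names), and it verifies the grant by making a real request, not with `kubectl auth can-i --list` or with impersonation. It assumes that the AWS CLI and `kubectl` are installed and authenticated, that shell glob matching is an adequate approximation of the EKS wildcard semantics for names like `dev-*`, and it uses a constructed namespace list for the stand-alone demonstration.

```shell
#!/bin/sh
# Added example (not part of the Amazon EKS user guide). Associates an access
# policy with an existing STANDARD access entry via the AWS CLI, with a
# pre-flight check for the namespace-scope caveat and a verification step that
# does not rely on kubectl auth can-i --list. Assumes the AWS CLI and kubectl
# are installed and authenticated; cluster name, principal ARN, policy name and
# namespaces are supplied as arguments.
set -eu

# Map a short policy name to its ARN. Only the five ARNs documented on this
# page are accepted, so a typo cannot silently turn into a different grant.
policy_arn() {
  case "$1" in
    AmazonEKSAdminPolicy|AmazonEKSClusterAdminPolicy|AmazonEKSAdminViewPolicy|AmazonEKSEditPolicy|AmazonEKSViewPolicy)
      printf 'arn:aws:eks::aws:cluster-access-policy/%s\n' "$1" ;;
    *)
      printf 'unknown access policy: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Pre-flight for namespace scopes. EKS does not check that the namespaces you
# name exist, and a wildcard such as dev-* matches nothing if misspelled.
# $1: comma-separated namespace names/patterns (the same form the CLI takes).
# $2: newline-separated names of namespaces that actually exist.
# Prints each pattern that matches no existing namespace. Shell glob matching
# is used here as an assumed approximation of the EKS wildcard semantics.
unmatched_patterns() {
  patterns=$1; existing=$2
  old_ifs=$IFS; IFS=,; set -f        # split on commas without globbing
  set -- $patterns
  IFS=$old_ifs; set +f
  for pat in "$@"; do
    hit=0
    while IFS= read -r ns; do
      [ -z "$ns" ] && continue
      case "$ns" in
        $pat) hit=1; break ;;
      esac
    done <<EOF
$existing
EOF
    [ "$hit" -eq 0 ] && printf '%s\n' "$pat"
  done
  return 0
}

# associate_and_verify CLUSTER PRINCIPAL_ARN POLICY_NAME [NAMESPACES]
# With no NAMESPACES the scope is the whole cluster.
associate_and_verify() {
  cluster=$1; principal=$2; policy=$3; namespaces=${4:-}
  arn=$(policy_arn "$policy")
  if [ -n "$namespaces" ]; then
    existing=$(kubectl get namespaces -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n')
    bad=$(unmatched_patterns "$namespaces" "$existing")
    if [ -n "$bad" ]; then
      printf 'refusing to associate; these scopes match no namespace:\n%s\n' "$bad" >&2
      return 1
    fi
    scope="type=namespace,namespaces=$namespaces"
  else
    scope="type=cluster"
  fi
  aws eks associate-access-policy --cluster-name "$cluster" \
    --principal-arn "$principal" --policy-arn "$arn" --access-scope "$scope"
  # Confirm what EKS recorded, including the scope.
  aws eks list-associated-access-policies --cluster-name "$cluster" \
    --principal-arn "$principal" \
    --query 'associatedAccessPolicies[].[policyArn,accessScope.type,accessScope.namespaces]' \
    --output table
  # Exercise a real request as the granted principal (assume the role first if
  # your kubeconfig uses another identity). Do not add --as/--as-group: that
  # switches to pure RBAC and the access policy no longer applies.
  old_ifs=$IFS; IFS=,; set -f; set -- $namespaces; IFS=$old_ifs; set +f
  for ns in "$@"; do
    case "$ns" in *\**) continue ;; esac   # wildcard scope: test a concrete namespace instead
    if kubectl get pods -n "$ns" --request-timeout=10s >/dev/null; then
      echo "ok: get pods in $ns"
    else
      echo "FAILED: get pods in $ns (policy not effective, or wrong identity)" >&2
    fi
  done
}

# Stand-alone demonstration of the pre-flight check against a constructed
# namespace list (not read from any cluster): qa-* would be accepted by EKS
# but would grant nothing.
demo_preflight() {
  unmatched_patterns 'dev-*,prod,qa-*' 'default
dev-1
dev-2
prod'
}

if [ "$#" -ge 3 ]; then
  associate_and_verify "$@"
else
  echo 'scopes that match no namespace in the constructed sample:'
  demo_preflight
fi
```

Run it as `sh associate.sh my-cluster arn:aws:iam::111122223333:role/my-role AmazonEKSViewPolicy dev-*,prod` (quote the wildcard if your shell would expand it); with no arguments it only runs the pre-flight demonstration. To remove the association later, use `aws eks disassociate-access-policy` with the same cluster name, principal ARN and policy ARN.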
Access policy permissions
Access policies include rules that contain Kubernetes verbs (permissions) and resources. Access policies don't include IAM permissions or resources. Like Kubernetes `Role` and `ClusterRole` objects, access policies only include allow rules; there are no deny rules, so associating an additional policy can only widen what a principal can do. You can't modify the contents of an access policy, and you can't create your own access policies. If the permissions in the access policies don't meet your needs, create Kubernetes RBAC objects and specify group names for your access entries. For more information, see Create access entries. The permissions contained in access policies are similar to the permissions in the Kubernetes user-facing cluster roles. For more information, see User-facing roles in the Kubernetes documentation.
The following sections list the contents of each access policy. Each row of each table is a separate rule. An empty API group cell denotes the core (legacy) API group.
AmazonEKSAdminPolicy
This access policy includes permissions that grant an IAM principal most permissions to resources. When associated with an access entry, its access scope is typically one or more Kubernetes namespaces. If you want an IAM principal to have administrator access to all resources on your cluster, associate the AmazonEKSClusterAdminPolicy access policy with your access entry instead. Note that, like the Kubernetes admin role, this policy includes full management of `roles` and `rolebindings` in its scope, so a principal holding it can create RoleBindings for other subjects in those namespaces, and it includes `get` on `secrets`, `create` on `pods/exec`, and `impersonate` on `serviceaccounts`.
ARN – `arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy`
| Kubernetes API groups | Kubernetes resources | Kubernetes verbs (permissions) |
|---|---|---|
| apps | daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale | create, delete, deletecollection, patch, update |
| apps | controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status | get, list, watch |
| authorization.k8s.io | localsubjectaccessreviews | create |
| autoscaling | horizontalpodautoscalers | create, delete, deletecollection, patch, update |
| autoscaling | horizontalpodautoscalers, horizontalpodautoscalers/status | get, list, watch |
| batch | cronjobs, jobs | create, delete, deletecollection, patch, update |
| batch | cronjobs, cronjobs/status, jobs, jobs/status | get, list, watch |
| discovery.k8s.io | endpointslices | get, list, watch |
| extensions | daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale | create, delete, deletecollection, patch, update |
| extensions | daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale | get, list, watch |
| networking.k8s.io | ingresses, ingresses/status, networkpolicies | get, list, watch |
| networking.k8s.io | ingresses, networkpolicies | create, delete, deletecollection, patch, update |
| policy | poddisruptionbudgets | create, delete, deletecollection, patch, update |
| policy | poddisruptionbudgets, poddisruptionbudgets/status | get, list, watch |
| rbac.authorization.k8s.io | rolebindings, roles | create, delete, deletecollection, get, list, patch, update, watch |
| | configmaps, endpoints, persistentvolumeclaims, persistentvolumeclaims/status, pods, replicationcontrollers, replicationcontrollers/scale, serviceaccounts, services, services/status | get, list, watch |
| | pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy | get, list, watch |
| | configmaps, events, persistentvolumeclaims, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy | create, delete, deletecollection, patch, update |
| | pods, pods/attach, pods/exec, pods/portforward, pods/proxy | create, delete, deletecollection, patch, update |
| | serviceaccounts | impersonate |
| | bindings, events, limitranges, namespaces/status, pods/log, pods/status, replicationcontrollers/status, resourcequotas, resourcequotas/status | get, list, watch |
| | namespaces | get, list, watch |
AmazonEKSClusterAdminPolicy
This access policy includes permissions that grant an IAM principal administrator access to a cluster. When associated with an access entry, its access scope is typically the cluster rather than a Kubernetes namespace. If you want an IAM principal to have a more limited administrative scope, consider associating the AmazonEKSAdminPolicy access policy with your access entry instead. Because it allows every verb on every resource and every non-resource URL, treat it as equivalent to the Kubernetes cluster-admin ClusterRole and reserve it for platform-administrator or break-glass principals.
ARN – `arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy`
| Kubernetes API groups | Kubernetes nonResourceURLs | Kubernetes resources | Kubernetes verbs (permissions) |
|---|---|---|---|
| * | | * | * |
| | * | | * |
AmazonEKSAdminViewPolicy
This access policy includes permissions that grant an IAM principal access to list and view all resources in a cluster. Note that this includes Kubernetes Secrets, so a principal holding it can read every credential stored in Secrets within its scope; prefer AmazonEKSViewPolicy when that is not required.
ARN – `arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminViewPolicy`
| Kubernetes API groups | Kubernetes resources | Kubernetes verbs (permissions) |
|---|---|---|
| * | * | |
AmazonEKSEditPolicy
This access policy includes permissions that allow an IAM principal to edit most Kubernetes resources. Like the Kubernetes edit role, it is broader than its name suggests: it includes `get`, `list`, and `watch` on `secrets`, `create` on `pods`, `pods/exec`, `pods/attach`, and `pods/portforward`, and `impersonate` on `serviceaccounts`, so a principal holding it within a namespace can read that namespace's Secrets and run commands in its pods. It does not cover `roles` or `rolebindings`, so unlike AmazonEKSAdminPolicy it cannot grant access to other subjects.
ARN – `arn:aws:eks::aws:cluster-access-policy/AmazonEKSEditPolicy`
| Kubernetes API groups | Kubernetes resources | Kubernetes verbs (permissions) |
|---|---|---|
| apps | daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale | create, delete, deletecollection, patch, update |
| apps | controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status | get, list, watch |
| autoscaling | horizontalpodautoscalers, horizontalpodautoscalers/status | get, list, watch |
| autoscaling | horizontalpodautoscalers | create, delete, deletecollection, patch, update |
| batch | cronjobs, jobs | create, delete, deletecollection, patch, update |
| batch | cronjobs, cronjobs/status, jobs, jobs/status | get, list, watch |
| discovery.k8s.io | endpointslices | get, list, watch |
| extensions | daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale | create, delete, deletecollection, patch, update |
| extensions | daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale | get, list, watch |
| networking.k8s.io | ingresses, networkpolicies | create, delete, deletecollection, patch, update |
| networking.k8s.io | ingresses, ingresses/status, networkpolicies | get, list, watch |
| policy | poddisruptionbudgets | create, delete, deletecollection, patch, update |
| policy | poddisruptionbudgets, poddisruptionbudgets/status | get, list, watch |
| | namespaces | get, list, watch |
| | pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy | get, list, watch |
| | serviceaccounts | impersonate |
| | pods, pods/attach, pods/exec, pods/portforward, pods/proxy | create, delete, deletecollection, patch, update |
| | configmaps, events, persistentvolumeclaims, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy | create, delete, deletecollection, patch, update |
| | configmaps, endpoints, persistentvolumeclaims, persistentvolumeclaims/status, pods, replicationcontrollers, replicationcontrollers/scale, serviceaccounts, services, services/status | get, list, watch |
| | bindings, events, limitranges, namespaces/status, pods/log, pods/status, replicationcontrollers/status, resourcequotas, resourcequotas/status | get, list, watch |
AmazonEKSViewPolicy
This access policy includes permissions that allow an IAM principal to view most Kubernetes resources. It omits `secrets`, `pods/exec`, `pods/attach`, `pods/portforward`, `pods/proxy`, and `services/proxy`, which makes it the appropriate choice for read-only auditing or monitoring principals; if a viewer genuinely needs to read Secrets, use AmazonEKSAdminViewPolicy instead.
ARN – `arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy`
| Kubernetes API groups | Kubernetes resources | Kubernetes verbs (permissions) |
|---|---|---|
| apps | controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status | get, list, watch |
| autoscaling | horizontalpodautoscalers, horizontalpodautoscalers/status | get, list, watch |
| batch | cronjobs, cronjobs/status, jobs, jobs/status | get, list, watch |
| discovery.k8s.io | endpointslices | get, list, watch |
| extensions | daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale | get, list, watch |
| networking.k8s.io | ingresses, ingresses/status, networkpolicies | get, list, watch |
| policy | poddisruptionbudgets, poddisruptionbudgets/status | get, list, watch |
| | configmaps, endpoints, persistentvolumeclaims, persistentvolumeclaims/status, pods, replicationcontrollers, replicationcontrollers/scale, serviceaccounts, services, services/status | get, list, watch |
| | bindings, events, limitranges, namespaces/status, pods/log, pods/status, replicationcontrollers/status, resourcequotas, resourcequotas/status | get, list, watch |
| | namespaces | get, list, watch |
Access policy updates
View details about updates to access policies since they were introduced. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon EKS Document history page.

| Change | Description | Date |
|---|---|---|
| Add AmazonEKSAdminViewPolicy | Add a new policy for expanded view access, including resources like Secrets. | April 23, 2024 |
| Access policies introduced | Amazon EKS introduced access policies. | May 29, 2023 |