Cluster authentication

Amazon EKS uses IAM to provide authentication to your Kubernetes cluster (through the aws eks get-token command, available in version 1.16.156 or later of the AWS CLI, or the AWS IAM Authenticator for Kubernetes), but it still relies on native Kubernetes Role Based Access Control (RBAC) for authorization. This means that IAM is only used for authentication of valid IAM entities. All permissions for interacting with your Amazon EKS cluster's Kubernetes API is managed through the native Kubernetes RBAC system. The following picture shows this relationship.

Note

Amazon EKS uses the authentication token to make the sts:GetCallerIdentity call. As a result, AWS CloudTrail events with the name GetCallerIdentity from the source sts.amazonaws.com can have Amazon EKS service IP addresses for their source IP address.

Topics

• Enabling IAM principal access to your cluster
• Authenticating users for your cluster from an OpenID Connect identity provider
• Creating or updating a kubeconfig file for an Amazon EKS cluster
• Installing aws-iam-authenticator
• Default Amazon EKS created Kubernetes roles and users