Learn how access control works in Amazon EKS
Learn how to manage access to your Amazon EKS cluster. Using Amazon EKS requires knowledge of how both Kubernetes and AWS Identity and Access Management (AWS IAM) handle access control.
This section includes:
Grant IAM users and roles access to Kubernetes APIs — Learn how to enable applications or users to authenticate to the Kubernetes API. You can use access entries, the aws-auth ConfigMap, or an external OIDC provider.
View Kubernetes resources in the AWS Management Console — Learn how to configure the AWS Management Console to communicate with your Amazon EKS cluster. Use the console to view Kubernetes resources in the cluster, such as namespaces, nodes, and Pods.
Connect kubectl to an EKS cluster by creating a kubeconfig file — Learn how to configure kubectl to communicate with your Amazon EKS cluster. Use the AWS CLI to create a kubeconfig file.
Grant Kubernetes workloads access to AWS using Kubernetes Service Accounts — Learn how to associate a Kubernetes service account with AWS IAM Roles. You can use Pod Identity or IAM Roles for Service Accounts (IRSA).
Common Tasks
- Grant developers access to the Kubernetes API, and view Kubernetes resources in the AWS Management Console.
  Solution: Use access entries to associate Kubernetes RBAC permissions with AWS IAM users or roles.
- Configure kubectl to talk to an Amazon EKS cluster using AWS credentials.
  Solution: Use the AWS CLI to create a kubeconfig file.
- Use an external identity provider, such as Ping Identity, to authenticate users to the Kubernetes API.
  Solution: Link an external OIDC provider.
- Grant workloads on your Kubernetes cluster the ability to call AWS APIs.
  Solution: Use Pod Identity to associate an AWS IAM role with a Kubernetes service account.
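The three CLI-driven tasks in the list above (access entries, kubeconfig, Pod Identity), as an added example that is not part of the Amazon EKS documentation. The cluster name, namespaces, service account and IAM role ARNs passed in are hypothetical; the `aws eks` subcommands and the AmazonEKSViewPolicy ARN are the real ones. Setting `AWS_CMD=echo` prints the commands instead of calling AWS.

```shell
#!/bin/sh
# Added example, not part of the Amazon EKS documentation: the AWS CLI calls behind
# three of the tasks above, wrapped in small POSIX sh functions.
# All cluster names, ARNs and namespaces passed in are hypothetical; the access policy
# ARN (AmazonEKSViewPolicy) and the CLI subcommands are the real ones.
# Set AWS_CMD=echo to print the commands instead of calling AWS.
set -eu

AWS_CMD="${AWS_CMD:-aws}"
EKS_VIEW_POLICY="arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"

# Access entries take the IAM user or role ARN itself. An STS assumed-role ARN
# (arn:aws:sts::...:assumed-role/...) is not a valid principal, so check before calling.
is_iam_principal_arn() {
  case "$1" in
    arn:aws:iam::*:user/*|arn:aws:iam::*:role/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Task 1: let an IAM user or role see (not change) objects in one namespace.
# The access entry links the principal to the cluster; the associated access policy
# supplies the RBAC permissions, scoped to the namespace rather than the whole cluster.
grant_namespace_view() {
  cluster="$1"; principal_arn="$2"; namespace="$3"
  is_iam_principal_arn "$principal_arn" || {
    echo "not an IAM user/role ARN: $principal_arn" >&2
    return 2
  }
  "$AWS_CMD" eks create-access-entry \
    --cluster-name "$cluster" \
    --principal-arn "$principal_arn" \
    --type STANDARD
  "$AWS_CMD" eks associate-access-policy \
    --cluster-name "$cluster" \
    --principal-arn "$principal_arn" \
    --policy-arn "$EKS_VIEW_POLICY" \
    --access-scope "type=namespace,namespaces=$namespace"
}

# Task 2: write a kubeconfig context whose credentials come from the caller's AWS identity.
# The generated context runs `aws eks get-token` on every kubectl call, so no long-lived
# Kubernetes credential is stored on disk.
write_kubeconfig() {
  cluster="$1"; region="$2"
  "$AWS_CMD" eks update-kubeconfig --name "$cluster" --region "$region" --alias "$cluster"
}

# Task 3: give a workload AWS permissions by binding its service account to an IAM role
# through an EKS Pod Identity association (no IAM OIDC provider is needed for this path).
bind_pod_identity() {
  cluster="$1"; namespace="$2"; service_account="$3"; role_arn="$4"
  "$AWS_CMD" eks create-pod-identity-association \
    --cluster-name "$cluster" \
    --namespace "$namespace" \
    --service-account "$service_account" \
    --role-arn "$role_arn"
}

# Only runs against AWS when a cluster name is supplied; otherwise it just defines the functions.
if [ -n "${EKS_CLUSTER_NAME:-}" ]; then
  grant_namespace_view "$EKS_CLUSTER_NAME" "arn:aws:iam::111122223333:role/dev-viewer" "dev"
  write_kubeconfig "$EKS_CLUSTER_NAME" "${AWS_REGION:-us-east-1}"
  bind_pod_identity "$EKS_CLUSTER_NAME" "dev" "reporting-sa" "arn:aws:iam::111122223333:role/reporting"
fi
```

Two things the commands do not do for you: the principal given to `grant_namespace_view` still needs the IAM permission to call `eks:DescribeCluster`, because `update-kubeconfig` reads the cluster endpoint and CA from that API; and the role given to `bind_pod_identity` must have a trust policy that allows `pods.eks.amazonaws.com` to call `sts:AssumeRole` and `sts:TagSession`, otherwise the association exists but the pod's credential request fails. Namespace scope is the default to reach for; use `type=cluster` only when the principal genuinely needs every namespace.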
Background
- Review the Kubernetes Role Based Access Control (RBAC) model.
- For more information about managing access to AWS resources, see the AWS IAM User Guide. Alternatively, take a free introductory training on using AWS IAM.
Considerations for EKS Auto Mode
EKS Auto Mode integrates with EKS Pod Identity and EKS access entries.
- EKS Auto Mode uses access entries to grant the EKS control plane Kubernetes permissions. For example, the access policies enable EKS Auto Mode to read information about network endpoints and services.
- You cannot disable access entries on an EKS Auto Mode cluster.
- You can optionally enable the aws-auth ConfigMap.
- The access entries for EKS Auto Mode are automatically configured. You can view these access entries, but you cannot modify them.
- If you use a NodeClass to create a custom Node IAM Role, you need to create an access entry for the role using the AmazonEKSAutoNodePolicy access policy.
- If you want to grant workloads permissions for AWS services, use EKS Pod Identity.
- You do not need to install the Pod Identity agent on EKS Auto Mode clusters.
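The checks that follow from the Auto Mode considerations above, plus the one manual access-entry step they call for (the custom Node IAM Role from a NodeClass), as an added example that is not part of the Amazon EKS documentation. The cluster name and role ARN are hypothetical; the `aws eks` subcommands and the AmazonEKSAutoNodePolicy ARN are real. The `--type EC2` access entry type for the node role is assumed here from the EKS Auto Mode node role documentation. Setting `AWS_CMD=echo` prints the commands instead of calling AWS.

```shell
#!/bin/sh
# Added example, not part of the Amazon EKS documentation: checks and the one manual
# access-entry step that the Auto Mode considerations above call for. Cluster names and
# role ARNs are hypothetical; the AmazonEKSAutoNodePolicy ARN and the CLI subcommands are real.
# The `--type EC2` access entry type used for the custom node role is assumed here from
# the EKS Auto Mode node role documentation.
# Set AWS_CMD=echo to print the commands instead of calling AWS.
set -eu

AWS_CMD="${AWS_CMD:-aws}"
AUTO_NODE_POLICY="arn:aws:eks::aws:cluster-access-policy/AmazonEKSAutoNodePolicy"

# Access entries are on whenever the cluster's authentication mode is API or
# API_AND_CONFIG_MAP. Auto Mode requires them, so CONFIG_MAP alone is not a valid state.
access_entries_enabled() {
  case "$1" in
    API|API_AND_CONFIG_MAP) return 0 ;;
    *) return 1 ;;
  esac
}

# The aws-auth ConfigMap is the optional extra; only API_AND_CONFIG_MAP turns it on.
aws_auth_enabled() {
  [ "$1" = "API_AND_CONFIG_MAP" ]
}

# Read the mode from the cluster (cluster.accessConfig.authenticationMode in describe-cluster).
authentication_mode() {
  "$AWS_CMD" eks describe-cluster --name "$1" \
    --query cluster.accessConfig.authenticationMode --output text
}

# List the principals that already have access entries; on an Auto Mode cluster this
# includes the automatically configured entries, which can be viewed but not modified.
list_access_entries() {
  "$AWS_CMD" eks list-access-entries --cluster-name "$1" --output text
}

# Custom node IAM role from a NodeClass: the role needs a cluster-scoped access entry
# carrying AmazonEKSAutoNodePolicy before nodes using that role can join.
grant_auto_node_role() {
  cluster="$1"; node_role_arn="$2"
  case "$node_role_arn" in
    arn:aws:iam::*:role/*) ;;
    *) echo "node role must be an IAM role ARN: $node_role_arn" >&2; return 2 ;;
  esac
  "$AWS_CMD" eks create-access-entry \
    --cluster-name "$cluster" \
    --principal-arn "$node_role_arn" \
    --type EC2
  "$AWS_CMD" eks associate-access-policy \
    --cluster-name "$cluster" \
    --principal-arn "$node_role_arn" \
    --policy-arn "$AUTO_NODE_POLICY" \
    --access-scope type=cluster
}

# Only runs against AWS when a cluster name is supplied; otherwise it just defines the functions.
if [ -n "${EKS_CLUSTER_NAME:-}" ]; then
  mode=$(authentication_mode "$EKS_CLUSTER_NAME")
  access_entries_enabled "$mode" || { echo "unexpected authentication mode: $mode" >&2; exit 1; }
  list_access_entries "$EKS_CLUSTER_NAME"
  grant_auto_node_role "$EKS_CLUSTER_NAME" "arn:aws:iam::111122223333:role/custom-auto-node"
fi
```

The node role entry is the only access entry you create by hand on an Auto Mode cluster; the control plane's own entries appear in `list_access_entries` output and any attempt to change them is rejected, so a review of who can reach the Kubernetes API should treat them as fixed and concentrate on the entries that were added afterwards.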