Grant IAM users and roles access to Kubernetes APIs
Your cluster has an Kubernetes API endpoint. Kubectl uses this API. You can authenticate to this API using two types of identities:
-
An AWS Identity and Access Management (IAM) principal (role or user) – This type requires authentication to IAM. Users can sign in to AWS as an IAM user or with a federated identity
by using credentials provided through an identity source. Users can only sign in with a federated identity if your administrator previously set up identity federation using IAM roles. When users access AWS by using federation, they’re indirectly assuming a role. When users use this type of identity, you: -
Can assign them Kubernetes permissions so that they can work with Kubernetes objects on your cluster. For more information about how to assign permissions to your IAM principals so that they’re able to access Kubernetes objects on your cluster, see Grant IAM users access to Kubernetes with EKS access entries.
-
Can assign them IAM permissions so that they can work with your Amazon EKS cluster and its resources using the Amazon EKS API, AWS CLI, AWS CloudFormation, AWS Management Console, or
eksctl
. For more information, see Actions defined by Amazon Elastic Kubernetes Service in the Service Authorization Reference. -
Nodes join your cluster by assuming an IAM role. The ability to access your cluster using IAM principals is provided by the AWS IAM Authenticator for Kubernetes
, which runs on the Amazon EKS control plane.
-
-
A user in your own OpenID Connect (OIDC) provider – This type requires authentication to your OIDC
provider. For more information about setting up your own OIDC provider with your Amazon EKS cluster, see Grant users access to Kubernetes with an external OIDC provider. When users use this type of identity, you: -
Can assign them Kubernetes permissions so that they can work with Kubernetes objects on your cluster.
-
Can’t assign them IAM permissions so that they can work with your Amazon EKS cluster and its resources using the Amazon EKS API, AWS CLI, AWS CloudFormation, AWS Management Console, or
eksctl
.
-
You can use both types of identities with your cluster. The IAM authentication method cannot be disabled. The OIDC authentication method is optional.
Associate IAM Identities with Kubernetes Permissions
The AWS IAM Authenticator for Kubernetes
-
Creating access entries – If your cluster is at or later than the platform version listed in the Prerequisites section for your cluster’s Kubernetes version, we recommend that you use this option.
Use access entries to manage the Kubernetes permissions of IAM principals from outside the cluster. You can add and manage access to the cluster by using the EKS API, AWS Command Line Interface, AWS SDKs, AWS CloudFormation, and AWS Management Console. This means you can manage users with the same tools that you created the cluster with.
To get started, follow Change authentication mode to use access entries, then Migrating existing aws-auth ConfigMap entries to access entries.
-
Adding entries to the
aws-auth
ConfigMap
– If your cluster’s platform version is earlier than the version listed in the Prerequisites section, then you must use this option. If your cluster’s platform version is at or later than the platform version listed in the Prerequisites section for your cluster’s Kubernetes version, and you’ve added entries to theConfigMap
, then we recommend that you migrate those entries to access entries. You can’t migrate entries that Amazon EKS added to theConfigMap
however, such as entries for IAM roles used with managed node groups or Fargate profiles. For more information, see Grant IAM users and roles access to Kubernetes APIs.-
If you have to use the
aws-auth
ConfigMap
option, you can add entries to theConfigMap
using theeksctl create iamidentitymapping
command. For more information, see Manage IAM users and rolesin the eksctl
documentation.
-
Set Cluster Authentication Mode
Each cluster has an authentication mode. The authentication mode determines which methods you can use to allow IAM principals to access Kubernetes objects on your cluster. There are three authentication modes.
Important
Once the access entry method is enabled, it cannot be disabled.
If the ConfigMap
method is not enabled during cluster creation, it cannot be enabled later. All clusters created before the introduction of access entries have the ConfigMap
method enabled.
If you are using hybrid nodes with your cluster, you must use the API
or API_AND_CONFIG_MAP
cluster authentication modes.
-
The
aws-auth
ConfigMap
inside the cluster -
This is the original authentication mode for Amazon EKS clusters. The IAM principal that created the cluster is the initial user that can access the cluster by using
kubectl
. The initial user must add other users to the list in theaws-auth
ConfigMap
and assign permissions that affect the other users within the cluster. These other users can’t manage or remove the initial user, as there isn’t an entry in theConfigMap
to manage. -
Both the
ConfigMap
and access entries -
With this authentication mode, you can use both methods to add IAM principals to the cluster. Note that each method stores separate entries; for example, if you add an access entry from the AWS CLI, the
aws-auth
ConfigMap
is not updated. - Access entries only
-
With this authentication mode, you can use the EKS API, AWS Command Line Interface, AWS SDKs, AWS CloudFormation, and AWS Management Console to manage access to the cluster for IAM principals.
Each access entry has a type and you can use the combination of an access scope to limit the principal to a specific namespace and an access policy to set preconfigured reusable permissions policies. Alternatively, you can use the STANDARD type and Kubernetes RBAC groups to assign custom permissions.
Authentication mode | Methods |
---|---|
|
|
EKS API and |
access entries in the EKS API, AWS Command Line Interface, AWS SDKs, AWS CloudFormation, and AWS Management Console and |
EKS API only ( |
access entries in the EKS API, AWS Command Line Interface, AWS SDKs, AWS CloudFormation, and AWS Management Console |
Note
Amazon EKS Auto Mode requires Access entries.