Grant IAM users access to Kubernetes with EKS access entries - Amazon EKS

Grant IAM users access to Kubernetes with EKS access entries

Prerequisites
  • Familiarity with cluster access options for your Amazon EKS cluster. For more information, see Grant IAM users and roles access to Kubernetes APIs.

  • An existing Amazon EKS cluster. To deploy one, see Get started with Amazon EKS. To use access entries and change the authentication mode of a cluster, the cluster must have a platform version that is the same as or later than the version listed for its Kubernetes version in the following table, or a Kubernetes version that is later than the versions listed in the table.

    Kubernetes version    Platform version
    1.30                  eks.2
    1.29                  eks.1
    1.28                  eks.6
    1.27                  eks.10
    1.26                  eks.11
    1.25                  eks.12
    1.24                  eks.15
    1.23                  eks.17

    You can check your current Kubernetes and platform version by replacing my-cluster in the following command with the name of your cluster and then running the modified command:

        aws eks describe-cluster --name my-cluster --query 'cluster.{"Kubernetes Version": version, "Platform Version": platformVersion}'

    Important

    After Amazon EKS updates your cluster to the platform version listed in the table, Amazon EKS creates an access entry with administrator permissions to the cluster for the IAM principal that originally created the cluster. If you don't want that IAM principal to have administrator permissions to the cluster, remove the access entry that Amazon EKS created.

    For clusters with platform versions that are earlier than those listed in the previous table, the cluster creator is always a cluster administrator. It's not possible to remove cluster administrator permissions from the IAM user or role that created the cluster.

  • An IAM principal with the following permissions for your cluster: CreateAccessEntry, ListAccessEntries, DescribeAccessEntry, DeleteAccessEntry, and UpdateAccessEntry. For more information about Amazon EKS permissions, see Actions defined by Amazon Elastic Kubernetes Service in the Service Authorization Reference.

  • An existing IAM principal to create an access entry for, or an existing access entry to update or delete.
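
The version prerequisite above can be checked in a script. The following is an added example, not part of the AWS guide: the function names are hypothetical, the version pairs are copied from the table, and check_cluster assumes a configured AWS CLI.

```shell
#!/bin/sh
# Added example: applies the prerequisite table to a Kubernetes/platform
# version pair. Function names are hypothetical, not part of the AWS CLI.

# Prints the minimum platform build (the N in eks.N) listed in the table
# for a Kubernetes version; returns 1 if the version is not in the table.
min_platform_build() {
  case "$1" in
    1.30) echo 2 ;;
    1.29) echo 1 ;;
    1.28) echo 6 ;;
    1.27) echo 10 ;;
    1.26) echo 11 ;;
    1.25) echo 12 ;;
    1.24) echo 15 ;;
    1.23) echo 17 ;;
    *) return 1 ;;
  esac
}

# Returns 0 if access entries are available, 1 if not, 2 on unparseable input.
supports_access_entries() {
  k8s=$1 platform=$2
  case "$k8s" in 1.*) minor=${k8s#1.} ;; *) return 2 ;; esac
  case "$minor" in ''|*[!0-9]*) return 2 ;; esac
  # A Kubernetes version later than every table row qualifies on any platform version.
  [ "$minor" -gt 30 ] && return 0
  # A version earlier than 1.23 has no table row and does not qualify.
  required=$(min_platform_build "1.$minor") || return 1
  case "$platform" in eks.*) build=${platform#eks.} ;; *) return 2 ;; esac
  case "$build" in ''|*[!0-9]*) return 2 ;; esac
  [ "$build" -ge "$required" ]
}

# Reads both versions from a live cluster and applies the check.
# Usage: check_cluster my-cluster
check_cluster() {
  out=$(aws eks describe-cluster --name "$1" \
    --query 'cluster.[version,platformVersion]' --output text) || return 2
  set -- $out   # intentional word splitting: "<version> <platformVersion>"
  supports_access_entries "$1" "$2"
}
```

A return status of 1 from check_cluster means the cluster is below the listed platform version, so the cluster creator is still a permanent cluster administrator, as described in the Important note.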