Help improve this page
Want to contribute to this user guide? Scroll to the bottom of this page and select Edit this page on GitHub. Your contributions will help make our user guide better for everyone.
Create access entries
Considerations
Before creating access entries, consider the following:
-
A properly set authentication mode. See Change authentication mode to use access entries.
-
An access entry includes the Amazon Resource Name (ARN) of one, and only one, existing IAM principal. An IAM principal can't be included in more than one access entry. Additional considerations for the ARN that you specify:
-
IAM best practices recommend accessing your cluster using IAM roles that have short-term credentials, rather than IAM users that have long-term credentials. For more information, see Require human users to use federation with an identity provider to access AWS using temporary credentials in the IAM User Guide.
-
If the ARN is for an IAM role, it can include a path. ARNs in
aws-auth
ConfigMap
entries, can't include a path. For example, your ARN can bearn:aws:iam::
or111122223333
:role/development/apps/
my-role
arn:aws:iam::
.111122223333
:role/my-role
-
If the type of the access entry is anything other than
STANDARD
(see next consideration about types), the ARN must be in the same AWS account that your cluster is in. If the type isSTANDARD
, the ARN can be in the same, or different, AWS account than the account that your cluster is in. -
You can't change the IAM principal after the access entry is created.
-
If you ever delete the IAM principal with this ARN, the access entry isn't automatically deleted. We recommend that you delete the access entry with an ARN for an IAM principal that you delete. If you don't delete the access entry and ever recreate the IAM principal, even if it has the same ARN, the access entry won't work. This is because even though the ARN is the same for the recreated IAM principal, the
roleID
oruserID
(you can see this with theaws sts get-caller-identity
AWS CLI command) is different for the recreated IAM principal than it was for the original IAM principal. Even though you don't see the IAM principal'sroleID
oruserID
for an access entry, Amazon EKS stores it with the access entry.
-
-
Each access entry has a type. You can specify
EC2 Linux
(for an IAM role used with Linux or Bottlerocket self-managed nodes),EC2 Windows
(for an IAM roles used with Windows self-managed nodes),FARGATE_LINUX
(for an IAM roles used with AWS Fargate (Fargate)), orSTANDARD
as a type. If you don't specify a type, Amazon EKS automatically sets the type toSTANDARD
. It's unnecessary to create an access entry for an IAM role that's used for a managed node group or a Fargate profile, because Amazon EKS adds entries for these roles to theaws-auth
ConfigMap
, regardless of which platform version your cluster is at.You can't change the type after the access entry is created.
-
If the type of the access entry is
STANDARD
, you can specify a username for the access entry. If you don't specify a value for username, Amazon EKS sets one of the following values for you, depending on the type of the access entry and whether the IAM principal that you specified is an IAM role or IAM user. Unless you have a specific reason for specifying your own username, we recommend that don't specify one and let Amazon EKS auto-generate it for you. If you specify your own username:-
It can't start with
system:
,eks:
,aws:
,amazon:
, oriam:
. -
If the username is for an IAM role, we recommend that you add
{{SessionName}}
to the end of your username. If you add{{SessionName}}
to your username, the username must include a colon before {{SessionName}}. When this role is assumed, the name of the session specified when assuming the role is automatically passed to the cluster and will appear in CloudTrail logs. For example, you can't have a username ofjohn{{SessionName}}
. The username would have to be:john{{SessionName}}
orjo:hn{{SessionName}}
. The colon only has to be before{{SessionName}}
. The username generated by Amazon EKS in the following table includes an ARN. Since an ARN includes colons, it meets this requirement. The colon isn't required if you don't include{{SessionName}}
in your username.
IAM principal type Type Username value that Amazon EKS automatically sets User STANDARD
The ARN of the user. Example:
arn:aws:iam::
111122223333
:user/my-user
Role STANDARD
The STS ARN of the role when it's assumed. Amazon EKS appends
{{SessionName}}
to the role.Example:
arn:aws:sts::
111122223333
:assumed-role/my-role
/{{SessionName}}If the ARN of the role that you specified contained a path, Amazon EKS removes it in the generated username.
Role EC2 Linux
orEC2 Windows
system:node:{{EC2PrivateDNSName}}
Role FARGATE_LINUX
system:node:{{SessionName}}
You can change the username after the access entry is created.
-
-
If an access entry's type is
STANDARD
, and you want to use Kubernetes RBAC authorization, you can add one or more group names to the access entry. After you create an access entry you can add and remove group names. For the IAM principal to have access to Kubernetes objects on your cluster, you must create and manage Kubernetes role-based authorization (RBAC) objects. Create KubernetesRoleBinding
orClusterRoleBinding
objects on your cluster that specify the group name as asubject
forkind: Group
. Kubernetes authorizes the IAM principal access to any cluster objects that you've specified in a KubernetesRole
orClusterRole
object that you've also specified in your binding'sroleRef
. If you specify group names, we recommend that you're familiar with the Kubernetes role-based authorization (RBAC) objects. For more information, see Using RBAC Authorizationin the Kubernetes documentation. Important
Amazon EKS doesn't confirm that any Kubernetes RBAC objects that exist on your cluster include any of the group names that you specify.
Instead of, or in addition to, Kubernetes authorizing the IAM principal access to Kubernetes objects on your cluster, you can associate Amazon EKS access policies to an access entry. Amazon EKS authorizes IAM principals to access Kubernetes objects on your cluster with the permissions in the access policy. You can scope an access policy's permissions to Kubernetes namespaces that you specify. Use of access policies don't require you to manage Kubernetes RBAC objects. For more information, see Associate access policies with access entries.
-
If you create an access entry with type
EC2 Linux
orEC2 Windows
, the IAM principal creating the access entry must have theiam:PassRole
permission. For more information, see Granting a user permissions to pass a role to an AWS service in the IAM User Guide. -
Similar to standard IAM behavior, access entry creation and updates are eventually consistent, and may take several seconds to be effective after the initial API call returns successfully. You must design your applications to account for these potential delays. We recommend that you don't include access entry creates or updates in the critical, high- availability code paths of your application. Instead, make changes in a separate initialization or setup routine that you run less frequently. Also, be sure to verify that the changes have been propagated before production workflows depend on them.
-
Access entries do not support service linked roles. You cannot create access entries where the principal ARN is a service linked role. You can identify service linked roles by their ARN, which is in the format
arn:aws:iam::*:role/aws-service-role/*
.
You can create an access entry using the AWS Management Console or the AWS CLI.