Learn how access control works in Amazon EKS - Amazon EKS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Help improve this page

Want to contribute to this user guide? Choose the Edit this page on GitHub link that is located in the right pane of every page. Your contributions will help make our user guide better for everyone.

Learn how access control works in Amazon EKS

Learn how to manage access to your Amazon EKS cluster. Using Amazon EKS requires knowledge of how both Kubernetes and Amazon Identity and Access Management (Amazon IAM) handle access control.

This section includes:

Grant IAM users and roles access to Kubernetes APIs  — Learn how to enable applications or users to authenticate to the Kubernetes API. You can use access entries, the aws-auth ConfigMap, or an external OIDC provider.

View Kubernetes resources in the Amazon Web Services Management Console  — Learn how to configure the Amazon Web Services Management Console to communicate with your Amazon EKS cluster. Use the console to view Kubernetes resources in the cluster, such as namespaces, nodes, and Pods.

Connect kubectl to an EKS cluster by creating a kubeconfig file  — Learn how to configure kubectl to communicate with your Amazon EKS cluster. Use the Amazon CLI to create a kubeconfig file.

Grant Kubernetes workloads access to Amazon using Kubernetes Service Accounts  — Learn how to associate a Kubernetes service account with Amazon IAM Roles. You can use Pod Identity or IAM Roles for Service Accounts (IRSA).

Common Tasks

  • Grant developers access to the Kubernetes API. View Kubernetes resources in the Amazon Web Services Management Console.

    • Solution: Use access entries to associate Kubernetes RBAC permissions with Amazon IAM Users or Roles.

  • Configure kubectl to talk to an Amazon EKS cluster using Amazon Credentials.

  • Use an external identity provider, such as Ping Identity, to authenticate users to the Kubernetes API.

  • Grant workloads on your Kubernetes cluster the ability to call Amazon APIs.

    • Solution: Use Pod Identity to associate an Amazon IAM Role to a Kubernetes Service Account.

Background

Considerations for EKS Auto Mode

EKS Auto Mode integrates with EKS Pod Identity and EKS EKS access entries.

  • EKS Auto Mode uses access entries to grant the EKS control plane Kubernetes permissions. For example, the access policies enable EKS Auto Mode to read information about network endpoints and services.

    • You cannot disable access entries on an EKS Auto Mode cluster.

    • You can optionally enable the aws-auth ConfigMap.

    • The access entries for EKS Auto Mode are automatically configured. You can view these access entries, but you cannot modify them.

    • If you use a NodeClass to create a custom Node IAM Role, you need to create an access entry for the role using the AmazonEKSAutoNodePolicy access policy.

  • If you want to grant workloads permissions for Amazon services, use EKS Pod Identity.

    • You do not need to install the Pod Identity agent on EKS Auto Mode clusters.