Access Entries is a new method for granting access to an EKS cluster, introduced in 2023 (see announcement), as an alternative to and replacement for the existing aws-auth ConfigMap.
- vpc.tf: Base infrastructure for the EKS Cluster (VPC, Security Group, NAT Gateway...)
- eks.tf: EKS Cluster v1.29, managed node group, and Access Entries
- iam.tf: IAM Role associated with the Access Entries
- In the EKS Console, go to "Access" -> "IAM access entries". There should be an entry for the role "access-entries-admin-role" with "AmazonEKSClusterAdminPolicy" attached.
- Use this Role to access the cluster locally:
a. Assume the Access Entries' Role (find the `<Role ARN>` value from the Terraform output `iam_role`):

```
aws sts assume-role --role-arn "<Role ARN>" --role-session-name AWSCLI-Session
```
Output:

```
{
  "Credentials": {
    "AccessKeyId": "...",
    "SecretAccessKey": "...",
    "SessionToken": "...",
    ...
  },
  ...
}
```
b. Use the AWS credentials above to set the environment variables:

```
export AWS_ACCESS_KEY_ID=<AccessKeyId>
export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
export AWS_SESSION_TOKEN=<SessionToken>
```
Verify the Assume-Role:

```
aws sts get-caller-identity
```

The output should look similar to the one below, which indicates that the role was assumed successfully:

```
{
  "UserId": "...:AWSCLI-Session",
  "Account": "...",
  "Arn": "arn:...:sts::...:assumed-role/access-entries-admin-role/AWSCLI-Session"
}
```
c. Get the EKS kubeconfig:

```
aws eks --region <us-east-1> update-kubeconfig --name access-entries
```

d. Try accessing the cluster:

```
kubectl get all -A
```

Something should show up!
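
Steps a to c as a sourceable shell helper, added here as an example and not part of the sample repository; the function names are assumptions. It reads the credentials with `--query`/`--output text` so the secrets are not pasted by hand, and it refuses to update the kubeconfig unless `get-caller-identity` reports the expected assumed role.

```shell
# Added example; function names are hypothetical, not from the sample repo.
# Source this file, then run: eks_login "<Role ARN>" "<region>"

# $1: "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken" (one line of text).
# Exports the three variables only if all three fields are present.
load_session_creds() {
  IFS="$(printf '\t')" read -r key secret token <<EOF
$1
EOF
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "incomplete credentials from assume-role" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID="$key" AWS_SECRET_ACCESS_KEY="$secret" AWS_SESSION_TOKEN="$token"
  unset key secret token
}

# $1: Arn from get-caller-identity, $2: expected role name.
# The partition is not pinned (aws, aws-cn, ...) because the sample is
# tested in both us-east-1 and cn-north-1.
is_expected_role() {
  case "$1" in arn:*:sts::*) ;; *) return 1 ;; esac
  resource=${1##*:}   # assumed-role/<role>/<session>
  case "$resource" in assumed-role/"$2"/?*) return 0 ;; esac
  return 1
}

# $1: <Role ARN> (Terraform output iam_role), $2: region.
eks_login() {
  creds=$(aws sts assume-role --role-arn "$1" \
    --role-session-name AWSCLI-Session \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text) || return 1
  load_session_creds "$creds" || return 1
  unset creds
  arn=$(aws sts get-caller-identity --query Arn --output text) || return 1
  if ! is_expected_role "$arn" access-entries-admin-role; then
    echo "unexpected identity: $arn" >&2
    return 1
  fi
  aws eks --region "$2" update-kubeconfig --name access-entries
}
```

The temporary credentials expire with the STS session, so rerun `eks_login` when `kubectl` starts returning authentication errors.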
Please refer to Terraform.md
This sample is tested in the following region(s)
- us-east-1
- cn-north-1