Simplified Amazon EKS access management controls
Introduction
Since the initial Amazon Elastic Kubernetes Service (Amazon EKS) launch, it has supported AWS Identity and Access Management (AWS IAM) principals as entities that can authenticate against a cluster. This removed the burden on administrators of maintaining a separate identity provider. Using AWS IAM also lets AWS customers apply their existing AWS IAM knowledge and experience, and gives administrators AWS IAM security features such as AWS CloudTrail audit logging and multi-factor authentication.
Until now, administrators used Amazon EKS APIs to create clusters, then switched to the Kubernetes API to manage mappings between AWS IAM principals and their Kubernetes permissions. This manual, multi-step process complicated granting users access to Amazon EKS clusters. It also prevented administrators from revoking the cluster-admin [root-like] permissions from the principal that was used to create the cluster. The need to call two different APIs (AWS and Kubernetes) to manage access further increased the likelihood of misconfiguration.
Feature Overview
The Amazon EKS team has improved the cluster authentication (AuthN) and authorization (AuthZ) user experience with new cluster access management controls. Cluster administrators can now grant AWS IAM principals access to all supported versions (v1.23 and beyond) of Amazon EKS clusters and Kubernetes objects directly through Amazon EKS APIs. This functionality relies on two new concepts: access entries and access policies. An access entry is a cluster identity, directly linked to an AWS IAM principal (user or role), that is used to authenticate to an Amazon EKS cluster. An Amazon EKS access policy authorizes an access entry to perform specific cluster actions.
Cluster access management API
The new cluster access management API objects and commands allow administrators to define access management configurations — including during cluster creation — using familiar infrastructure as code (IaC) tools such as AWS CloudFormation, Terraform, or the AWS Cloud Development Kit (CDK).
The improved customer access management controls enable administrators to completely remove or refine the permissions automatically granted to the AWS IAM principal used to create the cluster. If a misconfiguration occurs, then cluster access can be restored…
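The IaC workflow described above and the removal of the cluster creator's automatic permissions, as an added Terraform example that is not part of the original article. It assumes the AWS provider's `aws_eks_cluster`, `aws_eks_access_entry` and `aws_eks_access_policy_association` resources; the cluster name, IAM role ARNs, subnet variable and namespaces are placeholders.

```hcl
# Added example, not from the article. Cluster creator gets no automatic
# cluster-admin; all access is granted through access entries and policies.
resource "aws_eks_cluster" "example" {
  name     = "example-cluster"               # placeholder name
  role_arn = aws_iam_role.cluster.arn        # assumed to be defined elsewhere
  vpc_config {
    subnet_ids = var.subnet_ids              # assumed input variable
  }
  access_config {
    # "API": access entries only, no aws-auth ConfigMap mappings
    authentication_mode = "API"
    # false: the principal running terraform is NOT auto-granted cluster-admin
    bootstrap_cluster_creator_admin_permissions = false
  }
}

# Platform admin role: cluster-wide admin through the managed access policy.
resource "aws_eks_access_entry" "platform_admin" {
  cluster_name  = aws_eks_cluster.example.name
  principal_arn = "arn:aws:iam::111122223333:role/PlatformAdmin"   # placeholder ARN
  type          = "STANDARD"
}

resource "aws_eks_access_policy_association" "platform_admin" {
  cluster_name  = aws_eks_cluster.example.name
  principal_arn = aws_eks_access_entry.platform_admin.principal_arn
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
  access_scope {
    type = "cluster"
  }
}

# Application team role: read-only, limited to its own namespaces.
resource "aws_eks_access_entry" "app_team" {
  cluster_name  = aws_eks_cluster.example.name
  principal_arn = "arn:aws:iam::111122223333:role/AppTeamDeveloper"   # placeholder ARN
  type          = "STANDARD"
}

resource "aws_eks_access_policy_association" "app_team" {
  cluster_name  = aws_eks_cluster.example.name
  principal_arn = aws_eks_access_entry.app_team.principal_arn
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
  access_scope {
    type       = "namespace"
    namespaces = ["team-a", "team-a-staging"]   # placeholder namespaces
  }
}
```

Because the creator principal is not bootstrapped as cluster-admin, at least one access entry with `AmazonEKSClusterAdminPolicy` should be applied in the same run, and the principal that runs `terraform` must itself hold the `eks:*AccessEntry*` and `eks:*AccessPolicy*` IAM permissions so that access can be corrected through the Amazon EKS API rather than through the Kubernetes API.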