Cluster Access Management API
Overview
The EKS Cluster Access API provides programmatic access management for a cluster without modifying the aws-auth ConfigMap.
Enable Access Entry
# Create access entry (account ID is a placeholder).
# --username sets the Kubernetes username the principal maps to; without it,
# EKS derives the username from the principal ARN.
aws eks create-access-entry \
  --cluster-name my-cluster \
  --principal-arn arn:aws:iam::123456789012:user/my-user \
  --username my-user
# List access entries
aws eks list-access-entries \
  --cluster-name my-cluster

Associate Access Policy
# Grant cluster admin access (--access-scope is required; type=cluster
# applies the policy to the whole cluster rather than selected namespaces)
aws eks associate-access-policy \
  --cluster-name my-cluster \
  --principal-arn arn:aws:iam::123456789012:user/my-user \
  --policy-arn arn:aws:eks::aws:cluster-access-policy:AmazonEKSClusterAdminPolicy \
  --access-scope type=cluster

Access Policies
| Policy | Description |
|---|---|
| AmazonEKSClusterAdminPolicy | Full cluster access |
| AmazonEKSAdminViewPolicy | Read-only cluster access |
| AmazonEKSEditPolicy | Developer access (default) |
| AmazonEKSViewPolicy | Read-only namespaces |
Configure Kubernetes Access
# Bind the access entry's Kubernetes username to a ClusterRole.
# The subject name must equal the username set on the access entry
# (--username on create-access-entry); if no username was set, EKS derives
# one from the principal ARN and this binding will not match.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-user-admin
subjects:
- kind: User
  name: my-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

Benefits
- No direct ConfigMap manipulation
- Audit trail via CloudTrail
- IAM-based access control
- Principals can be users or roles
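As an added example (not code from the page or from AWS), a small Python audit that parses the JSON returned by `aws eks list-associated-access-policies` for each access entry and reports the principals holding admin-level access policies at cluster scope, which is the same level of privilege as the cluster-admin binding above. The sample responses, principal ARNs and the `_response` helper are constructed for the example.

```python
import json

POLICY_PREFIX = "arn:aws:eks::aws:cluster-access-policy:"
# Admin-level policies: a cluster-scoped grant of either is equivalent to
# binding the principal to the cluster-admin ClusterRole.
HIGH_PRIV = {"AmazonEKSClusterAdminPolicy", "AmazonEKSAdminPolicy"}


def _response(principal, *policies):
    """Constructed stand-in for one list-associated-access-policies response."""
    return json.dumps({"principalArn": principal, "associatedAccessPolicies": [
        {"policyArn": POLICY_PREFIX + name,
         "accessScope": {"type": scope, "namespaces": list(namespaces)}}
        for name, scope, namespaces in policies]})


# Constructed sample: one response per access entry (account ID is a placeholder).
SAMPLE_RESPONSES = [
    _response("arn:aws:iam::123456789012:user/my-user",
              ("AmazonEKSClusterAdminPolicy", "cluster", [])),
    _response("arn:aws:iam::123456789012:role/dev-team",
              ("AmazonEKSEditPolicy", "namespace", ["dev"])),
    _response("arn:aws:iam::123456789012:role/platform-admin",
              ("AmazonEKSAdminPolicy", "cluster", []),
              ("AmazonEKSViewPolicy", "namespace", ["prod"])),
]


def summarize_grants(responses):
    """Map each principal ARN to a list of (policy name, scope type, namespaces)."""
    grants = {}
    for raw in responses:
        doc = json.loads(raw)
        entries = grants.setdefault(doc["principalArn"], [])
        for assoc in doc.get("associatedAccessPolicies", []):
            scope = assoc.get("accessScope", {})
            entries.append((assoc["policyArn"].rsplit(":", 1)[-1],
                            scope.get("type"),
                            tuple(scope.get("namespaces", []))))
    return grants


def cluster_wide_admins(responses):
    """Sorted (principal, policy) pairs that hold admin-level rights cluster-wide."""
    return sorted((principal, policy)
                  for principal, entries in summarize_grants(responses).items()
                  for policy, scope_type, _ in entries
                  if policy in HIGH_PRIV and scope_type == "cluster")


if __name__ == "__main__":
    for principal, policy in cluster_wide_admins(SAMPLE_RESPONSES):
        print(f"cluster-wide {policy}: {principal}")
```

Feeding it the real CLI output for every entry returned by `aws eks list-access-entries` gives a quick inventory of who holds cluster-wide admin rights, which is worth comparing against the CloudTrail record of who associated those policies.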