Home / server / Questions / 1043732
Accepted
Giovanni Tirloni
Asked: 2020-11-25 05:01:30 +0800 CST

Is aws-iam-authenticator still needed with EKS?

  • 772

I've created a cluster (eks.3) through the console and then used aws eks update-config to generate the kubeconfig configuration. I immediately had access to the cluster through kubectl but the EKS user guide talks about aws-iam-authenticator as if it was required. Is this still needed? If not, how is authentication happening after cluster creation?

kubernetes amazon-eks

1 Answers

  1. Best Answer

    Amazon EKS uses IAM to provide authentication to your Kubernetes cluster[...], but it still relies on native Kubernetes Role Based Access Control (RBAC) for authorization. [...] All permissions for interacting with your Amazon EKS cluster’s Kubernetes API is managed through the native Kubernetes RBAC system. EKS userguide

    So you don't necessary need the aws-iam-authenticator. The aws-iam-authenticator maps IAM user and roles to the native Kubernetes Role Based Access Control (RBAC) for authorization. So theoretically it should be possible to just use the RBAC. However the official documentation only refers to IAM authentication. So I would advice to use that as well. I'm not 100% sure if a missing aws-iam-authenticator could cause problems with service based policies. Stuff like granting a pod access to a s3 bucket.

    When you create an Amazon EKS cluster, the IAM entity user or role, such as a federated user that creates the cluster, is automatically granted system:masters permissions in the cluster's RBAC configuration. EKS userguide

    That is why your user has access to the EKS cluster.

    • 1