EKS Cluster Access Management
Sources
This page is a summary of:
Summary
Cluster Access Management lets you manage access to EKS clusters through the AWS API:
- Map AWS identities to pre-defined AWS-managed Kubernetes permissions called "access policies"
- Map AWS identities to specific Kubernetes groups
- Gain visibility on former "shadow administrators"—AWS identities who initially created the EKS cluster—and remove their access
Concepts
- When you grant access to an AWS principal on a specific EKS cluster, you create an access entry for that principal
- You can then assign permissions to that principal by mapping the access entry to Kubernetes groups, and/or access policies (an AWS-managed set of Kubernetes permissions)
- You can grant an access policy either at the cluster or namespace level
Interaction with aws-auth ConfigMap
The way Cluster Access Management interacts with the aws-auth ConfigMap depends on a cluster-wide setting called the authentication mode.
| Authentication mode | Description |
|---|---|
| CONFIG_MAP | The aws-auth ConfigMap is the only source of authorization for AWS identities. |
| API_AND_CONFIG_MAP | Both access entries (AWS API) and the aws-auth ConfigMap are used, with priority given to the access entry when a principal appears in both. |
| API | Only access entries are used; the aws-auth ConfigMap is ignored. |
Switching
Switching across these authentication modes is a one-way operation:
- You can switch from CONFIG_MAP to API_AND_CONFIG_MAP or API, and from API_AND_CONFIG_MAP to API
- But not the opposite.
Evaluation
- When an access entry maps to both managed access policies and Kubernetes groups, the effective permissions are the union of the permissions granted through the Kubernetes groups and those granted by the managed access policies.
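As an added example (not code from the original page or from AWS), the following bash script uses the AWS CLI to encode the one-way authentication mode rule, onboard a principal with an access entry mapped to a Kubernetes group plus a namespace-scoped access policy, and list which principals hold cluster-scoped admin through access entries (where the former "shadow administrator" becomes visible). CLUSTER, ROLE_ARN and NAMESPACE are hypothetical placeholder values.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: onboard a principal through EKS
# Cluster Access Management and audit cluster-wide admin access entries.
# Assumes AWS CLI v2; CLUSTER, ROLE_ARN and NAMESPACE are hypothetical placeholders.
set -euo pipefail

CLUSTER="${CLUSTER:-demo-cluster}"
ROLE_ARN="${ROLE_ARN:-arn:aws:iam::111122223333:role/team-a-dev}"
NAMESPACE="${NAMESPACE:-team-a}"
CLUSTER_ADMIN_POLICY="arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
EDIT_POLICY="arn:aws:eks::aws:cluster-access-policy/AmazonEKSEditPolicy"

# Mode changes are one-way (CONFIG_MAP -> API_AND_CONFIG_MAP -> API): returns 0 if $1 -> $2 is allowed.
mode_transition_allowed() {
  case "$1:$2" in
    CONFIG_MAP:API_AND_CONFIG_MAP|CONFIG_MAP:API|API_AND_CONFIG_MAP:API) return 0 ;;
    *) return 1 ;;
  esac
}

# Switch the cluster's authentication mode, refusing the transitions EKS does not allow.
set_authentication_mode() {
  mode_transition_allowed "$1" "$2" || { echo "cannot switch from $1 to $2" >&2; return 1; }
  aws eks update-cluster-config --name "$CLUSTER" --access-config "authenticationMode=$2"
}

# Create the access entry mapped to a Kubernetes group (bind that group with a RoleBinding),
# then attach a namespace-scoped managed policy; the principal gets the union of both.
grant_team_access() {
  aws eks create-access-entry --cluster-name "$CLUSTER" --principal-arn "$ROLE_ARN" \
    --kubernetes-groups "${NAMESPACE}-developers"
  aws eks associate-access-policy --cluster-name "$CLUSTER" --principal-arn "$ROLE_ARN" \
    --policy-arn "$EDIT_POLICY" --access-scope "type=namespace,namespaces=${NAMESPACE}"
}

# Print each principal holding AmazonEKSClusterAdminPolicy at cluster scope; the cluster
# creator (former "shadow administrator") appears here and can be removed with
# delete-access-entry. Text output of a list is tab-separated, hence the tr.
list_cluster_admins() {
  aws eks list-access-entries --cluster-name "$CLUSTER" --query accessEntries --output text \
    | tr '\t' '\n' | while read -r principal; do
      [ -n "$principal" ] || continue
      if aws eks list-associated-access-policies --cluster-name "$CLUSTER" --principal-arn "$principal" \
          --query "associatedAccessPolicies[?policyArn=='$CLUSTER_ADMIN_POLICY' && accessScope.type=='cluster'].policyArn" \
          --output text | grep -q .; then echo "$principal"; fi
    done
}

if [ "${1:-}" = "run" ]; then grant_team_access; list_cluster_admins; fi
```

Run it with `run` as the first argument to apply the grant and then print the cluster-admin principals.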
