Is aws-iam-authenticator still needed with EKS?

Server Fault Asked by Giovanni Tirloni on December 22, 2020

I’ve created a cluster (eks.3) through the console and then used aws eks update-config to generate the kubeconfig configuration. I immediately had access to the cluster through kubectl but the EKS user guide talks about aws-iam-authenticator as if it was required. Is this still needed? If not, how is authentication happening after cluster creation?

One Answer

Amazon EKS uses IAM to provide authentication to your Kubernetes cluster[...], but it still relies on native Kubernetes Role Based Access Control (RBAC) for authorization. [...] All permissions for interacting with your Amazon EKS cluster’s Kubernetes API is managed through the native Kubernetes RBAC system. EKS userguide

So you don't necessarily need the aws-iam-authenticator. The aws-iam-authenticator maps IAM users and roles to the native Kubernetes Role Based Access Control (RBAC) for authorization. So theoretically it should be possible to just use the RBAC. However, the official documentation only refers to IAM authentication. So I would advise using that as well. I'm not 100% sure if a missing aws-iam-authenticator could cause problems with service-based policies. Stuff like granting a pod access to an S3 bucket.

When you create an Amazon EKS cluster, the IAM entity user or role, such as a federated user that creates the cluster, is automatically granted system:masters permissions in the cluster's RBAC configuration. EKS userguide

That is why your user has access to the EKS cluster.

Correct answer by Henrik Pingel on December 22, 2020
