EKS Webhook Token Authentication: Difference between revisions
Line 10: | Line 10: | ||
EKS has native support for bearer tokens and [[Kubernetes_Security_Concepts#Bearer_Tokens|bearer tokens]] and [[Kubernetes_Security_Concepts#Webhook_Token_Authentication|webhook token authentication]]. The bearer token is the only piece of information that carries the identity of the caller to the Kubernetes server. It consists of a pre-signed URL that includes an Amazon credential and signature. | EKS has native support for bearer tokens and [[Kubernetes_Security_Concepts#Bearer_Tokens|bearer tokens]] and [[Kubernetes_Security_Concepts#Webhook_Token_Authentication|webhook token authentication]]. The bearer token is the only piece of information that carries the identity of the caller to the Kubernetes server. It consists of a pre-signed URL that includes an Amazon credential and signature. | ||
For more details: {{External|https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html}} | For more details: | ||
{{External|https://aws.github.io/aws-eks-best-practices/iam/#controlling-access-to-eks-clusters}} | |||
{{External|https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html}} | |||
=Generate a Token= | =Generate a Token= |
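Review bot: the unchanged Overview line shown as context for this change still reads "bearer tokens and [[Kubernetes_Security_Concepts#Bearer_Tokens|bearer tokens]] and", a duplicated phrase on both sides of the diff; since this revision is already touching the paragraph's "For more details:" links, collapse it to a single linked "bearer tokens" in the same edit.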
Revision as of 01:21, 2 October 2020
External
Internal
Overview
EKS has native support for bearer tokens and webhook token authentication. The bearer token is the only piece of information that carries the identity of the caller to the Kubernetes server. It consists of a pre-signed URL that includes an Amazon credential and signature.
For more details:
Generate a Token
For the current IAM user, associated with the current AWS_PROFILE:
aws eks get-token --cluster-name <cluster-name>
For an arbitrary IAM role:
aws eks get-token --cluster-name <cluster-name> --role-arn <role-arn>
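To see what the Overview means by a pre-signed URL carrying a credential and signature, the following added example (not part of the original page) decodes a token and lists the fields of the embedded STS GetCallerIdentity URL. It assumes the token layout produced by `aws eks get-token` (a `k8s-aws-v1.` prefix followed by the base64url-encoded URL, with `x-k8s-aws-id` among the signed headers); the sample URL, access key ID and signature are constructed.

```python
import base64
from urllib.parse import urlsplit, parse_qs

TOKEN_PREFIX = "k8s-aws-v1."  # prefix of tokens emitted by `aws eks get-token`

# Constructed sample: documentation-style access key ID, all-zero signature.
SAMPLE_URL = (
    "https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity"
    "&Version=2011-06-15&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20201002%2Fus-east-1%2Fsts%2Faws4_request"
    "&X-Amz-Date=20201002T012100Z&X-Amz-Expires=60"
    "&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=" + "0" * 64
)
SAMPLE_TOKEN = TOKEN_PREFIX + base64.urlsafe_b64encode(SAMPLE_URL.encode()).decode().rstrip("=")


def decode_eks_token(token):
    """Return the identity-bearing fields of the pre-signed URL inside a token."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("missing k8s-aws-v1. prefix")
    body = token[len(TOKEN_PREFIX):]
    body += "=" * (-len(body) % 4)  # restore the stripped base64 padding
    parts = urlsplit(base64.urlsafe_b64decode(body).decode("utf-8"))
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    cred = query.get("X-Amz-Credential", "").split("/")
    if len(cred) != 5:
        raise ValueError("malformed X-Amz-Credential")
    return {
        "host": parts.hostname,
        "action": query.get("Action"),
        "access_key_id": cred[0],
        "region": cred[2],
        "service": cred[3],
        "signed_headers": query.get("X-Amz-SignedHeaders", "").split(";"),
        "expires_seconds": int(query.get("X-Amz-Expires", "0")),
        "has_signature": "X-Amz-Signature" in query,
    }


def is_wellformed(info):
    """Sanity checks: an STS GetCallerIdentity URL bound to a cluster header."""
    return (info["action"] == "GetCallerIdentity" and info["service"] == "sts"
            and (info["host"] or "").startswith("sts.") and info["has_signature"]
            and "x-k8s-aws-id" in info["signed_headers"])


if __name__ == "__main__":
    info = decode_eks_token(SAMPLE_TOKEN)
    print(info, is_wellformed(info))
```

The decoded URL exposes the access key ID and a signature but not the secret key; the token is still a usable credential until it expires, so it belongs in the same handling class as any other bearer secret (no logs, no tickets, no shell history).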