EKS Webhook Token Authentication

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.




EKS has native support for bearer tokens and webhook token authentication. The bearer token is the only piece of information that carries the identity of the caller to the Kubernetes server. It consists of a pre-signed URL that includes an Amazon credential and signature.

For more details:


Generate a Token

For the current IAM User, associated with the current AWS_PROFILE:

aws eks get-token --cluster <cluster-name>

For an arbitrary IAM role:

aws eks get-token --cluster <cluster-name> --role <role-arn>

Mapping the IAM Identity back to Kubernetes Identity

Allowing Additional Users to Access the Cluster