EKS

You can use Granted as a kubectl credential plugin to authenticate to EKS clusters. kubectl uses a “kubeconfig” file, which is located at ~/.kube/config by default. To use Granted with EKS, we’ll modify this kubeconfig file.

First, add an entry for your cluster to the kubeconfig file by running

aws eks update-kubeconfig --name <CLUSTER_NAME>

Where <CLUSTER_NAME> is the name of the EKS cluster you’re trying to connect to. This command will add an entry to your kubeconfig file similar to the below:

users:
  - name: arn:aws:eks:ap-southeast-2:123456789012:cluster/<CLUSTER_NAME>
    user:
      exec:
        apiVersion: client.authentication.k8s.io/v1beta1
        args:
          - --region
          - <CLUSTER_REGION>
          - eks
          - get-token
          - --cluster-name
          - <CLUSTER_NAME>
        command: aws
        env: null
        provideClusterInfo: false

Now, modify the exec field of this entry to be the following:

- name: arn:aws:eks:ap-southeast-2:123456789012:cluster/<CLUSTER_NAME>
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
        [
          "<PROFILE_NAME>",
          "--exec",
          "aws --region <CLUSTER_REGION> eks get-token --cluster-name <CLUSTER_NAME>",
        ]
      command: assume
      env:
        - name: GRANTED_QUIET
          value: "true"
        - name: FORCE_NO_ALIAS
          value: "true"
      interactiveMode: IfAvailable
      provideClusterInfo: false

Where <PROFILE_NAME> is the name of the AWS profile to use, <CLUSTER_REGION> is the region the EKS cluster is deployed to, and <CLUSTER_NAME> is the name of the EKS cluster.

Now, run a kubectl command against the cluster to verify the connection:

kubectl get nodes

The command should print the list of nodes for your cluster.