
EKS

You can use Granted as a kubectl credential plugin to authenticate to EKS clusters. kubectl uses a “kubeconfig” file, which is located at ~/.kube/config by default. To use Granted with EKS, we’ll modify this kubeconfig file.

First, add an entry for your cluster to the kubeconfig file by running:

```bash
aws eks update-kubeconfig --name <CLUSTER_NAME>
```

Where <CLUSTER_NAME> is the name of the EKS cluster you’re trying to connect to. This command will add an entry to your kubeconfig file similar to the below:

```yaml
users:
- name: arn:aws:eks:ap-southeast-2:123456789012:cluster/<CLUSTER_NAME>
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - --region
      - <CLUSTER_REGION>
      - eks
      - get-token
      - --cluster-name
      - <CLUSTER_NAME>
      command: aws
      env: null
      provideClusterInfo: false
```

Now, modify the exec field of this entry to be the following:

```yaml
- name: arn:aws:eks:ap-southeast-2:123456789012:cluster/<CLUSTER_NAME>
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
        [
          "<PROFILE_NAME>",
          "--exec",
          "aws --region <CLUSTER_REGION> eks get-token --cluster-name <CLUSTER_NAME>",
        ]
      command: assume
      env:
        - name: GRANTED_QUIET
          value: "true"
        - name: FORCE_NO_ALIAS
          value: "true"
      interactiveMode: IfAvailable
      provideClusterInfo: false
```

Where <PROFILE_NAME> is the name of the AWS profile to use, <CLUSTER_REGION> is the region the EKS cluster is deployed to, and <CLUSTER_NAME> is the name of the EKS cluster.

Now, run a kubectl command against the cluster to verify the connection:

```bash
kubectl get nodes
```

The command should print the list of nodes for your cluster.
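
The manual edit above can also be scripted. The following is an added example, not code from Granted or from this page: it rewrites one user's `exec` stanza into the `assume` form shown earlier, working on a kubeconfig already loaded as a Python dict (for instance the JSON printed by `kubectl config view --raw -o json`). The function names, `demo-cluster` and `demo-profile` are assumptions made for the illustration.

```python
import copy

def to_granted_exec(exec_cfg, profile):
    """Turn an `aws eks get-token` exec stanza into the `assume` form."""
    args = exec_cfg.get("args") or []
    if exec_cfg.get("command") != "aws" or "get-token" not in args:
        raise ValueError("not an 'aws eks get-token' exec stanza")
    # --exec takes the whole aws command as one space-separated string,
    # so refuse values containing whitespace instead of guessing at quoting.
    if any(not a or any(c.isspace() for c in a) for a in [profile, *args]):
        raise ValueError("empty or whitespace-containing argument")
    return {
        "apiVersion": exec_cfg["apiVersion"],
        "args": [profile, "--exec", " ".join(["aws", *args])],
        "command": "assume",
        "env": [
            {"name": "GRANTED_QUIET", "value": "true"},
            {"name": "FORCE_NO_ALIAS", "value": "true"},
        ],
        "interactiveMode": "IfAvailable",
        "provideClusterInfo": False,
    }

def patch_kubeconfig(config, user_name, profile):
    """Return a copy of `config` with one user's exec stanza rewritten."""
    patched = copy.deepcopy(config)
    for entry in patched.get("users") or []:
        if entry.get("name") == user_name:
            entry["user"]["exec"] = to_granted_exec(entry["user"]["exec"], profile)
            return patched
    raise KeyError(f"no user entry named {user_name!r}")

# Constructed sample: cluster name, region and profile are placeholders.
SAMPLE_USER = "arn:aws:eks:ap-southeast-2:123456789012:cluster/demo-cluster"
SAMPLE = {"users": [{"name": SAMPLE_USER, "user": {"exec": {
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "args": ["--region", "ap-southeast-2", "eks", "get-token",
             "--cluster-name", "demo-cluster"],
    "command": "aws", "env": None, "provideClusterInfo": False}}}]}

if __name__ == "__main__":
    import json
    print(json.dumps(patch_kubeconfig(SAMPLE, SAMPLE_USER, "demo-profile"), indent=2))
```

Running it on an entry that has already been rewritten raises `ValueError`, so the script will not wrap `assume` around itself.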