EKS Dynamic Secrets
You can create a dynamic Amazon Elastic Kubernetes Service (EKS) secret to allow users to receive dynamic access tokens to an EKS cluster.
Prerequisites
-
An Akeyless Gateway.
-
AWS IAM principal (role or user).
To use a dynamic EKS secret, you need an IAM principal (e.g. IAM Role or IAM User) with the permissions to be given to users. That IAM principal will serve as the user for each individual connection, with access tokens that will last for 15 minutes.
The IAM principal must be part of the aws-auth
ConfigMap that is used for authorization to the K8s cluster (learn more about using the aws-auth ConfigMap). The K8s role to which the IAM principal in the aws-auth
ConfigMap is bound to will be the same K8s role that tokens generated by the Dynamic EKS secret will get.
The IAM principal must have at least the following role binding in the underlying Kubernetes RBAC:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: my-cluster-role-binding
subjects:
- kind: Group
name: my-group-name
apiGroup: rbac.authorization.k8s.io
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
For more information about Kubernetes RBAC, see the Kubernetes documentation.
Create a Dynamic EKS Secret from the CLI
Note
We recommend using dynamic secrets with Targets. While it saves time for multiple secret-level configurations by not requiring you to provide an inline connection string each time, it is also important for security streamlining. Using a target allows you to rotate credentials without breaking the credential chain for the objects connected to the server used, using inline will force you to go and change the credentials in each individual item instead of just the target.
To create a dynamic EKS secret from the CLI using an existing Target, run the following command:
akeyless dynamic-secret create eks \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--eks-assume-role <Role ARN>
Or using an inline connection string:
akeyless dynamic-secret create akeyless dynamic-secret get-valueeks \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--eks-assume-role <Role ARN> \
--eks-access-key-id <IAM user Access Key ID> \
--eks-secret-access-key <IAM user secret Access Key> \
--eks-region <EKS cluster region> \
--eks-cluster-name <EKS cluster Name> \
--eks-cluster-endpoint <EKS Cluster endpoint URL> \
--eks-cluster-ca-cert <Base64-encoded EKS cluster CA certificate>
Where:
-
name
: A unique name of the dynamic secret. The name can include the path to the virtual folder where you want to create the new dynamic secret, using slash/
separators. If the folder does not exist, it will be created together with the dynamic secret. -
target-name
: A name of the target that enables connection to the EKS cluster. The name can include the path to the virtual folder where this target resides. -
gateway-url
: Akeyless Gateway Configuration Manager URL (port8000
). -
eks-assume-role
: The role to assume when connecting to the EKS cluster with provided credentials.
Note
The eks-assume-role parameter is required when the
aws-auth
configmap is configured to allow the provided IAM user to connect through themapRoles
key.For more information, see the EKS guide on user roles.
Inline connection string
If you don't have a configured EKS Target yet, you can use the command with an inline connection string:
-
eks-access-key-id
: The access key ID of the IAM user to be used to connect to the EKS. -
eks-secret-access-key
: The secret access key of the IAM user. -
eks-region
: The region in which the EKS cluster resides. -
eks-cluster-name
: The name of the EKS cluster you want to connect to. -
eks-cluster-endpoint
: EKS Cluster endpoint URL. -
eks-cluster-ca-cert
: Base64-encoded EKS cluster CA certificate.
You can find the complete list of parameters for this command in the CLI Reference - Dynamic Secrets section.
Use the EKS Dynamic Secret with the Akeyless CLI
If the Akeyless CLI is installed on the same host as the kubectl
, you can define a kubeconfig
file to automatically run the get-dynamic-secret-value
command and fetch new access tokens as required.
You need to either download the kubeconfig
file directly from the Akeyless Console by selecting the Dynamic Secret item and copying the file from the Dynamic Secret Description, or generate the file manually as follows:
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: <base 64 encoding of the cluster's certificate>
server: <cluster DNS/IP address>
name: <cluster name>
contexts:
- context:
cluster: <cluster name>
user: <some user name>
name: <cluster context name>
current-context: <cluster context name>
kind: Config
preferences: {}
users:
- name: <some user name>
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- get-dynamic-secret-value
- --name
- <dynamic secret item name>
- --profile
- <some profile>
command: akeyless
interactiveMode: IfAvailable
For every new EKS cluster, you must update thekubeconfig
file accordingly.
When you run kubectl
, the Akeyless get-dynamic-secret-value
command will fetch a new access token for you.
For more information regarding kubectl
and the kubeconfig
file, see the kubectl installation manual.
Use a Dynamic EKS Secret with the Akeyless CLI running on a remote host
If the Akeyless CLI is installed on a different host as the kubectl
, you can get a service account token from Akeyless separately, and then manually update the kubeconfig
file that uses the token.
First, let's generate the kubeconfig file manually as described above, with the following change:
users:
- name: <some user name>
user:
token: < Dynamic Secret Value goes here >
To get the dynamic EKS secret value from the CLI, you should run the following command:
akeyless dynamic-secret get-value --name <Path to the dynamic secret>
Then on the kubeconfig you need to replace the <Dynamic Secret Value goes here >
with the response token exactly as you received it.
Updated 4 months ago