EKS Dynamic Secrets

You can create a dynamic Amazon EKS (Elastic Kubernetes Service) secret to let users receive dynamically generated access tokens for an EKS cluster.

Prerequisites

To use a dynamic EKS secret, your AWS administrator needs to create an IAM user with the permissions to be given to users. The IAM user itself serves as the identity for each individual connection, and the access tokens issued for it are valid for 15 minutes.

The IAM user must be mapped in the aws-auth configmap that EKS uses for cluster authorization. The role to which the user is attached in the aws-auth configmap is the same role whose permissions tokens generated by the dynamic EKS secret will have.

The IAM user must have at least the following role binding in the underlying Kubernetes RBAC:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-cluster-role-binding
subjects:
  - kind: Group
    name: my-group-name   # the group the IAM user is mapped to in aws-auth
    apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator

For more information about Kubernetes RBAC, see the Kubernetes documentation.

Create a Dynamic EKS Secret from the CLI

Tip

To set up a dynamic secret, you can either configure a connection to the target server first or provide all parameters of the target server in the secret creation command.

We recommend using dynamic secrets together with targets, which saves time on secret configuration. To enable this flow, ensure that the user responsible for creating dynamic secrets has permission to access or create targets.

To create a dynamic EKS secret from the CLI using the existing target, run the following command:

akeyless gateway-create-producer-eks \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL>:8000' \
--eks-assume-role <Role ARN>

Where:

  • name: A unique name of the dynamic secret. The name can include the path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  • target-name: A name of the target that enables connection to the EKS cluster. The name can include the path to the virtual folder where this target resides.

  • gateway-url: API Gateway URL.

  • eks-assume-role: The role to assume when connecting to the EKS cluster with provided credentials.

Note

The eks-assume-role parameter is required when the aws-auth configmap is configured to allow the provided IAM user to connect through the mapRoles key.

For more information, see the EKS guide on user roles.

If you don't have a configured EKS target yet, you can use the command with target server connection parameters:

akeyless gateway-create-producer-eks \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL>:8000' \
--eks-assume-role <Role ARN> \
--eks-access-key-id <IAM user Access Key ID> \
--eks-secret-access-key <IAM user secret Access Key> \
--eks-region <EKS cluster region> \
--eks-cluster-name <EKS cluster Name> \
--eks-cluster-endpoint <EKS Cluster endpoint URL> \
--eks-cluster-ca-cert <Base64-encoded EKS cluster CA certificate>

Where:

  • eks-access-key-id: The access key ID of the IAM user used to connect to the EKS cluster.

  • eks-secret-access-key: The secret access key of the IAM user.

  • eks-region: The region in which the EKS cluster resides.

  • eks-cluster-name: The name of the EKS cluster you want to connect to.

  • eks-cluster-endpoint: EKS Cluster endpoint URL.

  • eks-cluster-ca-cert: Base64-encoded EKS cluster CA certificate.

You can find the complete list of parameters for this command in the CLI Reference - Akeyless Producers section.

Use the EKS Dynamic Secret with the Akeyless CLI

If the Akeyless CLI is installed on the same host as kubectl, you can define a kubeconfig file that automatically runs the get-dynamic-secret-value command and fetches new access tokens as required.

You need to either download the kubeconfig file directly from the Akeyless Console by selecting the Dynamic Secret item and copying the file from the Dynamic Secret Description, or generate the file manually as follows:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base 64 encoding of the cluster's certificate>
    server: <cluster DNS/IP address>
  name: <cluster name>
contexts:
- context:
    cluster: <cluster name>
    user: <some user name>
  name: <cluster context name>
current-context: <cluster context name>
kind: Config
preferences: {}
users:
- name: <some user name>
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
        - get-dynamic-secret-value
        - --name
        - <dynamic secret item name>
        - --profile
        - <some profile>
      command: akeyless

For every new EKS cluster, you must update the kubeconfig file accordingly.

When you run kubectl ..., kubectl invokes the Akeyless get-dynamic-secret-value command, which fetches a new access token for you.

For more information regarding kubectl and the kubeconfig file, see the kubectl installation manual.

Use the EKS Dynamic Secret without the Akeyless CLI

If the Akeyless CLI is installed on a different host than kubectl, you can get a service account token from Akeyless separately, and then manually update the kubeconfig file to use that token.

First, generate the kubeconfig file manually as described above, replacing the users section with the following:

users:
- name: <some user name>
  user:
    token: < Dynamic Secret Value goes here >

To get the dynamic EKS secret value from the CLI, run the following command:

akeyless get-dynamic-secret-value --name <Path to the dynamic secret>

Then replace < Dynamic Secret Value goes here > with the response token exactly as you received it.
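The two kubeconfig variants above (exec plugin when the Akeyless CLI sits on the kubectl host, static token when it does not) rendered by one script, as an added example that is not Akeyless' own tooling. Cluster name, endpoint, CA data, secret path and profile name are placeholders supplied by the caller; the user name prefix akeyless- is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not Akeyless' own tooling: render a kubeconfig for a dynamic
# EKS secret, either with the exec plugin (Akeyless CLI on the kubectl host)
# or with a static token fetched on another host. Cluster values, the secret
# path and the profile name are placeholders supplied by the caller.
set -eu

# render_kubeconfig MODE CLUSTER ENDPOINT CA_B64 CREDENTIAL [PROFILE]
#   CREDENTIAL is the secret item path (MODE=exec) or the fetched token (MODE=token)
render_kubeconfig() {
  mode=$1; cluster=$2; endpoint=$3; ca_b64=$4; cred=$5; profile=${6:-default}
  cat <<EOF
apiVersion: v1
kind: Config
preferences: {}
clusters:
- name: ${cluster}
  cluster:
    server: ${endpoint}
    certificate-authority-data: ${ca_b64}
contexts:
- name: ${cluster}
  context:
    cluster: ${cluster}
    user: akeyless-${cluster}
current-context: ${cluster}
users:
- name: akeyless-${cluster}
  user:
EOF
  if [ "$mode" = exec ]; then
    cat <<EOF
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: akeyless
      args: [get-dynamic-secret-value, --name, "${cred}", --profile, "${profile}"]
EOF
  else
    printf '    token: %s\n' "$cred"   # a live 15-minute credential
  fi
}

# write_kubeconfig FILE MODE CLUSTER ENDPOINT CA_B64 CREDENTIAL [PROFILE]
# Writes the file owner-read-only, since a static token is a usable credential.
write_kubeconfig() {
  out=$1; shift
  ( umask 077; render_kubeconfig "$@" > "$out" )
  chmod 600 "$out"
}
```

For the token mode, pass the output of akeyless get-dynamic-secret-value as CREDENTIAL and regenerate the file once the 15-minute token expires.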

Tip

Working with dynamic secrets from the CLI is not the only available option.

To start working with dynamic secrets from the Akeyless Console, you need to configure the Gateway URL, which enables communication between the Akeyless SaaS and the Akeyless Gateway.

To create and fetch dynamic secrets directly from the Akeyless Gateway, you can use the Gateway Configuration Manager.
