EKS Dynamic Secrets

You can create a dynamic Amazon EKS (Elastic Kubernetes Service) secret to give users short-lived access tokens to an EKS cluster, generated on demand.

Prerequisites

To use a dynamic EKS secret, your AWS administrator needs to create an IAM user with the permissions to be given to users. The IAM user itself will serve as the user for each individual connection, with access tokens that will last for 15 minutes.

The IAM user must be part of the aws-auth configmap that is used for authorization to the K8s cluster. The role to which the service account is attached in the aws-auth configmap is the same role that tokens generated by the dynamic EKS secret will have.

The IAM user must have at least the following role binding in the underlying Kubernetes RBAC:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-cluster-role-binding
subjects:
  - kind: Group
    name: my-group-name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator

For more information about Kubernetes RBAC, see the Kubernetes documentation.

Create a Dynamic EKS Secret from the CLI


Tip

We recommend using dynamic secrets with Targets. A Target stores the connection details once, so you can configure secrets for different access levels without providing an inline connection string each time.

To create a dynamic EKS secret from the CLI using an existing Target, run the following command:

akeyless gateway-create-producer-eks \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL>:8000' \
--eks-assume-role <Role ARN>

Or using an inline connection string:

akeyless gateway-create-producer-eks \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL>:8000' \
--eks-assume-role <Role ARN> \
--eks-access-key-id <IAM user Access Key ID> \
--eks-secret-access-key <IAM user secret Access Key> \
--eks-region <EKS cluster region> \
--eks-cluster-name <EKS cluster Name> \
--eks-cluster-endpoint <EKS Cluster endpoint URL> \
--eks-cluster-ca-cert <Base64-encoded EKS cluster CA certificate>

Where:

  • name: A unique name of the dynamic secret. The name can include the path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  • target-name: A name of the target that enables connection to the EKS cluster. The name can include the path to the virtual folder where this target resides.

  • gateway-url: Akeyless Gateway URL.

  • eks-assume-role: The role to assume when connecting to the EKS cluster with provided credentials.


Note

The eks-assume-role parameter is required when the aws-auth configmap is configured to allow the provided IAM user to connect through the mapRoles key.

For more information, see the EKS guide on user roles.

Inline connection strings

If you don't have a configured EKS Target yet, you can run the command with an inline connection string, supplying the following parameters:

  • eks-access-key-id: The access key ID of the IAM user to be used to connect to the EKS.

  • eks-secret-access-key: The secret access key of the IAM user.

  • eks-region: The region in which the EKS cluster resides.

  • eks-cluster-name: The name of the EKS cluster you want to connect to.

  • eks-cluster-endpoint: EKS Cluster endpoint URL.

  • eks-cluster-ca-cert: Base64-encoded EKS cluster CA certificate.

You can find the complete list of parameters for this command in the CLI Reference - Akeyless Producers section.

Use the EKS Dynamic Secret with the Akeyless CLI

If the Akeyless CLI is installed on the same host as kubectl, you can define a kubeconfig file that automatically runs the get-dynamic-secret-value command and fetches a new access token whenever one is required.

You need to either download the kubeconfig file directly from the Akeyless Console by selecting the Dynamic Secret item and copying the file from the Dynamic Secret Description, or generate the file manually as follows:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base 64 encoding of the cluster's certificate>
    server: <cluster DNS/IP address>
  name: <cluster name>
contexts:
- context:
    cluster: <cluster name>
    user: <some user name>
  name: <cluster context name>
current-context: <cluster context name>
kind: Config
preferences: {}
users:
- name: <some user name>
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
        - get-dynamic-secret-value
        - --name
        - <dynamic secret item name>
        - --profile
        - <some profile>
      command: akeyless

For every new EKS cluster, you must update the kubeconfig file accordingly.

When you run kubectl ..., the Akeyless get-dynamic-secret-value command will fetch a new access token for you.

For more information regarding kubectl and the kubeconfig file, see the kubectl installation manual.

Use a Dynamic EKS Secret with the Akeyless CLI running on a remote host

If the Akeyless CLI is installed on a different host from kubectl, you can fetch a token from Akeyless separately and then manually update the kubeconfig file to use that token.

First, generate the kubeconfig file manually as described above, with the following change to the users section:

users:
- name: <some user name>
  user:
    token: < Dynamic Secret Value goes here >

To get the dynamic EKS secret value from the CLI, run the following command:

akeyless get-dynamic-secret-value --name <Path to the dynamic secret>

Then you need to replace < Dynamic Secret Value goes here > with the response token exactly as you received it.
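The remote-host flow above is a three-step manual procedure (render the kubeconfig, fetch the token, paste it in exactly). The following POSIX shell script is an added example, not part of the Akeyless documentation or CLI, that performs the substitution for you: render_kubeconfig prints a kubeconfig with the token in the static token field and refuses empty or whitespace-damaged tokens, and write_kubeconfig saves it with owner-only permissions because the file carries a bearer token. The function names, the placeholder cluster values and the example secret path are assumptions made for this example; the only real command it relies on is akeyless get-dynamic-secret-value, as shown on this page.

```shell
#!/bin/sh
# Added example (not Akeyless code): build a kubeconfig for the "remote host"
# flow, where the value returned by
#   akeyless get-dynamic-secret-value --name <Path to the dynamic secret>
# is placed in the static `token:` field instead of an exec plugin.
# Function names and sample values are illustrative assumptions.

# render_kubeconfig CLUSTER_NAME SERVER_URL CA_BASE64 USER_NAME TOKEN
# Prints a kubeconfig to stdout. Returns 1 when the token is empty or
# contains whitespace, which is the usual sign of a bad copy/paste; the
# token must be used exactly as received.
render_kubeconfig() {
    cluster="$1"; server="$2"; ca_b64="$3"; user="$4"; token="$5"
    if [ -z "$token" ]; then
        echo "render_kubeconfig: empty token" >&2
        return 1
    fi
    case "$token" in
        *[[:space:]]*)
            echo "render_kubeconfig: token contains whitespace; paste it exactly as received" >&2
            return 1 ;;
    esac
    cat <<EOF
apiVersion: v1
kind: Config
preferences: {}
clusters:
- name: ${cluster}
  cluster:
    certificate-authority-data: ${ca_b64}
    server: ${server}
contexts:
- name: ${cluster}-ctx
  context:
    cluster: ${cluster}
    user: ${user}
current-context: ${cluster}-ctx
users:
- name: ${user}
  user:
    token: ${token}
EOF
}

# write_kubeconfig OUT_PATH CLUSTER_NAME SERVER_URL CA_BASE64 USER_NAME TOKEN
# Writes the rendered kubeconfig with mode 0600. The file holds a bearer
# token that stays valid for the secret's lifetime (15 minutes per this
# page), so it must not be readable by other users on the host.
write_kubeconfig() {
    out="$1"; shift
    # umask in a subshell so the caller's umask is untouched
    ( umask 077; render_kubeconfig "$@" > "$out" ) || { rm -f "$out"; return 1; }
    chmod 600 "$out"
}

# Usage on a host that has the Akeyless CLI (values are placeholders):
#   TOKEN=$(akeyless get-dynamic-secret-value --name /eks/my-dynamic-secret)
#   write_kubeconfig ./eks.kubeconfig my-cluster \
#       https://EXAMPLE.eks.amazonaws.com "$CA_B64" akeyless-user "$TOKEN"
#   KUBECONFIG=./eks.kubeconfig kubectl get pods
```

Because the token expires after 15 minutes, rerun the fetch and write steps rather than reusing an old file; the whitespace check catches the common mistake of pasting a token with a trailing newline.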