EKS Dynamic Secrets

You can create an Amazon EKS (Elastic Kubernetes Service) dynamic secret producer to allow users to dynamically receive access tokens to an EKS cluster.


To use an EKS dynamic secret producer, your AWS administrator needs to create an IAM user with the permissions to be given to users. The IAM user itself will serve as the user for each individual connection, with access tokens that will last for 15 minutes.

The IAM user must be mapped in the aws-auth configmap that EKS uses for authorization to the Kubernetes cluster. Tokens issued by the EKS dynamic secret producer carry exactly the role that the aws-auth configmap maps to that IAM identity, so the mapping in aws-auth determines what holders of the dynamic secret can do.

The IAM user must have at least the following role binding in the underlying Kubernetes RBAC:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-cluster-role-binding
subjects:
  - kind: Group
    name: my-group-name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator

For more information about Kubernetes RBAC, see here.

Create an EKS Dynamic Secret Producer

  1. In the Akeyless Gateway, select Dynamic Secrets > New > Kubernetes Producer.

  2. Give the producer a name, and define where it should be saved.

  3. From the Kubernetes Engine dropdown list, select Amazon Elastic Kubernetes Service (EKS).

  4. Define the following parameters:

    • Access Key ID: The access key ID of the IAM user to be used to connect to the EKS.
    • Secret Access Key: The secret access key of the IAM user.
    • Region: The region on which the cluster resides.
    • EKS Cluster Name: The cluster name.
    • EKS Cluster URL Endpoint: The URL of the cluster.
    • EKS Cluster CA Certificate: A base64-encoded representation of the cluster CA certificate.
    • IAM Assume Role (optional): The role to assume when connecting with the provided credentials.


The IAM Assume Role is required when the aws-auth configmap is configured to allow the provided IAM user to connect through the mapRoles key.
For more information, see here.

Use an EKS Dynamic Secret with Akeyless CLI

The user needs kubectl installed locally on their machine. The Akeyless CLI is optional but preferable.

The user needs to either download the kubeconfig file directly from the Akeyless Console by selecting the Dynamic Secret item and copying the file from the Dynamic Secret Description, or generate the file manually as follows:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base 64 encoding of the cluster's certificate>
    server: <cluster DNS/IP address>
  name: <cluster name>
contexts:
- context:
    cluster: <cluster name>
    user: <some user name>
  name: <cluster context name>
current-context: <cluster context name>
kind: Config
preferences: {}
users:
- name: <some user name>
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
        - get-dynamic-secret-value
        - --name
        - <dynamic secret item name>
        - --profile
        - <some profile>
      command: akeyless

For every new EKS cluster, the user must update the kubeconfig file accordingly.

When the user runs any kubectl command, kubectl invokes the exec credential plugin, and the Akeyless get-dynamic-secret-value command fetches a fresh access token for them.

For more general information regarding kubectl and the kubeconfig file, see here.

Use an EKS Dynamic Secret without Akeyless CLI

The user needs to generate the kubeconfig file manually as described above, with the following change:

users:
- name: <some user name>
  user:
    token: < Dynamic Secret Value response goes here >

The user can get the dynamic secret value from the Akeyless Console by selecting the Dynamic Secret item and clicking Get Dynamic Secret. They will need to replace < Dynamic Secret Value response goes here > with the response token exactly as they received it.
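The following Python script is an added example and is not Akeyless's own code. It builds the kubeconfig described above in both forms (the exec plugin form that calls the Akeyless CLI, and the static token form for users without the CLI), and it checks the authorization chain from the earlier section: that the IAM identity used by the producer is mapped in aws-auth (through mapUsers, or mapRoles when an assume role is used) to a group that the ClusterRoleBinding actually binds. The cluster name, endpoint, CA data, secret path, profile, ARNs and the account ID 111122223333 are constructed placeholders; the aws-auth data is shown already parsed from the YAML strings the real configmap stores under data.mapUsers and data.mapRoles.

```python
import json

# Added example, not Akeyless's own code. Every concrete name below
# (cluster, endpoint, ARN, secret path, profile) is a constructed placeholder.

EXEC_API_VERSION = "client.authentication.k8s.io/v1alpha1"  # version used on the page


def build_kubeconfig(cluster_name, endpoint, ca_data, user_name, *,
                     secret_name=None, profile=None, token=None):
    """Build a kubeconfig document for an EKS dynamic secret.

    Exactly one of `secret_name` (kubectl calls the Akeyless CLI through the
    exec credential plugin) or `token` (a value copied from the Console, no
    CLI needed) must be given. Returns a plain dict; kubectl accepts it
    serialized as JSON, since YAML is a superset of JSON.
    """
    if (secret_name is None) == (token is None):
        raise ValueError("give exactly one of secret_name or token")
    if token is None:
        args = ["get-dynamic-secret-value", "--name", secret_name]
        if profile:
            args += ["--profile", profile]
        user = {"exec": {"apiVersion": EXEC_API_VERSION,
                         "command": "akeyless", "args": args}}
    else:
        user = {"token": token}
    context_name = f"{user_name}@{cluster_name}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": cluster_name,
                      "cluster": {"server": endpoint,
                                  "certificate-authority-data": ca_data}}],
        "contexts": [{"name": context_name,
                      "context": {"cluster": cluster_name, "user": user_name}}],
        "current-context": context_name,
        "users": [{"name": user_name, "user": user}],
    }


# Constructed aws-auth content as it looks after parsing the YAML strings
# stored under data.mapUsers / data.mapRoles. 111122223333 is a placeholder account.
AWS_AUTH = {
    "mapUsers": [
        {"userarn": "arn:aws:iam::111122223333:user/akeyless-eks-producer",
         "username": "akeyless-eks-producer",
         "groups": ["my-group-name"]},
    ],
    "mapRoles": [
        {"rolearn": "arn:aws:iam::111122223333:role/akeyless-eks-assume",
         "username": "akeyless-eks-producer",
         "groups": ["my-group-name"]},
    ],
}

# The ClusterRoleBinding from the page, as a parsed object.
CLUSTER_ROLE_BINDING = {
    "subjects": [{"kind": "Group", "name": "my-group-name",
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "ClusterRole", "name": "system:auth-delegator"},
}


def groups_for_identity(aws_auth, arn):
    """Kubernetes groups that aws-auth assigns to an IAM user or role ARN."""
    for entry in aws_auth.get("mapUsers", []) + aws_auth.get("mapRoles", []):
        if arn in (entry.get("userarn"), entry.get("rolearn")):
            return list(entry.get("groups", []))
    return []


def binding_covers(binding, groups):
    """True if the binding has a Group subject that is one of `groups`."""
    return any(s.get("kind") == "Group" and s.get("name") in groups
               for s in binding.get("subjects", []))


def check_chain(aws_auth, binding, arn):
    """Return (groups, ok): groups mapped for `arn` and whether the binding grants them."""
    groups = groups_for_identity(aws_auth, arn)
    return groups, binding_covers(binding, groups)


if __name__ == "__main__":
    cfg = build_kubeconfig("my-cluster",
                           "https://EXAMPLE.gr7.us-east-1.eks.amazonaws.com",  # placeholder endpoint
                           "QUJDREVG", "akeyless-eks-producer",
                           secret_name="/eks/my-cluster", profile="default")
    print(json.dumps(cfg, indent=2))
    print(check_chain(AWS_AUTH, CLUSTER_ROLE_BINDING,
                      "arn:aws:iam::111122223333:user/akeyless-eks-producer"))
```

Running the script prints the generated kubeconfig and the pair (['my-group-name'], True). An identity that aws-auth does not map yields ([], False), which is the symptom behind most "Unauthorized" responses after wiring up a producer: the token is valid, but nothing in aws-auth or RBAC grants it anything.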
