Vault auth to access AWS EKS

Is there a way to access AWS EKS using vault authentication?

What do you mean by “access AWS EKS”? EKS is a hosted Kubernetes service so are you asking if it is possible to use the Kubernetes authentication in Vault?

Thanks for responding! I mean access the k8s endpoint via kubectl using some kind of authentication from vault.

I might be wrong here, but ECS is the container service – no access to the namespaces and hence no Kubernetes auth, so you would need to use AppRole or another auth.

EKS should still be accessible, and you have admin access to your namespace, which means you should be able to set up an auth connection.

After some research, I found that I can use AWS Cognito as an OIDC provider to authenticate to the cluster.
Thank you, guys.

Hi, I manage this with Vault as well. I have created a role in AWS which has access to EKS, and this role can be granted by an AWS role created by Vault (with the aws engine).

# Read the AWS secrets engine once: every read of aws/creds/<role> issues a new lease,
# so the three fields are taken from a single response instead of separate reads.
creds="$(vault read -address="${VAULT_ADDR}" aws/creds/AWS_VAULT_ROLE)"
access_key="$(echo "${creds}" | awk '$1 == "access_key" {print $2}')"
secret_key="$(echo "${creds}" | awk '$1 == "secret_key" {print $2}')"
session_token="$(echo "${creds}" | awk '$1 == "security_token" {print $2}')"

# Store the short-lived STS credentials in a dedicated AWS CLI profile
aws configure set aws_access_key_id "${access_key}" --profile AWS_EKS
aws configure set aws_secret_access_key "${secret_key}" --profile AWS_EKS
aws configure set aws_session_token "${session_token}" --profile AWS_EKS

# Write the kubeconfig entry for the cluster and restrict the file to the owner
aws eks --region "${REGION}" update-kubeconfig --name AWS_EKS --alias AWS_EKS --profile AWS_EKS
chmod 600 "${KUBECONFIG}"

So any user who can generate credentials in the aws engine is going to have access to the EKS cluster. I manage the authentication in Vault with OIDC and Google G Suite.

Hi ichasco-heytrade, is there documentation or a tutorial I can follow for this? Did you use the Vault AWS secrets engine?

First create the AWS engine:

Then, map users in EKS (terraform example):

The role you mapped in EKS has to have permissions to be assumed by Vault's one.

When you have this, you can use the script from above.

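The three pieces the post above describes (the AWS role Vault assumes, the aws secrets engine role, and the EKS user mapping), written out as an added Terraform example; this is not the poster's own configuration. It assumes Vault runs under an IAM identity whose ARN is passed in as var.vault_principal_arn, that the EKS cluster already exists with the Kubernetes provider pointed at it, and that the account ID, region and the "eks-developers" RBAC group are placeholders.

```hcl
# IAM role that carries EKS access; only Vault's own principal may assume it
# (this is the trust the post says Vault's role needs).
resource "aws_iam_role" "eks_via_vault" {
  name                 = "eks-via-vault"
  max_session_duration = 3600
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = var.vault_principal_arn } # assumption: Vault's IAM ARN
      Action    = "sts:AssumeRole"
    }]
  })
}

# Least privilege: update-kubeconfig only needs DescribeCluster; get-token is STS-based.
resource "aws_iam_role_policy" "eks_describe" {
  role = aws_iam_role.eks_via_vault.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["eks:DescribeCluster"]
      Resource = "arn:aws:eks:REGION:123456789012:cluster/AWS_EKS" # placeholder ARN
    }]
  })
}

# Vault AWS secrets engine: hands out short-lived STS credentials for the role above.
resource "vault_aws_secret_backend" "aws" {
  path                      = "aws"
  default_lease_ttl_seconds = 900
  max_lease_ttl_seconds     = 3600
}

resource "vault_aws_secret_backend_role" "eks" {
  backend         = vault_aws_secret_backend.aws.path
  name            = "AWS_VAULT_ROLE" # matches aws/creds/AWS_VAULT_ROLE in the script
  credential_type = "assumed_role"
  role_arns       = [aws_iam_role.eks_via_vault.arn]
  default_sts_ttl = 900
  max_sts_ttl     = 3600
}

# Map the assumed role into EKS via aws-auth, to a plain group rather than system:masters;
# bind "eks-developers" with RBAC separately so cluster rights stay scoped.
resource "kubernetes_config_map_v1_data" "aws_auth" {
  metadata {
    name      = "aws-auth"
    namespace = "kube-system"
  }
  data = {
    mapRoles = yamlencode([{
      rolearn  = aws_iam_role.eks_via_vault.arn
      username = "vault:{{SessionName}}" # keeps the Vault lease visible in audit logs
      groups   = ["eks-developers"]
    }])
  }
  force = true
}
```

Because Vault mints a fresh STS session per lease and the session name lands in the Kubernetes username, each kubectl call can be traced back to a specific Vault lease, and revoking the lease cuts cluster access without touching aws-auth.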