AWS IAM Authenticator enables Kubernetes clusters on AWS to authenticate users using AWS IAM credentials.
A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster
Administrators running Kubernetes clusters on AWS use this tool mainly to unify cluster access management with their existing AWS IAM credentials, which removes the need to issue separate Kubernetes credentials. It is also useful to developers building Kubernetes installers on AWS, since it simplifies the bootstrap process and securely manages initial cluster admin access.
Create dedicated IAM roles for Kubernetes users so that access control stays explicit and auditable. Pre-generating certificates and kubeconfig files streamlines automated cluster provisioning. Running the Authenticator as a DaemonSet with host networking gives the Kubernetes API server a reliable local path to it. Authenticating to Kubernetes with AWS IAM also inherits existing AWS security features such as MFA and CloudTrail logging.
Create one or more IAM roles in AWS to identify Kubernetes users
Run the AWS IAM Authenticator server as a DaemonSet on master nodes
Configure the Kubernetes API server to communicate with the Authenticator
Set up kubectl to use Authenticator tokens for authentication
aws iam create-role --role-name KubernetesAdmin --description "Kubernetes administrator role (for AWS IAM Authenticator for Kubernetes)." --assume-role-policy-document "$POLICY" --output text --query 'Role.Arn'
Creates an IAM role named KubernetesAdmin for use with AWS IAM Authenticator.
aws-iam-authenticator init
Pre-generates certificate, key, and kubeconfig files for the Authenticator server to facilitate automated installation.
Run the Authenticator server as a DaemonSet with host networking on master nodes
Deploys the Authenticator server to handle authentication requests locally on each master node.
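The steps above leave two pieces unstated: the trust policy that the create-role command reads from $POLICY, and the kubectl user entry that invokes the Authenticator. The script below is an added example, not code from the aws-iam-authenticator project; it builds both. The MFA condition in the trust policy is my assumption about how a defender would scope the role, the account ID, cluster ID and role ARN are constructed placeholders, and the exec entry uses the Authenticator's token subcommand flags (-i cluster ID, -r role ARN) that are not shown on this page.

```shell
#!/bin/sh
# Added example (not from the aws-iam-authenticator project): generate the
# assume-role trust policy fed to `aws iam create-role` via $POLICY, and the
# matching kubectl user entry. All IDs and ARNs below are constructed.

# Trust policy that lets principals in ACCOUNT_ID assume the KubernetesAdmin
# role only when they authenticated with MFA (assumption: MFA enforced at the
# role boundary so CloudTrail records an MFA-backed AssumeRole).
make_trust_policy() {
    account_id="$1"
    case "$account_id" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "invalid AWS account id: $account_id" >&2; return 1 ;;
    esac
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },
      "Action": "sts:AssumeRole",
      "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
    }
  ]
}
EOF
}

# kubeconfig user entry: kubectl runs aws-iam-authenticator to mint a token
# scoped to CLUSTER_ID after assuming ROLE_ARN, so no static Kubernetes
# credential is ever written to disk.
make_kubeconfig_user() {
    cluster_id="$1"; role_arn="$2"
    cat <<EOF
users:
- name: kubernetes-admin
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws-iam-authenticator
      args: ["token", "-i", "${cluster_id}", "-r", "${role_arn}"]
EOF
}

# Usage: POLICY="$(make_trust_policy 123456789012)" before the page's
# create-role command; then pass the returned Role.Arn to
# make_kubeconfig_user my-cluster "arn:aws:iam::123456789012:role/KubernetesAdmin"
```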