John Ajera

Posted on Mar 21

Accessing Amazon EKS from a Jumphost using Access Entries

#eks #kubectl #iam #terraform

🔐 How to Access Amazon EKS from a Jumphost (Modern Access Entries Method)

Amazon EKS Access Entries let you assign Kubernetes API permissions to IAM identities without modifying the legacy aws-auth ConfigMap. This guide shows how to set up a jumphost for kubectl access using read-only or admin-view permissions — the modern, secure, and auditable way.

🚀 Overview: What Needs to Be Done

Step	Description
✅ Install tools	Make sure AWS CLI and `kubectl` are available
✅ IAM setup	Grant the jumphost's IAM role minimum required permissions
✅ EKS Access Entry	Attach Kubernetes-level access policies like `AmazonEKSViewPolicy`
✅ Configure kubeconfig	Use AWS CLI to connect `kubectl` to the cluster

📦 Step 1: Install AWS CLI and kubectl

✅ AWS CLI

Pre-installed on Amazon Linux 2 and Amazon Linux 2023
AWS CLI v2 is required for aws eks update-kubeconfig
For others: Install AWS CLI

aws --version

✅ kubectl

Must match your EKS version
Install kubectl

kubectl version --client

🔐 Step 2: IAM Policy for Jumphost Role

The jumphost typically assumes an IAM role automatically if it's an EC2 instance using an instance profile. For non-EC2 environments, the IAM role can be assumed via aws sts assume-role or temporary credentials.

The following permissions allow the role to fetch cluster metadata and authenticate:

data "aws_iam_role" "jumphost" {
  name = var.jumphost_role_name
}

data "aws_region" "current" {}

data "aws_caller_identity" "current" {}

resource "aws_iam_policy" "eks_describe_cluster" {
  name = "EKSDescribeCluster"
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Sid    = "DescribeClusterAccess",
        Effect = "Allow",
        Action = ["eks:DescribeCluster"],
        Resource = "arn:aws:eks:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:cluster/${var.cluster_name}"
      },
      {
        Sid    = "ListAssociatedAccessPolicies",
        Effect = "Allow",
        Action = ["eks:ListAssociatedAccessPolicies"],
        Resource = "*"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "jumphost_describe_cluster" {
  role       = data.aws_iam_role.jumphost.name
  policy_arn = aws_iam_policy.eks_describe_cluster.arn
}

This is required to use aws eks update-kubeconfig and mandatory when using access policies like AmazonEKSAdminViewPolicy.

🔧 Step 3: Grant EKS Access via Terraform

EKS Access Entries work without the legacy aws-auth ConfigMap. You no longer need to manage Kubernetes RBAC manually — AWS manages it through access policies.

Use EKS Access Entries and associate them with AWS-managed access policies:

resource "aws_eks_access_entry" "jumphost" {
  cluster_name  = var.eks_cluster_name
  principal_arn = "arn:aws:iam::${var.account_id}:role/${var.jumphost_role_name}"
}

resource "aws_eks_access_policy_association" "view" {
  cluster_name  = var.eks_cluster_name
  principal_arn = aws_eks_access_entry.jumphost.principal_arn
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
}

resource "aws_eks_access_policy_association" "admin_view" {
  cluster_name  = var.eks_cluster_name
  principal_arn = aws_eks_access_entry.jumphost.principal_arn
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminViewPolicy"
}

You need both the EKS access policy and the IAM permissions to make this work.

🧪 Step 4: Verify Access from the Jumphost

🔍 1. Check access association

aws eks list-associated-access-policies \
  --cluster-name <cluster-name> \
  --principal-arn arn:aws:iam::<account-id>:role/<jumphost-role>

You should see AmazonEKSViewPolicy or AmazonEKSAdminViewPolicy.

🔧 2. Update kubeconfig

aws eks update-kubeconfig --region <region> --name <cluster-name>

✅ 3. Test read-only `kubectl` access

kubectl get nodes
kubectl get pods -A
kubectl get svc -A
kubectl get events -A
kubectl get deployments -A

✅ Summary

🛠 Tools: AWS CLI + kubectl installed
🔐 IAM Permissions: eks:DescribeCluster, eks:ListAssociatedAccessPolicies
📜 EKS Access Entries: Associated with AmazonEKSViewPolicy or AmazonEKSAdminViewPolicy
⚙️ Tested: Via aws eks update-kubeconfig + kubectl get commands

This approach is clean, auditable, and fully compatible with Terraform. Ditch the manual aws-auth edits — use EKS Access Entries instead. ✅

Built for developers, by developers.

Whether you're building a simple prototype or a business-critical product, Heroku's fully-managed platform gives you the simplest path to delivering apps quickly — using the tools and languages you already love!

Learn More

DEV Community

Accessing Amazon EKS from a Jumphost using Access Entries

🔐 How to Access Amazon EKS from a Jumphost (Modern Access Entries Method)

🚀 Overview: What Needs to Be Done

📦 Step 1: Install AWS CLI and kubectl

✅ AWS CLI

✅ kubectl

🔐 Step 2: IAM Policy for Jumphost Role

🔧 Step 3: Grant EKS Access via Terraform

🧪 Step 4: Verify Access from the Jumphost

🔍 1. Check access association

🔧 2. Update kubeconfig

✅ 3. Test read-only `kubectl` access

✅ Summary

Built for developers, by developers.

Top comments (0)

A Workflow Copilot. Tailored to You.

Okay

🔐 How to Access Amazon EKS from a Jumphost (Modern Access Entries Method)

🚀 Overview: What Needs to Be Done

📦 Step 1: Install AWS CLI and kubectl

✅ AWS CLI

✅ kubectl

🔐 Step 2: IAM Policy for Jumphost Role

🔧 Step 3: Grant EKS Access via Terraform

🧪 Step 4: Verify Access from the Jumphost

🔍 1. Check access association

🔧 2. Update kubeconfig

✅ 3. Test read-only kubectl access

✅ Summary

Built for developers, by developers.

A Workflow Copilot. Tailored to You.

Okay

✅ 3. Test read-only `kubectl` access