How to Access Amazon EKS from a Jumphost (Modern Access Entries Method)
Amazon EKS Access Entries let you assign Kubernetes API permissions to IAM identities without modifying the legacy `aws-auth` ConfigMap. This guide shows how to set up a jumphost for `kubectl` access using read-only or admin-view permissions, which is the modern, secure, and auditable way.
Overview: What Needs to Be Done

| Step | Description |
|---|---|
| 1. Install tools | Make sure AWS CLI and kubectl are available |
| 2. IAM setup | Grant the jumphost's IAM role the minimum required permissions |
| 3. EKS Access Entry | Attach Kubernetes-level access policies such as AmazonEKSViewPolicy |
| 4. Configure kubeconfig | Use the AWS CLI to connect kubectl to the cluster |
Step 1: Install AWS CLI and kubectl
AWS CLI
- Pre-installed on Amazon Linux 2 and Amazon Linux 2023
- AWS CLI v2 is required for `aws eks update-kubeconfig`
- For other systems, install the AWS CLI, then confirm the version:
```bash
aws --version
```
kubectl
- Must match your EKS version
- Install kubectl, then check the client version:
```bash
kubectl version --client
```
Step 2: IAM Policy for Jumphost Role
The jumphost typically assumes an IAM role automatically if it is an EC2 instance with an instance profile. For non-EC2 environments, the IAM role can be assumed via `aws sts assume-role` or temporary credentials.
The following permissions allow the role to fetch cluster metadata and authenticate:
```hcl
# Look up the jumphost role plus the current region and account so the cluster
# ARN can be built without hard-coding identifiers.
data "aws_iam_role" "jumphost" {
  name = var.jumphost_role_name
}

data "aws_region" "current" {}

data "aws_caller_identity" "current" {}

resource "aws_iam_policy" "eks_describe_cluster" {
  name = "EKSDescribeCluster"
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        # Lets `aws eks update-kubeconfig` fetch the endpoint and CA of this one cluster only.
        Sid      = "DescribeClusterAccess",
        Effect   = "Allow",
        Action   = ["eks:DescribeCluster"],
        Resource = "arn:aws:eks:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:cluster/${var.cluster_name}"
      },
      {
        # Lets the role list the access policies associated with its own access entry.
        Sid      = "ListAssociatedAccessPolicies",
        Effect   = "Allow",
        Action   = ["eks:ListAssociatedAccessPolicies"],
        Resource = "*"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "jumphost_describe_cluster" {
  role       = data.aws_iam_role.jumphost.name
  policy_arn = aws_iam_policy.eks_describe_cluster.arn
}
```
This is required to use `aws eks update-kubeconfig` and mandatory when using access policies like `AmazonEKSAdminViewPolicy`.
Step 3: Grant EKS Access via Terraform
EKS Access Entries work without the legacy `aws-auth` ConfigMap. You no longer need to manage Kubernetes RBAC manually; AWS manages it through access policies.
Use EKS Access Entries and associate them with AWS-managed access policies:
```hcl
# The access entry registers the jumphost role as a principal on the cluster.
resource "aws_eks_access_entry" "jumphost" {
  cluster_name  = var.cluster_name
  # The same role the Step 2 IAM policy is attached to.
  principal_arn = data.aws_iam_role.jumphost.arn
}

# Read-only view of most Kubernetes resources.
resource "aws_eks_access_policy_association" "view" {
  cluster_name  = var.cluster_name
  principal_arn = aws_eks_access_entry.jumphost.principal_arn
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"

  # access_scope is a required block; "cluster" applies the policy cluster-wide.
  access_scope {
    type = "cluster"
  }
}

# Broader read-only view (includes resources AmazonEKSViewPolicy hides, such as Secrets).
resource "aws_eks_access_policy_association" "admin_view" {
  cluster_name  = var.cluster_name
  principal_arn = aws_eks_access_entry.jumphost.principal_arn
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminViewPolicy"

  access_scope {
    type = "cluster"
  }
}
```
You need both the EKS access policy and the IAM permissions to make this work.
Step 4: Verify Access from the Jumphost
1. Check access association
```bash
aws eks list-associated-access-policies \
  --cluster-name <cluster-name> \
  --principal-arn arn:aws:iam::<account-id>:role/<jumphost-role>
```
You should see `AmazonEKSViewPolicy` or `AmazonEKSAdminViewPolicy`.
2. Update kubeconfig
```bash
aws eks update-kubeconfig --region <region> --name <cluster-name>
```
3. Test read-only kubectl access
```bash
kubectl get nodes
kubectl get pods -A
kubectl get svc -A
kubectl get events -A
kubectl get deployments -A
```
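Eyeballing the output of check 1 is easy to get wrong on a busy cluster, so here is an added Python script (not part of the original post) that parses the JSON from `aws eks list-associated-access-policies --output json` and reports anything other than the two read-only policies, a namespace-limited scope, or a missing association. The cluster name, account ID, role name and sample JSON are constructed for the demo; the field names follow the ListAssociatedAccessPolicies API response.

```python
"""Least-privilege audit of the EKS access policies attached to a jumphost role.

Real run (principal ARN as argv[1], CLI JSON on stdin):
    aws eks list-associated-access-policies --cluster-name <cluster-name> \
        --principal-arn arn:aws:iam::<account-id>:role/<jumphost-role> --output json \
        | python audit_access_policies.py arn:aws:iam::<account-id>:role/<jumphost-role>
"""
import json
import sys

# The two AWS-managed read-only policies the guide associates with the jumphost.
READ_ONLY_POLICIES = {
    "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy",
    "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminViewPolicy",
}


def audit_access_policies(listing: dict, expected_principal: str) -> list:
    """Return a list of findings; an empty list means the association matches the guide's intent."""
    findings = []
    if listing.get("principalArn") != expected_principal:
        findings.append(f"principal mismatch: got {listing.get('principalArn')!r}")

    policies = listing.get("associatedAccessPolicies", [])
    if not policies:
        findings.append("no access policies associated; kubectl requests will be forbidden")

    for assoc in policies:
        arn = assoc.get("policyArn", "")
        scope = assoc.get("accessScope", {})
        if arn not in READ_ONLY_POLICIES:
            # Any other policy (for example AmazonEKSClusterAdminPolicy) is more than read-only.
            findings.append(f"non-read-only policy associated: {arn}")
        if scope.get("type") != "cluster":
            # Namespace scope is valid, but then `kubectl get ... -A` from Step 4.3 is denied.
            findings.append(f"{arn} is scoped to namespaces {scope.get('namespaces')}, not the whole cluster")
    return findings


# Constructed sample data (hypothetical account, cluster and role; not from a real environment).
JUMPHOST_ARN = "arn:aws:iam::123456789012:role/jumphost-role"

SAMPLE_OK = {
    "clusterName": "demo-cluster",
    "principalArn": JUMPHOST_ARN,
    "associatedAccessPolicies": [
        {
            "policyArn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy",
            "accessScope": {"type": "cluster", "namespaces": []},
            "associatedAt": "2024-01-01T00:00:00+00:00",
            "modifiedAt": "2024-01-01T00:00:00+00:00",
        }
    ],
}

# Same principal, but someone associated the cluster-admin policy as well.
SAMPLE_OVERBROAD = {
    "clusterName": "demo-cluster",
    "principalArn": JUMPHOST_ARN,
    "associatedAccessPolicies": [
        SAMPLE_OK["associatedAccessPolicies"][0],
        {
            "policyArn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy",
            "accessScope": {"type": "cluster", "namespaces": []},
            "associatedAt": "2024-01-02T00:00:00+00:00",
            "modifiedAt": "2024-01-02T00:00:00+00:00",
        },
    ],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run: audit the CLI output piped on stdin
        results = audit_access_policies(json.load(sys.stdin), sys.argv[1])
    else:                  # demo run on the constructed over-broad sample
        results = audit_access_policies(SAMPLE_OVERBROAD, JUMPHOST_ARN)
    print("\n".join(results) if results else "OK: only read-only, cluster-wide policies")
    sys.exit(1 if results else 0)
```

A non-zero exit makes the script usable as a gate in the pipeline that applies the Terraform. Keep in mind that AmazonEKSAdminViewPolicy can read Secrets while AmazonEKSViewPolicy cannot, so associate only the View policy unless the jumphost really needs that. Once the kubeconfig is in place, `kubectl auth can-i create pods -A` should answer `no` for a read-only entry, which is a quick complement to the `kubectl get` tests above.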
Summary
- Tools: AWS CLI + kubectl installed
- IAM Permissions: `eks:DescribeCluster`, `eks:ListAssociatedAccessPolicies`
- EKS Access Entries: associated with `AmazonEKSViewPolicy` or `AmazonEKSAdminViewPolicy`
- Tested: via `aws eks update-kubeconfig` + `kubectl get` commands
This approach is clean, auditable, and fully compatible with Terraform. Ditch the manual `aws-auth` edits and use EKS Access Entries instead.