Integrate with EKS

Create an integration to manage access to a Kubernetes cluster on AWS

With Elastic Kubernetes Service (EKS) on AWS, EKS simplifies the management complexities of Kubernetes.

Through this integration, Apono helps you securely manage access to your AWS Elastic Kubernetes cluster.

Prerequisites

Item

Description

Apono Connector

Apono Premium

Cluster Admin Access

EKS Cluster Name

AWS SSO | SAML Federation

Authentication for requester Security Assertion Markup Language (SAML) federation for authentication can be provided by providers such as Okta, Onelogin, Jumpcloud, and Ping Identity.

Configure user authentication

Authentication can be completed with an Identity and Access Management IAM user or an IAM role. To grant a user access to an EKS cluster, the IAM user or IAM role must be mapped with a specific user identifier, such as an email address.Apono supports this mapping with an IAM role through AWS SSO or SAML federation from any identity provider (IdP).

Create a new policy

Follow these steps to create a new policy:

Under Access management on the Identity and Access Management (IAM) page in AWS, click Policies > Create policy. The Specify permission page appears.
Click JSON.

Replace the default policy with the following policy. Be sure to replace the placeholder.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "eks:DescribeCluster",
            "Resource": "arn:aws:eks:*:<AWS_ACCOUNT_ID>:cluster/*"
        }
    ]
}

Placeholder

Description

<AWS_ACCOUNT_ID>

AWS account ID where the EKS is hosted

Click Next. The Review and create page appears.
Enter a Policy name. This name is used to identify this policy.
Click Create policy.

Create the IAM role

Follow these steps to create the IAM role:

Under Access management on the Identity and Access Management (IAM) page in AWS, click Roles > Create role. The Select trusted entity page appears.
Under Trusted entity type, select Custom trust policy.
Under Custom trust policy, replace the default policy with one of the following trust policies. Be sure to replace the placeholders.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "sts:RoleSessionName": "${SAML:sub}"
                },
                "ArnLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*",
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*"
                    ]
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:saml-provider/<SAML_PROVIDER>"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                }
            }
        }
    ]
}

Placeholder

Description

<AWS_ACCOUNT_ID>

AWS account ID where the EKS is hosted

<SAML_PROVIDER>

Identity provider name

Click Next. The Add permissions page appears.
Under Permissions policies, select the newly created policy.
Click Next. The Name, review, and create page appears.
For the Role name, enter apono-k8s-access.
For the Description, enter required for k8s access managed by Apono.
Click Create role.

If an Overly permission trust policy popup window appears, click Continue.

Authenticate the EKS cluster

Now that the IAM role has been created, you must authenticate the EKS cluster with the ConfigMap or EKS API.

Read Apply the aws-auth ConfigMap to your cluster to learn more about editing the aws-auth ConfigMap.

Follow these steps to authenticate the cluster:

Log into the EKS cluster with a user account that has the cluster admin permission.
Edit the aws-auth ConfigMap to include the following mapRoles entry. Be sure to replace the placeholder.
```
- rolearn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access
  username: "{{SessionNameRaw}}"
```
Placeholder
Description
<AWS_ACCOUNT_ID>
AWS account ID where the EKS is hosted

Follow these steps to authenticate the cluster:

Change the authentication mode to EKS API.
Create the access entry:
- For the IAM principal, enter arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access.
- For the Username use apono:{{SessionName}}.
- Choose Cluster as the access scope.

Now, you can integrate with EKS.

Integrate with Elastic Kubernetes Service (EKS)

You can also use the steps below to integrate with Apono using Terraform.

In step 11, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

On the Catalog tab, click Elastic Kubernetes Service (EKS). The Connect Integration page appears.
Under Discovery, click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.

Click Next. The Apono connector section appears.
From the dropdown menu, select a connector.

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono Connector for Kubernetes on an EKS cluster.

Click Next. The Integration Config section expands.
Define the Integration Config settings.

When the Apono connector is installed on the EKS cluster, you do not need to enter values for the other optional fields.

Setting

Description

Integration Name

Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow

Server URL

(Optional) URL of the Kubernetes API server used to interact with the Kubernetes cluster

Certification Authority

(Optional) Certificate that ensures that the Kubernetes API server is trusted and authentic Leave this field empty if you want to connect the cluster where the connector is deployed.

EKS Cluster Name

Unique name of the cluster to integrate

AWS Role Name

(Optional) Role defined for the connector

Region

(Optional) Location where the AWS Elastic Kubernetes cluster is deployed

Click Next. The Secret Store section expands.

When the Apono connector is installed on the EKS cluster, you do not need to provide a secret.

(Optional) Associate the secret or credentials.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.\
Setting
Description
Credential Rotation
User cleanup after access is revoked (in days)
(Optional) Defines the number of days after access has been revoked that the user should be deleted
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.

💡Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.
Click to copy the code.
Make any additional edits.
Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to your Elastic Kubernetes Service cluster.

Log in to EKS with Apono access details

After a user gains access to an EKS resource, the user must authenticate with the cluster. The user must assume the apono-k8s-access role.

The following table shows two approaches to assume this role.

Approach

Details

AWS CLI

In the AWS CLI, run the aws sts assume-role command. Be sure to replace the placeholders.

aws sts assume-role \
  --role-arn arn:aws:iam::<ACCOUNT_ID>:role/apono-k8s-access \
  --role-session-name <EMAIL> \
  --duration-seconds 3600

Config File

Edit ~/.aws/config to contain the following profile. Be sure to replace the placeholders.

[profile apono-k8s-access]
role_arn = arn:aws:iam::<ACCOUNT_ID>:role/apono-k8s-access
role_session_name = <EMAIL>
source_profile = default

Placeholder

Description

<AWS_ACCOUNT_ID>

AWS account ID where the EKS is hosted

<EMAIL>

User email listed in the IdP

PreviousAWS RDS MySQL NextAWS Lambda Custom Integration

Last updated 1 day ago

Was this helpful?