# Integrate with EKS

Amazon Elastic Kubernetes Service (EKS) is the managed Kubernetes offering on AWS; it removes much of the operational complexity of running a Kubernetes control plane.

Through this integration, Apono helps you securely manage access to your EKS clusters: users assume a dedicated IAM role, the cluster maps that role session to a per-user Kubernetes identity, and Apono grants and revokes Kubernetes permissions for that identity through access flows.

***

### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

<table data-header-hidden><thead><tr><th width="216"></th><th></th></tr></thead><tbody><tr><td>Item</td><td>Description</td></tr><tr><td><strong>Apono Connector</strong></td><td><a href="../../kubernetes-environment/apono-connector-for-kubernetes">Connector</a> installed on the EKS cluster that serves as a bridge between the cluster and Apono</td></tr><tr><td><strong>Apono Premium</strong></td><td><a href="https://www.apono.io/pricing/">Apono plan</a> providing all available features and dedicated account support</td></tr><tr><td><strong>Cluster Admin Access</strong></td><td>Admin access to the cluster to integrate. This can be the built-in <a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles">cluster-admin</a> role or an equivalent permission level; it is needed only by the person performing the setup steps below (editing <code>aws-auth</code> or creating an access entry). Apono itself does not require admin permissions to the Kubernetes environment.</td></tr><tr><td><strong>EKS Cluster Name</strong></td><td>Unique <a href="https://docs.aws.amazon.com/cli/latest/reference/eks/list-clusters.html">name of the cluster</a> to integrate</td></tr><tr><td><strong>AWS SSO | SAML Federation</strong></td><td>Authentication for the requester. Security Assertion Markup Language (SAML) federation can be provided by identity providers such as Okta, OneLogin, JumpCloud, and Ping Identity.</td></tr></tbody></table>


***

### Configure user authentication <a href="#configure-user-authentication" id="configure-user-authentication"></a>

Authentication can use an Identity and Access Management (IAM) user or an IAM role. To grant a user access to an EKS cluster, the IAM principal must be mapped to a specific user identifier, such as an email address, so that the Kubernetes username identifies the person rather than the shared role. Apono supports this mapping with an IAM role that is assumed through AWS SSO (IAM Identity Center) or SAML federation from any identity provider (IdP): the role session name carries the user identifier, and the trust policy below ties that session name to the identity the IdP asserted.

#### Create a new policy

Follow these steps to create a new policy:

1. Under **Access management** on the [**Identity and Access Management (IAM)**](http://console.aws.amazon.com/iam/home) page in AWS, click **Policies > Create policy**. The **Specify permission** page appears.
2. Click **JSON**.
3. Replace the default policy with the following policy. Be sure to replace the placeholder. This is the only AWS permission the role needs: `eks:DescribeCluster` is what `aws eks update-kubeconfig` calls to fetch the cluster endpoint and certificate authority, while permissions inside the cluster are granted later by Apono. Narrow `Resource` to a single region and cluster name if the role should only be usable with that cluster.

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": "eks:DescribeCluster",
               "Resource": "arn:aws:eks:*:<AWS_ACCOUNT_ID>:cluster/*"
           }
       ]
   }
   ```

   <table><thead><tr><th width="218">Placeholder</th><th>Description</th></tr></thead><tbody><tr><td><strong>&#x3C;AWS_ACCOUNT_ID></strong></td><td>AWS account ID where the EKS is hosted</td></tr></tbody></table>
4. Click **Next**. The **Review and create** page appears.
5. Enter a **Policy name**. This name is used to identify this policy.
6. Click **Create policy**.


#### Create the IAM role

Follow these steps to create the IAM role:

1. Under **Access management** on the [**Identity and Access Management (IAM)**](http://console.aws.amazon.com/iam/home) page in AWS, click **Roles > Create role**. The **Select trusted entity** page appears.
2. Under **Trusted entity type**, select **Custom trust policy**.
3. Under **Custom trust policy**, replace the default policy with one of the following trust policies. Be sure to replace the placeholders. In the AWS SSO variant the caller supplies the session name, and the `sts:RoleSessionName` condition forces it to equal the caller's SAML subject. In the SAML variant the session name is taken from the `RoleSessionName` attribute of the SAML assertion, so it is the IdP, not the user, that sets the identifier.

{% tabs %}
{% tab title="AWS SSO" %}
{% code overflow="wrap" %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "sts:RoleSessionName": "${SAML:sub}"
                },
                "ArnLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*",
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*"
                    ]
                }
            }
        }
    ]
}
```

{% endcode %}
{% endtab %}

{% tab title="SAML" %}
{% code overflow="wrap" %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:saml-provider/<SAML_PROVIDER>"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                }
            }
        }
    ]
}
```

{% endcode %}
{% endtab %}
{% endtabs %}

<table><thead><tr><th width="219">Placeholder</th><th>Description</th></tr></thead><tbody><tr><td><strong>&#x3C;AWS_ACCOUNT_ID></strong></td><td>AWS account ID where the EKS is hosted</td></tr><tr><td><strong>&#x3C;SAML_PROVIDER></strong></td><td>Identity provider name</td></tr></tbody></table>

4. Click **Next**. The **Add permissions** page appears.
5. Under **Permissions policies**, select the newly created policy.
6. Click **Next**. The **Name, review, and create** page appears.
7. For the **Role name**, enter *apono-k8s-access*.
8. For the **Description**, enter *required for k8s access managed by Apono*.
9. Click **Create role.**

{% hint style="info" %}
If an **Overly permissive trust policy** warning appears, click **Continue**. The warning is triggered by `"Principal": {"AWS": "*"}` in the AWS SSO trust policy. The `aws:PrincipalArn` condition narrows that principal to Identity Center permission-set roles in your own account, and the `sts:RoleSessionName` condition binds the session name, which becomes the Kubernetes username, to the caller's SAML subject, so a user cannot assume the role under another user's email address.
{% endhint %}
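To see what the AWS SSO trust policy above actually admits, here is an added example that simulates its evaluation. It is not Apono's or AWS's code: it re-implements only the two conditions of that policy (`ArnLike` on `aws:PrincipalArn` and `StringEqualsIgnoreCase` of `sts:RoleSessionName` against `${SAML:sub}`) and runs four constructed `AssumeRole` attempts through them. The account ID, role names and email addresses are constructed test data, and the `arn_like` matcher is an approximation of IAM's operator, not IAM's evaluator.

```python
"""Simulated evaluation of the 'AWS SSO' trust policy for apono-k8s-access.

Added example, not Apono's or AWS's code. Only the policy's two conditions are
modelled; IAM's real evaluator has more rules. All identifiers are constructed.
"""
import re
from typing import Dict, Optional, Tuple

ACCOUNT_ID = "111122223333"  # constructed value for the <AWS_ACCOUNT_ID> placeholder

# The two aws:PrincipalArn patterns from the trust policy. The second covers
# IAM Identity Center permission-set roles whose path carries a region.
ALLOWED_PRINCIPAL_PATTERNS = [
    f"arn:aws:iam::{ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*",
    f"arn:aws:iam::{ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*",
]


def arn_like(pattern: str, arn: str) -> bool:
    """Approximation (an assumption of this example) of IAM's ArnLike operator:
    both strings are split into the six colon-delimited ARN components and each
    component is matched with '*' meaning any run of characters and '?' one."""
    pattern_parts = pattern.split(":", 5)
    arn_parts = arn.split(":", 5)
    if len(pattern_parts) != 6 or len(arn_parts) != 6:
        return False
    for part_pattern, part in zip(pattern_parts, arn_parts):
        regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                        for ch in part_pattern)
        if re.fullmatch(regex, part) is None:
            return False
    return True


def evaluate_sso_trust(request: Dict[str, str]) -> Tuple[bool, str]:
    """Decide an sts:AssumeRole call against the trust policy.

    `request` carries the condition keys IAM would see for the call:
      aws:PrincipalArn     ARN of the role the caller's session was created from
      sts:RoleSessionName  the --role-session-name the caller passed
      saml:sub             SAML subject of the caller's federated session
                           (absent when the caller did not federate via SAML)
    """
    principal = request.get("aws:PrincipalArn", "")
    if not any(arn_like(p, principal) for p in ALLOWED_PRINCIPAL_PATTERNS):
        return False, "principal is not an Identity Center permission-set role in this account"

    # ${SAML:sub} is a policy variable; when the key is absent from the request
    # context the comparison cannot succeed, so the call is denied.
    saml_sub = request.get("saml:sub")
    if saml_sub is None:
        return False, "caller session carries no saml:sub"

    # StringEqualsIgnoreCase: the session name (which the cluster turns into the
    # Kubernetes username) must equal the identity the IdP asserted, so a user
    # cannot assume the role as somebody else.
    session_name = request.get("sts:RoleSessionName", "")
    if session_name.lower() != saml_sub.lower():
        return False, "sts:RoleSessionName does not match the caller's SAML subject"
    return True, "allowed"


# Constructed callers.
SSO_ROLE = (f"arn:aws:iam::{ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/"
            "eu-west-1/AWSReservedSSO_Developer_0123456789abcdef")
PLAIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/Developer"
FOREIGN_SSO_ROLE = ("arn:aws:iam::999999999999:role/aws-reserved/sso.amazonaws.com/"
                    "AWSReservedSSO_Developer_0123456789abcdef")


def request_from(principal: str, session_name: str,
                 saml_sub: Optional[str] = None) -> Dict[str, str]:
    """Build the request context for one AssumeRole attempt."""
    ctx = {"aws:PrincipalArn": principal, "sts:RoleSessionName": session_name}
    if saml_sub is not None:
        ctx["saml:sub"] = saml_sub
    return ctx


if __name__ == "__main__":
    cases = {
        "own e-mail as session name": request_from(SSO_ROLE, "Alice@Example.com", "alice@example.com"),
        "another user's e-mail": request_from(SSO_ROLE, "bob@example.com", "alice@example.com"),
        "non-SSO IAM role": request_from(PLAIN_ROLE, "alice@example.com", "alice@example.com"),
        "SSO role from another account": request_from(FOREIGN_SSO_ROLE, "alice@example.com", "alice@example.com"),
    }
    for label, ctx in cases.items():
        print(f"{label:30} -> {evaluate_sso_trust(ctx)}")
```

Only the first case is allowed. The second case is the one that matters operationally: a user who holds a permission-set role but passes a colleague's email as `--role-session-name` is refused, which is what keeps the Kubernetes username trustworthy.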

#### Authenticate the EKS cluster

Now that the IAM role exists, map it to a Kubernetes identity in the cluster so that the API server recognises a session of `apono-k8s-access`. EKS offers two mechanisms for this: the `aws-auth` **ConfigMap** or the **EKS API** (access entries). In both, the session name of the assumed role becomes the Kubernetes username, which is the identity Apono's access flows bind permissions to.

{% tabs %}
{% tab title="ConfigMap" %}
{% hint style="success" %}
Read [Apply the `aws-auth ConfigMap` to your cluster](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html#aws-auth-configmap) to learn more about editing the `aws-auth ConfigMap`.
{% endhint %}

Follow these steps to authenticate the cluster:

1. Authenticate to the EKS cluster with an identity that has cluster-admin permission.
2. Edit the `aws-auth` ConfigMap to include the following `mapRoles` entry. Be sure to replace the placeholder. The entry deliberately has no `groups`: assuming the role yields a Kubernetes username but no permissions until an Apono access flow grants them. `{{SessionNameRaw}}` keeps the session name verbatim (an email address keeps its `@`), whereas `{{SessionName}}` would replace `@` with `-`.

   ```yaml
   - rolearn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access
     username: "{{SessionNameRaw}}"
   ```

   <table><thead><tr><th width="215">Placeholder</th><th>Description</th></tr></thead><tbody><tr><td><strong>&#x3C;AWS_ACCOUNT_ID></strong></td><td>AWS account ID where the EKS is hosted</td></tr></tbody></table>

{% endtab %}

{% tab title="EKS API" %}
Follow these steps to authenticate the cluster:

1. [Change the authentication mode](https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html#setting-up-access-entries) to **EKS API**. Review the existing `aws-auth` ConfigMap first: a cluster can move from **ConfigMap** to **EKS API and ConfigMap** and on to **EKS API**, but not back, and in **EKS API** mode the ConfigMap is no longer consulted, so any mapping that is still needed must be recreated as an access entry.
2. [Create the access entry](https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html#creating-access-entries):
   * For the **IAM principal**, enter *arn:aws:iam::\<AWS\_ACCOUNT\_ID>:role/apono-k8s-access*.
   * For the **Username** use `apono:{{SessionName}}`.
   * Choose **Cluster** as the access scope.
   * The entry does not need an EKS access policy: it only establishes the Kubernetes username, and permissions are granted per access flow by Apono.
{% endtab %}
{% endtabs %}
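The `aws-auth` edit above is usually scripted rather than done by hand in `kubectl edit`. Here is an added example, not Apono's or AWS's code, that appends the `mapRoles` entry without a YAML library, makes the change idempotent, produces the `kubectl patch` body, and shows which Kubernetes username a role session resolves to. The username rendering follows what aws-iam-authenticator documents for its templates (`{{SessionName}}` has every `@` replaced with `-`, `{{SessionNameRaw}}` is used verbatim); the EKS access-entry path is evaluated by EKS itself and is not modelled. The account ID, node role and email address are constructed.

```python
"""Append the Apono entry to data.mapRoles of the aws-auth ConfigMap.

Added example, not Apono's or AWS's code. Handles only the block-list layout
that EKS writes into mapRoles. All identifiers are constructed.
"""
import json
import re

ACCOUNT_ID = "111122223333"  # constructed value for the <AWS_ACCOUNT_ID> placeholder
APONO_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/apono-k8s-access"

# Constructed starting content of data.mapRoles, in the shape EKS writes for a node group.
EXISTING_MAP_ROLES = (
    "- groups:\n"
    "  - system:bootstrappers\n"
    "  - system:nodes\n"
    f"  rolearn: arn:aws:iam::{ACCOUNT_ID}:role/demo-NodeInstanceRole\n"
    "  username: system:node:{{EC2PrivateDNSName}}\n"
)


def render_username(template: str, session_name: str) -> str:
    """Resolve the session-name variables as aws-iam-authenticator documents them:
    {{SessionNameRaw}} is verbatim, {{SessionName}} has '@' replaced by '-'."""
    return (template
            .replace("{{SessionNameRaw}}", session_name)
            .replace("{{SessionName}}", session_name.replace("@", "-")))


def add_map_role(map_roles: str, role_arn: str = APONO_ROLE_ARN,
                 username: str = "{{SessionNameRaw}}") -> str:
    """Return data.mapRoles with the Apono entry appended.

    The entry carries no `groups`, so assuming the role yields a Kubernetes
    identity with no permissions until Apono binds RBAC to that username.
    If the role ARN is already mapped the input is returned unchanged, so the
    edit can be re-applied safely.
    """
    already_mapped = re.compile(r"^\s*-?\s*rolearn:\s*" + re.escape(role_arn) + r"\s*$",
                                re.MULTILINE)
    if already_mapped.search(map_roles):
        return map_roles
    if map_roles and not map_roles.endswith("\n"):
        map_roles += "\n"
    return map_roles + f"- rolearn: {role_arn}\n  username: \"{username}\"\n"


def kubectl_merge_patch(map_roles: str) -> str:
    """JSON body for:
      kubectl -n kube-system patch configmap aws-auth --type merge -p '<this JSON>'
    A merge patch replaces the whole mapRoles string, which is why the existing
    entries are carried over instead of sending only the new one."""
    return json.dumps({"data": {"mapRoles": map_roles}})


def mapped_usernames(map_roles: str, session_name: str) -> dict:
    """For each mapRoles entry, the username a session named `session_name` gets."""
    result = {}
    for m in re.finditer(r"rolearn:\s*(\S+)\n\s*username:\s*\"?([^\"\n]+)\"?", map_roles):
        result[m.group(1)] = render_username(m.group(2), session_name)
    return result


if __name__ == "__main__":
    updated = add_map_role(EXISTING_MAP_ROLES)
    print(kubectl_merge_patch(updated))
    print(mapped_usernames(updated, "alice@example.com"))
    # The EKS API tab uses apono:{{SessionName}}; under aws-iam-authenticator's
    # rule the same session name would render as:
    print(render_username("apono:{{SessionName}}", "alice@example.com"))
```

Run it, then pass the printed JSON to `kubectl patch` as shown in the `kubectl_merge_patch` docstring. Running the script twice produces the same patch, since the second `add_map_role` call finds the role already mapped.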

Now, you can [integrate with EKS](#integrate-with-elastic-kubernetes-service-eks).

***

### Integrate with Elastic Kubernetes Service (EKS)

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-c36a010571d1d18415494c3d6b228db6c290f767%2Fintegrate-eks.png?alt=media" alt="" width="563"><figcaption><p>Elastic Kubernetes Service (EKS) tile</p></figcaption></figure>

{% hint style="success" %}
You can also use the steps below to integrate with Apono using Terraform.

In step **11**, instead of clicking **Confirm**, follow the **Are you integrating with Apono using Terraform?** guidance.
{% endhint %}

Follow these steps to complete the integration:

1. On the [**Catalog**](https://app.apono.io/catalog?search=EKS) tab, click **Elastic Kubernetes Service (EKS)**. The **Connect Integration** page appears.
2. Under **Discovery**, click one or more resource types to sync with Apono.

{% hint style="info" %}
Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage access flows to these resources.
{% endhint %}

3. Click **Next**. The **Apono connector** section appears.
4. From the dropdown menu, select a connector.

{% hint style="info" %}
If the desired connector is not listed, click **+ Add new connector** and follow the instructions for creating an [Apono Connector for Kubernetes](https://docs.apono.io/docs/kubernetes-environment/apono-connector-for-kubernetes) on an EKS cluster.
{% endhint %}

5. Click **Next**. The **Integration Config** section expands.
6. Define the **Integration Config** settings.

{% hint style="info" %}
When the Apono connector is installed on the EKS cluster, you do not need to enter values for the other optional fields.
{% endhint %}

<table><thead><tr><th width="220">Setting</th><th>Description</th></tr></thead><tbody><tr><td><strong>Integration Name</strong></td><td>Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow</td></tr><tr><td><strong>Server URL</strong></td><td>(Optional) URL of the Kubernetes API server used to interact with the Kubernetes cluster</td></tr><tr><td><strong>Certification Authority</strong></td><td>(Optional) Certificate that ensures that the Kubernetes API server is trusted and authentic<br><br>Leave this field empty if you want to connect the cluster where the connector is deployed.</td></tr><tr><td><strong>EKS Cluster Name</strong></td><td>Unique name of the cluster to integrate</td></tr><tr><td><strong>AWS Role Name</strong></td><td>(Optional) Role defined for the connector</td></tr><tr><td><strong>Region</strong></td><td>(Optional) Location where the AWS Elastic Kubernetes cluster is deployed</td></tr></tbody></table>

7. Click **Next**. The **Secret Store** section expands.

{% hint style="info" %}
When the Apono connector is installed on the EKS cluster, you do not need to provide a secret.
{% endhint %}

8. (Optional) [Associate the secret or credentials](https://docs.apono.io/docs/connectors-and-secrets/apono-integration-secret).
9. Click **Next**. The **Get more with Apono** section expands.
10. Define the **Get more with Apono** settings.

    <table><thead><tr><th width="183">Setting</th><th>Description</th></tr></thead><tbody><tr><td><strong>Credential Rotation</strong></td><td>(Optional) Number of days after which the credentials must be rotated<br><br>Learn more about the <a href="../../architecture-and-security/credentials-rotation-policy">Credentials Rotation Policy</a>.</td></tr><tr><td><strong>User cleanup after access is revoked (in days)</strong></td><td><p>(Optional) Defines the number of days after access has been revoked that the user should be deleted</p><p><br>Learn more about <a href="../../architecture-and-security/periodic-user-cleanup-and-deletion">Periodic User Cleanup &#x26; Deletion</a>.</p></td></tr><tr><td><strong>Custom Access Details</strong></td><td>(Optional) Instructions explaining how to access this integration's resources<br><br>Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to <strong>400 characters</strong>.<br><br>To view the message as it appears to end users, click <strong>Preview</strong>.</td></tr><tr><td><strong>Integration Owner</strong></td><td><p>(Optional) Fallback approver if no <a href="../../access-flows/dynamic-access-management/resource-and-integration-owners">resource owner</a> is found<br><br>Follow these steps to define one or several integration owners:</p><ol><li>From the <strong>Attribute</strong> dropdown menu, select <strong>User</strong> or <strong>Group</strong> under the relevant identity provider (IdP) platform.</li><li>From the <strong>Value</strong> dropdown menu, select one or multiple users or groups.</li></ol><p><br><strong>NOTE</strong>: When <strong>Resource Owner</strong> is defined, an <strong>Integration Owner</strong> must be defined.</p></td></tr><tr><td><strong>Resource Owner</strong></td><td><p>(Optional) Group or role responsible for managing access approvals or rejections for the resource<br><br>Follow these steps to define one or several <a href="../../access-flows/dynamic-access-management/resource-and-integration-owners">resource owners</a>:</p><ol><li>Enter a <strong>Key name</strong>. This value is the name of the tag created in your cloud environment.</li><li>From the <strong>Attribute</strong> dropdown menu, select an attribute under the IdP platform to which the key name is associated.<br><br>Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.</li></ol><p><br><strong>NOTE</strong>: When this setting is defined, an <strong>Integration Owner</strong> must also be defined.</p></td></tr></tbody></table>
11. Click **Confirm**.

<details>

<summary>💡Are you integrating with Apono using Terraform?</summary>

If you want to integrate with Apono using Terraform, follow these steps instead of clicking **Confirm**:

1. At the top of the screen, click **View as Code**. A modal appears with the completed Terraform configuration code.
2. Click to copy the code.
3. Make any additional edits.
4. Deploy the code in your Terraform.

Refer to [Integration Config Metadata](https://docs.apono.io/metadata-for-integration-config/integration-metadata/aws-eks) for more details about the schema definition.

</details>

Now that you have completed this integration, you can [create access flows](https://docs.apono.io/docs/access-flows/access-flows) that grant permission to your Elastic Kubernetes Service cluster.

***

### Log in to EKS with Apono access details

After a user is granted access to an EKS resource, the user still has to authenticate to the cluster. To do so, the user assumes the [`apono-k8s-access` role](#create-the-iam-role) from their existing AWS session, passing their own email address as the role session name. Under the AWS SSO trust policy, `sts:RoleSessionName` is compared with the caller's SAML subject, so any other value is rejected; the session name is also what the cluster mapping turns into the Kubernetes username. The resulting credentials (or the named profile below) can then be used with `aws eks update-kubeconfig`, which needs exactly the `eks:DescribeCluster` permission granted to the role.

The following table shows two ways to assume the role.

<table><thead><tr><th width="217">Approach</th><th>Details</th></tr></thead><tbody><tr><td><strong>AWS CLI</strong></td><td><p>In the AWS CLI, run the <code>aws sts assume-role</code> command. Be sure to replace the placeholders.<br></p><pre data-overflow="wrap"><code>aws sts assume-role \
  --role-arn arn:aws:iam::&#x3C;AWS_ACCOUNT_ID>:role/apono-k8s-access \
  --role-session-name &#x3C;EMAIL> \
  --duration-seconds 3600
</code></pre></td></tr><tr><td><strong>Config File</strong></td><td><p>Edit <strong>~/.aws/config</strong> to contain the following profile. Be sure to replace the placeholders. <code>source_profile</code> names the profile whose credentials (your AWS SSO or federated session) are used to assume the role.<br></p><pre data-overflow="wrap"><code>[profile apono-k8s-access]
role_arn = arn:aws:iam::&#x3C;AWS_ACCOUNT_ID>:role/apono-k8s-access
role_session_name = &#x3C;EMAIL>
source_profile = default
</code></pre></td></tr></tbody></table>

<table><thead><tr><th width="218">Placeholder</th><th>Description</th></tr></thead><tbody><tr><td><strong>&#x3C;AWS_ACCOUNT_ID></strong></td><td>AWS account ID where the EKS is hosted</td></tr><tr><td><strong>&#x3C;EMAIL></strong></td><td>User email listed in the IdP</td></tr></tbody></table>
