Integrate with EKS
Overview
With a connector installed on your Kubernetes platform, the next step is setting permissions for Apono to manage access control.
Prerequisites
- An Apono Kubernetes connector installed on the EKS cluster you want to integrate
- Cluster Admin permission to the EKS cluster
- AWS SSO or some SAML federation for authentication (like Okta, Onelogin, Jumpcloud, Ping Identity, etc.) for requesters
Please note! If you installed the Apono connector on the cluster, there is no need to provide the secret in the Add Integration form in the UI.
The connector already handles the secret ;)
Integrate Apono with EKS
1. Integrate EKS with AWS SSO or SAML Federation
In AWS, user authentication can be done with an IAM user or IAM role, and not with the user email. To allow users to access an EKS cluster, Apono must map the IAM user or IAM role to a user identifier, like the user email.
Apono supports this mapping with an IAM role via AWS SSO or with SAML federation from any IdP of your choice.
Create the IAM role in AWS
Create an IAM role in the AWS account of the EKS cluster and map it into the cluster via the aws-auth ConfigMap (step 2 below).
1. In the AWS Admin Portal, go to AWS IAM
2. Click Roles
3. Click Create Role
4. Select trusted entity: Custom trust policy
5. Insert the trust policy shown below, then follow steps 6-17:
- If you are using AWS SSO, use the "With AWS SSO" policy
- If you are using a SAML Federation, use the "With SAML Federation" policy
With AWS SSO
Set the following Assume Role Policy Document for the created role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "sts:RoleSessionName": "${SAML:sub}"
        },
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*",
            "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*"
          ]
        }
      }
    }
  ]
}
Where:
AWS_ACCOUNT_ID is the AWS account ID where the EKS cluster is hosted
The wildcard principal is constrained by the two conditions: only AWS SSO permission-set roles in this account may assume the role, and the role session name must equal the caller's own SAML subject.
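To see what the two conditions in the SSO trust policy above actually guard, here is an added Python check (not Apono's or AWS's code) that evaluates them the way IAM would against constructed assume-role calls: an SSO permission-set role whose session name matches its SAML subject passes, while a non-SSO role, a caller without a SAML session, or a session name that differs from the caller's subject is refused. The account ID and role ARNs are constructed placeholders, and the evaluator is a simplified model of IAM's condition logic.

```python
import fnmatch
import json

ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account

# The AWS SSO trust policy from the guide, with <AWS_ACCOUNT_ID> substituted.
SSO_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Statement1", "Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole",
    "Condition": {
      "StringEqualsIgnoreCase": {"sts:RoleSessionName": "${SAML:sub}"},
      "ArnLike": {"aws:PrincipalArn": [
        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*",
        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*"
      ]}
    }
  }]
}""".replace("<AWS_ACCOUNT_ID>", ACCOUNT_ID))


def arn_like(pattern, arn):
    """IAM ArnLike semantics: '*' matches any run of characters, '?' one character."""
    return fnmatch.fnmatchcase(arn, pattern)


def assume_role_allowed(policy, principal_arn, session_name, saml_sub=None):
    """Simplified model of IAM evaluating this trust policy for one sts:AssumeRole call.
    saml_sub is the SAML subject of the caller's session; None means the caller did not
    sign in through SSO/SAML, so the ${SAML:sub} policy variable cannot resolve."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        cond = stmt["Condition"]
        if saml_sub is None:
            continue  # unresolved policy variable: the condition fails
        wanted = cond["StringEqualsIgnoreCase"]["sts:RoleSessionName"]
        wanted = wanted.replace("${SAML:sub}", saml_sub)
        if wanted.lower() != session_name.lower():
            continue  # session name (the future k8s username) must be the caller's own subject
        if any(arn_like(p, principal_arn) for p in cond["ArnLike"]["aws:PrincipalArn"]):
            return True  # caller is an AWS SSO permission-set role in this account
    return False


# Constructed callers: an SSO permission-set role (regional path form) and a plain IAM role.
SSO_ROLE = (f"arn:aws:iam::{ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/"
            "eu-west-1/AWSReservedSSO_DeveloperAccess_0123456789abcdef")
PLAIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/ci-runner"
```

Because the session name is what aws-auth later turns into the Kubernetes username, the StringEqualsIgnoreCase condition is what stops a requester from assuming the role under another user's email.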
With SAML Federation
Set the following Assume Role Policy Document for the created role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:saml-provider/<SAML_PROVIDER>"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
Where:
AWS_ACCOUNT_ID is the AWS account ID where the EKS cluster is hosted
SAML_PROVIDER is the name of your IdP's SAML provider in IAM
Continue with steps 6-17
6. Click Next
7. Under Add permissions, click Create Policy
8. Click JSON
9. Paste the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "eks:DescribeCluster",
      "Resource": "arn:aws:eks:*:<AWS_ACCOUNT_ID>:cluster/*"
    }
  ]
}
Where:
AWS_ACCOUNT_ID is the AWS account ID where the EKS cluster is hosted
10. Click Next
11. Give the policy a name of your choosing
12. Click Create policy
13. Return to the Add permissions page
14. From the table, choose the Apono policy you just created
15. Click Next
16. Complete the following params:
- Role name: apono-k8s-access
- Optional: Set description: required for k8s access managed by Apono
17. Click Create role
2. Map the IAM Role to K8s identities
Map the IAM role to K8s identities using the aws-auth ConfigMap. See the AWS guide on editing the aws-auth ConfigMap for details.
- Log into your EKS cluster with Cluster Admin permission
- Edit the aws-auth ConfigMap to include the following mapRoles entry:
  - rolearn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access
    username: "{{SessionNameRaw}}"
Where:
AWS_ACCOUNT_ID is the AWS account ID where the EKS cluster is hosted
The {{SessionNameRaw}} template makes the role session name (the user's email, see "Using the Apono access details to log into EKS" below) the Kubernetes username.
3. In Apono, create a new EKS integration
- In the Apono app, select Elastic Kubernetes Service (EKS) from the Integrations Catalog.
- On the next page, select an existing connector from the drop-down list.
- Click Next to view the EKS integration form.
4. Complete the Integration Form
- Integration name: Give the integration a name.
- If you installed the Apono connector on the EKS cluster, ignore the optional params and the secret
- Cluster name: The unique name of the cluster you are integrating
Results
Integration of Apono with EKS is now complete.
Next Steps
- Manage users and groups. If you have an IdP set up, for example Okta or Azure AD, you may want to integrate Apono in order to sync users and groups.
- You can now control access to this resource by defining Access Flows.
- Make it easy for your users to request access by integrating your Slack or Teams organization with Apono.
Using the Apono access details to log into EKS
When users request and are granted JIT access to an EKS resource (like cluster, namespace, pod, deployment, secret, etc.), they need to authenticate with the cluster.
To authenticate, the user must assume the apono-k8s-access role that admins created in step 1, in one of the following ways:
- Use the aws sts assume-role command in the AWS CLI:
aws sts assume-role --role-arn arn:aws:iam::<ACCOUNT_ID>:role/apono-k8s-access --role-session-name <EMAIL> --duration-seconds 3600
Where:
ACCOUNT_ID is the AWS account ID where the EKS cluster is hosted
EMAIL is the user email as listed in the IdP
- Edit the ~/.aws/config file to contain the following profile:
[profile apono-k8s-access]
role_arn = arn:aws:iam::<ACCOUNT_ID>:role/apono-k8s-access
role_session_name = <EMAIL>
source_profile = default
Where:
ACCOUNT_ID is the AWS account ID where the EKS cluster is hosted
EMAIL is the user email as listed in the IdP
In both cases the session name must be the user's own email: the trust policy from step 1 only accepts a session name equal to the caller's SAML subject, and the aws-auth mapping from step 2 turns that session name into the Kubernetes username.