Connect to EKS with AWS SSO
Before enabling SSO for an EKS cluster, make sure you have connected it to an apono-connector by following this guide:
https://docs.apono.io/docs/k8s-integration
To allow frictionless K8s access for SSO users, follow these steps:
Create an IAM role in the AWS account of the EKS cluster and map it into the cluster via the aws-auth ConfigMap
- Create the role:
  - Role name: apono-k8s-access
  - Trusted entity type: Custom trust policy
  - Insert the following trust policy and replace <AWS_ACCOUNT_ID> with the id of the current AWS account
  - Don't add any permissions
  - Set description: required for k8s access managed by Apono
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Statement1",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:RoleSessionName": "${SAML:sub}"
            },
            "ArnLike": {
              "aws:PrincipalArn": [
                "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*",
                "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*"
              ]
            }
          }
        }
      ]
    }
- Add an inline policy named describe clusters to allow describing EKS clusters (again replacing <AWS_ACCOUNT_ID>):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "eks:DescribeCluster",
          "Resource": "arn:aws:eks:*:<AWS_ACCOUNT_ID>:cluster/*"
        }
      ]
    }
- Map the IAM role to K8s identities using the aws-auth ConfigMap: add the following entry to the mapRoles section, replacing <AWS_ACCOUNT_ID> with the id of the AWS account where the EKS cluster is located
    - rolearn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access
      username: apono-managed-user:{{SessionNameRaw}}
- Contact Apono support to enable K8s SSO authentication in your Apono account
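To review what these settings actually grant before rolling them out, the following Python script, added here as an illustration and not part of Apono's documentation or tooling, renders the trust policy, the inline policy and the mapRoles entry for a given account id, and models how STS evaluates the trust policy's Condition block for an sts:AssumeRole request. Only the two operators the policy uses (StringEquals and ArnLike) are modelled and Deny statements are ignored; the account id, the SSO role ARN and the user names are constructed sample values, and the k8s_username helper reproduces what the {{SessionNameRaw}} template in the mapRoles entry yields.

```python
import json
import re

# Constructed sample values for this example only (not real accounts, roles or users).
SAMPLE_ACCOUNT_ID = "123456789012"
SAMPLE_SSO_ROLE_ARN = ("arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/"
                       "eu-west-1/AWSReservedSSO_DevAccess_0123456789abcdef")
ROLE_NAME = "apono-k8s-access"


def _check_account_id(account_id: str) -> str:
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("an AWS account id is exactly 12 digits")
    return account_id


def render_trust_policy(account_id: str) -> dict:
    """Trust policy from the guide with <AWS_ACCOUNT_ID> filled in."""
    acct = _check_account_id(account_id)
    sso_prefix = f"arn:aws:iam::{acct}:role/aws-reserved/sso.amazonaws.com/"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Statement1",
            "Effect": "Allow",
            # Principal "*" alone would trust everyone; the Condition block is the real gate.
            "Principal": {"AWS": "*"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"sts:RoleSessionName": "${SAML:sub}"},
                "ArnLike": {"aws:PrincipalArn": [sso_prefix + "AWSReservedSSO_*",
                                                 sso_prefix + "*/AWSReservedSSO_*"]},
            },
        }],
    }


def render_describe_policy(account_id: str) -> dict:
    """Inline 'describe clusters' policy from the guide."""
    acct = _check_account_id(account_id)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "eks:DescribeCluster",
                           "Resource": f"arn:aws:eks:*:{acct}:cluster/*"}]}


def render_map_roles_entry(account_id: str) -> str:
    """mapRoles entry for the aws-auth ConfigMap (YAML fragment)."""
    acct = _check_account_id(account_id)
    return (f"- rolearn: arn:aws:iam::{acct}:role/{ROLE_NAME}\n"
            "  username: apono-managed-user:{{SessionNameRaw}}")


def k8s_username(session_name: str) -> str:
    """Username Kubernetes sees: {{SessionNameRaw}} is the unmodified sts:RoleSessionName,
    which the trust policy forces to equal the SAML subject of the SSO user."""
    return f"apono-managed-user:{session_name}"


def _arn_like(pattern: str, value: str) -> bool:
    # ArnLike: '*' matches any run of characters, '?' one character, case-sensitive.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _resolve(template: str, ctx: dict):
    # Expand ${key} policy variables from the request context; unresolvable -> None.
    missing = False

    def sub(m):
        nonlocal missing
        value = ctx.get(m.group(1).lower())
        if value is None:
            missing = True
            return ""
        return value

    out = re.sub(r"\$\{([^}]+)\}", sub, template)
    return None if missing else out


def assume_role_allowed(policy: dict, ctx: dict) -> bool:
    """Model of STS evaluating this trust policy for sts:AssumeRole.

    ctx maps request context keys (case-insensitive) to values, e.g. aws:PrincipalArn,
    sts:RoleSessionName and saml:sub. Only Allow statements with StringEquals / ArnLike
    are modelled; a missing context key or unresolvable variable fails the condition."""
    ctx = {k.lower(): v for k, v in ctx.items()}
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in actions:
            continue
        ok = True
        for op, tests in st.get("Condition", {}).items():
            for key, expected in tests.items():
                actual = ctx.get(key.lower())
                expected = expected if isinstance(expected, list) else [expected]
                resolved = [r for r in (_resolve(e, ctx) for e in expected) if r is not None]
                if actual is None or not resolved:
                    ok = False
                elif op == "StringEquals":
                    ok = actual in resolved
                elif op == "ArnLike":
                    ok = any(_arn_like(p, actual) for p in resolved)
                else:
                    raise NotImplementedError(f"operator {op} not modelled")
                if not ok:
                    break
            if not ok:
                break
        if ok:
            return True
    return False


if __name__ == "__main__":
    policy = render_trust_policy(SAMPLE_ACCOUNT_ID)
    print(json.dumps(policy, indent=2))
    print(render_map_roles_entry(SAMPLE_ACCOUNT_ID))
    ctx = {"aws:PrincipalArn": SAMPLE_SSO_ROLE_ARN,
           "sts:RoleSessionName": "alice@example.com", "saml:sub": "alice@example.com"}
    print(assume_role_allowed(policy, ctx), k8s_username(ctx["sts:RoleSessionName"]))
```

Running the script shows why the wildcard principal is acceptable here: a request only passes when the caller is one of the account's own AWSReservedSSO_* roles and its session name equals the SAML subject, so the name that lands in the Kubernetes audit log (apono-managed-user:&lt;subject&gt;) is the SSO identity rather than a caller-chosen string. A role from another account, a non-SSO role in the same account, a mismatched session name, or a request without a SAML subject all evaluate to false.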