Connect to EKS with AWS SSO

Before enabling SSO for an EKS cluster, make sure the cluster is already connected to an apono-connector by following this guide:
https://docs.apono.io/docs/k8s-integration

To allow frictionless K8s access for SSO users, follow these steps:

Create an IAM role in the AWS account of the EKS cluster and map it into the cluster via the aws-auth ConfigMap.

  1. Create the role:
  • Role name: apono-k8s-access
  • Trusted entity type: Custom trust policy
  • Insert the following trust policy and replace <AWS_ACCOUNT_ID> with the current AWS account id
  • Don't add any permissions at this point (the inline policy is added below)
  • Set description: required for k8s access managed by Apono
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:RoleSessionName": "${SAML:sub}"
                },
                "ArnLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*",
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*"
                    ]
                }
            }
        }
    ]
}
  • Add an inline policy named "describe clusters" that allows describing EKS clusters (replace <AWS_ACCOUNT_ID> as above):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "eks:DescribeCluster",
            "Resource": "arn:aws:eks:*:<AWS_ACCOUNT_ID>:cluster/*"
        }
    ]
}
  2. Map the IAM role to Kubernetes identities using the aws-auth ConfigMap:
  • Add the following entry to the mapRoles section, replacing <AWS_ACCOUNT_ID> with the id of the AWS account where the EKS cluster is located
- rolearn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/apono-k8s-access
  username: apono-managed-user:{{SessionNameRaw}}
  3. Contact Apono support to enable K8s SSO authentication in your Apono account.
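The trust policy in step 1 opens the role to Principal "*" and relies on the aws:PrincipalArn condition to narrow that to this account's AWS SSO (IAM Identity Center) reserved roles. The following Python, added here and not part of the Apono docs, builds that policy for a given account id and evaluates the ArnLike condition the way IAM does (field by field), so you can confirm which caller ARNs it admits before deploying it; the sts:RoleSessionName condition is not modelled, and the account id and role ARNs used are constructed samples.

```python
import fnmatch

SSO_ROLE_PREFIX = "role/aws-reserved/sso.amazonaws.com/"  # path of AWS SSO reserved roles

def trust_policy(account_id: str) -> dict:
    """The apono-k8s-access trust policy from the page, with <AWS_ACCOUNT_ID> filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"sts:RoleSessionName": "${SAML:sub}"},
                "ArnLike": {"aws:PrincipalArn": [
                    f"arn:aws:iam::{account_id}:{SSO_ROLE_PREFIX}AWSReservedSSO_*",
                    f"arn:aws:iam::{account_id}:{SSO_ROLE_PREFIX}*/AWSReservedSSO_*",
                ]},
            },
        }],
    }

def arn_like(pattern: str, arn: str) -> bool:
    """IAM ArnLike semantics: the six colon-separated ARN fields are matched one by one,
    so a '*' in one field (e.g. the account id) never spans into the next field."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(fnmatch.fnmatchcase(x, y) for x, y in zip(a, p))

def assume_role_allowed(policy: dict, principal_arn: str) -> bool:
    """True if an Allow statement for sts:AssumeRole admits this caller ARN, modelling only
    the Principal element and the aws:PrincipalArn ArnLike condition (not the session name)."""
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        if "*" not in principals and principal_arn not in principals:
            continue
        patterns = stmt.get("Condition", {}).get("ArnLike", {}).get("aws:PrincipalArn")
        if patterns is None:  # wildcard principal with no ARN condition: any AWS caller may assume
            return True
        patterns = [patterns] if isinstance(patterns, str) else patterns
        if any(arn_like(pat, principal_arn) for pat in patterns):
            return True
    return False
```

Run it against the ARNs of the SSO permission-set roles in your account (with and without a region segment in the path) and against a role from another account; the latter must be rejected, and removing the Condition block shows why it is the only thing keeping the wildcard principal closed.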