DEV Community

John Ajera
Accessing Amazon EKS from a Jumphost using Access Entries

๐Ÿ” How to Access Amazon EKS from a Jumphost (Modern Access Entries Method)

Amazon EKS Access Entries let you assign Kubernetes API permissions to IAM identities without modifying the legacy aws-auth ConfigMap. This guide shows how to set up a jumphost for kubectl access using read-only or admin-view permissions: the modern, secure, and auditable way.


🚀 Overview: What Needs to Be Done

Step                     Description
✅ Install tools         Make sure the AWS CLI and kubectl are available
✅ IAM setup             Grant the jumphost's IAM role the minimum required permissions
✅ EKS Access Entry      Attach Kubernetes-level access policies such as AmazonEKSViewPolicy
✅ Configure kubeconfig  Use the AWS CLI to connect kubectl to the cluster

📦 Step 1: Install AWS CLI and kubectl

✅ AWS CLI

  • Pre-installed on Amazon Linux 2 and Amazon Linux 2023
  • AWS CLI v2 is required for aws eks update-kubeconfig
  • On other systems, install AWS CLI v2 following the AWS documentation

aws --version

✅ kubectl

kubectl version --client

๐Ÿ” Step 2: IAM Policy for Jumphost Role

The jumphost typically assumes an IAM role automatically if it's an EC2 instance using an instance profile. For non-EC2 environments, the IAM role can be assumed via aws sts assume-role or temporary credentials.

The following permissions allow the role to fetch cluster metadata and authenticate:

# The role the jumphost assumes (via its instance profile on EC2).
data "aws_iam_role" "jumphost" {
  name = var.jumphost_role_name
}

data "aws_region" "current" {}

data "aws_caller_identity" "current" {}

resource "aws_iam_policy" "eks_describe_cluster" {
  name = "EKSDescribeCluster"
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        # aws eks update-kubeconfig calls DescribeCluster to fetch the API
        # endpoint and CA certificate; scope it to this cluster only.
        Sid    = "DescribeClusterAccess",
        Effect = "Allow",
        Action = ["eks:DescribeCluster"],
        Resource = "arn:aws:eks:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:cluster/${var.cluster_name}"
      },
      {
        # Used only by the verification step (Step 4) to list the policies
        # associated with the role's access entry.
        Sid    = "ListAssociatedAccessPolicies",
        Effect = "Allow",
        Action = ["eks:ListAssociatedAccessPolicies"],
        Resource = "*"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "jumphost_describe_cluster" {
  role       = data.aws_iam_role.jumphost.name
  policy_arn = aws_iam_policy.eks_describe_cluster.arn
}

The eks:DescribeCluster permission is what aws eks update-kubeconfig relies on to fetch the cluster endpoint and certificate authority, so it is required even when an access policy such as AmazonEKSAdminViewPolicy is associated: access policies govern the Kubernetes API, not the EKS control-plane API.


🔧 Step 3: Grant EKS Access via Terraform

EKS Access Entries work without the legacy aws-auth ConfigMap. You no longer need to manage Kubernetes RBAC manually; AWS manages it through access policies.

Use EKS Access Entries and associate them with AWS-managed access policies:

# One access entry per IAM principal: it maps the jumphost role to a
# Kubernetes identity without editing the aws-auth ConfigMap.
resource "aws_eks_access_entry" "jumphost" {
  cluster_name  = var.cluster_name
  principal_arn = data.aws_iam_role.jumphost.arn
}

# Cluster-wide read-only access to the Kubernetes API (Secrets excluded).
# access_scope is a required block on this resource.
resource "aws_eks_access_policy_association" "view" {
  cluster_name  = var.cluster_name
  principal_arn = aws_eks_access_entry.jumphost.principal_arn
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"

  access_scope {
    type = "cluster"
  }
}

# AmazonEKSAdminViewPolicy is a superset of AmazonEKSViewPolicy and also
# allows reading Secrets; associate only the policy the jumphost needs.
resource "aws_eks_access_policy_association" "admin_view" {
  cluster_name  = var.cluster_name
  principal_arn = aws_eks_access_entry.jumphost.principal_arn
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminViewPolicy"

  access_scope {
    type = "cluster"
  }
}

Both layers are needed: the IAM policy lets the role call the EKS control-plane API (DescribeCluster), and the access entry with its policy association grants the role permissions inside the Kubernetes API.


🧪 Step 4: Verify Access from the Jumphost

🔍 1. Check access association

aws eks list-associated-access-policies \
  --cluster-name <cluster-name> \
  --principal-arn arn:aws:iam::<account-id>:role/<jumphost-role>

You should see AmazonEKSViewPolicy or AmazonEKSAdminViewPolicy.

🔧 2. Update kubeconfig

aws eks update-kubeconfig --region <region> --name <cluster-name>

✅ 3. Test read-only kubectl access

kubectl get nodes
kubectl get pods -A
kubectl get svc -A
kubectl get events -A
kubectl get deployments -A
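The check in step 4.1 is easy to eyeball once, but the association can drift later. The following audit script is an added example, not part of the original post: it reads the JSON printed by aws eks list-associated-access-policies and flags any policy beyond the read-only pair this guide grants, or any association that is no longer cluster-wide. The account id, cluster name and sample outputs are constructed placeholders.

```python
# Added example (not from the original post): audit the JSON printed by
# `aws eks list-associated-access-policies --output json` for the jumphost
# role and flag anything beyond the read-only policies the guide grants.
import json
import sys

# The two policies the guide associates. AmazonEKSAdminViewPolicy is a
# superset of AmazonEKSViewPolicy: it additionally allows reading Secrets.
READ_ONLY_POLICIES = frozenset({
    "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy",
    "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminViewPolicy",
})


def audit_associations(raw_json, allowed=READ_ONLY_POLICIES):
    """Return a list of findings; an empty list means only the expected
    cluster-wide read-only policies are associated with the principal."""
    associations = json.loads(raw_json).get("associatedAccessPolicies", [])
    findings = []
    if not associations:
        findings.append("no access policy associated: kubectl will be denied")
    for assoc in associations:
        arn = assoc.get("policyArn", "<missing policyArn>")
        scope = assoc.get("accessScope", {})
        if arn not in allowed:
            findings.append(f"unexpected policy associated: {arn}")
        # The guide grants cluster-wide scope; anything else was changed outside Terraform.
        if scope.get("type") != "cluster":
            findings.append(f"{arn} scoped to {scope.get('namespaces', [])}")
    return findings


# Constructed sample outputs (placeholder account id and cluster name) in the
# shape the CLI returns; the second shows drift to a cluster-admin policy.
POLICY = "arn:aws:eks::aws:cluster-access-policy/"
PRINCIPAL = "arn:aws:iam::111122223333:role/jumphost"
SAMPLE_OK = json.dumps({
    "clusterName": "demo", "principalArn": PRINCIPAL,
    "associatedAccessPolicies": [
        {"policyArn": POLICY + "AmazonEKSViewPolicy",
         "accessScope": {"type": "cluster", "namespaces": []}}]})
SAMPLE_DRIFT = json.dumps({
    "clusterName": "demo", "principalArn": PRINCIPAL,
    "associatedAccessPolicies": [
        {"policyArn": POLICY + "AmazonEKSClusterAdminPolicy",
         "accessScope": {"type": "cluster", "namespaces": []}},
        {"policyArn": POLICY + "AmazonEKSViewPolicy",
         "accessScope": {"type": "namespace", "namespaces": ["kube-system"]}}]})

if __name__ == "__main__":  # aws eks list-associated-access-policies ... | python3 audit.py
    for finding in audit_associations(sys.stdin.read()):
        print("FINDING:", finding)
```

Run it from the jumphost with the real CLI output piped in; a non-empty finding list means the role's Kubernetes permissions no longer match what Terraform declared.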

✅ Summary

  • 🛠 Tools: AWS CLI + kubectl installed
  • 🔐 IAM Permissions: eks:DescribeCluster, eks:ListAssociatedAccessPolicies
  • 📜 EKS Access Entries: Associated with AmazonEKSViewPolicy or AmazonEKSAdminViewPolicy
  • ⚙️ Tested: Via aws eks update-kubeconfig + kubectl get commands

This approach is clean, auditable, and fully compatible with Terraform. Ditch the manual aws-auth edits and use EKS Access Entries instead. ✅
