Set up an Amazon Elastic Kubernetes Service connector
Capabilities
| Resource | Sync | Provision |
|---|---|---|
| Accounts | ℹ️ | |
| Groups | ℹ️ | |
| Roles | ✅ | |
| IAM roles | ✅ | |
| Cluster roles | ✅ | |
| Namespaces | ✅ |
ℹ️ This connector pulls account and group information from the AWS connector. You’ll configure this relationship when setting up the connector.
Before you begin
This connector requires you to have a working AWS connector. If you haven’t already done so, set up the AWS connector before you proceed.
You’ll also need the AWS CLI installed and configured, and kubectl configured to connect to your EKS cluster.
Gather EKS credentials
Configuring the connector requires you to pass in credentials generated in EKS. The EKS connector requires different credentials based on your chosen hosting method:
| Credential | Cloud-hosted | Self-hosted | Notes |
|---|---|---|---|
| Region | ✅ | ✅ | |
| Cluster name | ✅ | ✅ | |
| Access key | ✅ | ||
| Access key secret | ✅ | ||
| Assume role ARN | ✅ | ✅ | The configuration process varies by hosting method. |
Gather the relevant set of credentials before you move on.
(Cloud and self-hosted) Look up your region and cluster name
Log into the AWS Management Console.
In the top right corner of the screen, make a note of your region.
Next, navigate to the Amazon EKS service page (you can search for “EKS” to get there quickly).
On the EKS dashboard, click Clusters.
A list of the clusters in the current region is shown. Make a note of the name of the cluster you want to integrate with ConductorOne.
If you want to integrate multiple clusters, you must set up an EKS connector for each one.
(Self-hosted) Look up an AWS IAM access key and secret
Navigate to IAM (Identity and Access Management) > Users and select the user you want to generate the key for.
Click Security credentials and find the Access keys section of the page.
Click Create access key, and choose use cases as relevant (these do not impact the scope of the key itself).
Click Next.
Click Create access key.
(Cloud-hosted) Generate an Assume Role ARN
This process has several steps, and we’ll walk through them together.
Get a ConductorOne-provided External ID
In ConductorOne, navigate to Admin > Connectors and click Add connector.
Search for Amazon EKS and click Add.
Choose how to set up the new AWS connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
Click Next.
Find the Settings area of the page and click Edit.
Copy and save the External ID populated in the External ID field.
Create a custom IAM role
In a new browser tab, sign in to your AWS Account using your existing credentials or SSO.
Navigate to the IAM Dashboard and select Access Management > Roles > Create Role.
Select Custom Trust Policy and paste the following into the Trust Policy JSON editor, replacing
EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGEwith the External ID from ConductorOne.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::765656841499:role/ConductorOneService" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGE" } } } ] }Click Next.
Skip Add permissions and click Next.
Give the role a name, such as ConductorOneIntegration.
Add any tags relevant to your organization and click Create Role.
Find the newly created role, and click on it to view the role details page.
Under Permissions Policies, click Add Permissions and select Create Inline Policy.
Switch to the JSON Editor tab and paste the following policy into the editor:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:AttachRolePolicy", "iam:GetRole", "iam:ListRoles", "iam:PassRole", "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:TagRole", "iam:GetOpenIDConnectProvider", "iam:ListOpenIDConnectProviders", "iam:TagOpenIDConnectProvider", "iam:GetContextKeysForPrincipalPolicy", "iam:SimulatePrincipalPolicy" ], "Effect": "Allow", "Resource": "*", "Sid": "ConductorOneReadAccess" }, { "Sid": "AccessToSSOProvisionedRoles", "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies" ], "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*" }, { "Sid": "IAMListPermissions", "Effect": "Allow", "Action": [ "iam:ListRoles", "iam:ListPolicies", "iam:ListAccessKeys" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "eks:DescribeCluster", "eks:DescribeClusterVersions", "eks:DescribeNodegroup", "eks:AssociateIdentityProviderConfig", "eks:ListTagsForResource", "eks:ListClusters", "eks:ListNodegroups", "eks:AccessKubernetesApi", "eks:AssociateAccessPolicy", "eks:ListAssociatedAccessPolicies", "eks:AssociateIdentityProviderConfig", "eks:DescribeAccessEntry", "eks:ListAccessEntries", "eks:ListAccessPolicies", "eks:DescribeAddon", "eks:DescribeAddonVersions", "eks:DescribeAddonConfiguration" ], "Resource": "*" } ] }Click Review Policy.
Give the policy a name, such as ConductorOnePermissions and click Create Policy.
Copy the Role ARN for the role we created, it should look like:
arn:aws:iam::NNNNNNNNNN:role/ConductorOneIntegration.
(Self-hosted) Generate an Assume Role ARN
Sign in to your AWS Account using your existing credentials or SSO.
Navigate to the IAM Dashboard and select Access Management > Roles > Create Role.
Select Custom Trust Policy and paste the following into the Trust Policy JSON editor
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Principal": { "AWS": "<YOUR_USER_ARN>" }, "Action": "sts:AssumeRole" } ] }Click Next.
Skip Add permissions and click Next.
Give the role a name, such as ConductorOneIntegration.
Add any tags relevant to your organization and click Create Role.
Find the newly created role, and click on it to view the role details page.
Under Permissions Policies, click Add Permissions and select Create Inline Policy.
Switch to the JSON Editor tab and paste the following policy into the editor:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:AttachRolePolicy", "iam:GetRole", "iam:ListRoles", "iam:PassRole", "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:TagRole", "iam:GetOpenIDConnectProvider", "iam:ListOpenIDConnectProviders", "iam:TagOpenIDConnectProvider", "iam:GetContextKeysForPrincipalPolicy", "iam:SimulatePrincipalPolicy" ], "Effect": "Allow", "Resource": "*", "Sid": "ConductorOneReadAccess" }, { "Sid": "AccessToSSOProvisionedRoles", "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies" ], "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*" }, { "Sid": "IAMListPermissions", "Effect": "Allow", "Action": [ "iam:ListRoles", "iam:ListPolicies", "iam:ListAccessKeys" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "eks:DescribeCluster", "eks:DescribeClusterVersions", "eks:DescribeNodegroup", "eks:AssociateIdentityProviderConfig", "eks:ListTagsForResource", "eks:ListClusters", "eks:ListNodegroups", "eks:AccessKubernetesApi", "eks:AssociateAccessPolicy", "eks:ListAssociatedAccessPolicies", "eks:AssociateIdentityProviderConfig", "eks:DescribeAccessEntry", "eks:ListAccessEntries", "eks:ListAccessPolicies", "eks:DescribeAddon", "eks:DescribeAddonVersions", "eks:DescribeAddonConfiguration" ], "Resource": "*" } ] }Click Review Policy.
Give the policy a name, such as ConductorOnePermissions and click Create Policy.
Copy the Role ARN for the role we created, it should look like:
arn:aws:iam::NNNNNNNNNN:role/ConductorOneIntegration.
Assign the role permissions within the cluster
Once you have created the role, you need to assign it permissions inside the cluster. You can do this by editing the aws-auth configmap and mapping the created role to the cluster-admin user or any cluster user/group with admin privileges. For more restricted, granular permissions, you can create a custom ClusterRole that has read-only permissions.
You can see the current state of your aws-auth configmap by running:
kubectl get configmap -n kube-system aws-auth -o yaml
Fetch the current state and save it to a file:
kubectl get configmap -n kube-system aws-auth -o yaml > aws-auth-full.yaml
Edit the file in an editor of your choice, adding the corresponding mappings in the mapRoles section:
apiVersion: v1
data:
mapRoles: |
- groups:
- test-group-1
rolearn: arn:aws:iam::1234567:role/ExampleEntry
username: example-role-username
# Add your new entry here
# - rolearn: YOUR_ROLE_ARN
# username: any unique name, can be YOUR_ROLE_ARN
# groups:
# - readers
mapUsers: |
- groups:
- test-group-1
userarn: arn:aws:iam::1234567:user/test-user
username: test-user-1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
WARNING: This action replaces the original aws-auth configmap. Be sure to check your changes before applying them:
kubectl apply -f aws-auth-full.yaml
Next, create a cluster role. This example has the permissions to read-only all resources from the cluster:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: read-only-access-cluster-role
rules:
- apiGroups: [""]
resources: ["pods", "services", "configmaps", "namespaces", "secrets", "endpoints", "persistentvolumeclaims", "serviceaccounts"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps", "batch", "extensions", "networking.k8s.io", "rbac.authorization.k8s.io"]
resources: ["deployments", "replicasets", "statefulsets", "jobs", "cronjobs", "ingresses", "rolebindings", "clusterrolebindings", "roles", "clusterroles"]
verbs: ["get", "list", "watch"]
Apply the new cluster role. This action adds the role to the cluster:
kubectl apply -f reader-role.yaml
Now lets create the cluster role binding. This binds a kubernetes group or user to a ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: reader-role-binding
subjects:
- kind: Group
name: readers # <- The name of the group you mapped the ARN role to in the configmap
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: read-only-access # <- Name of the cluster role you created
apiGroup: rbac.authorization.k8s.io
And apply the yaml to the cluster:
kubectl apply -f reader-role-binding.yaml
Be aware that cluster role binding may take some time to propagate in the cluster.
That’s it! Next, move on to the connector configuration instructions.
Configure the EKS connector
To complete this task, you’ll need:
- The Connector Administrator or Super Administrator role in ConductorOne
- Access to the set of EKS credentials generated by following the instructions above
Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.
In ConductorOne, navigate to Admin > Connectors and click Add connector.
Search for AWS Elastic Kubernetes Service and click Add.
Choose how to set up the new EKS connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
Click Next.
Find the Settings area of the page and click Edit.
Enter the EKS credentials into the relevant fields.
Finally, tell the connector where to find the identities that will be used for this app in ConductorOne.
In the Shared identity source area of the page, click Edit.
Select your AWS v2 connector.
Optional. Limit the identities pulled from the connector you selected to only those with a certain entitlement by setting the entitlement.
Click Save.
Click Save.
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
That’s it! Your EKS connector is now pulling access data into ConductorOne.
Follow these instructions to use the EKS connector, hosted and run in your own environment.
When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.
Step 1: Set up a new EKS connector
In ConductorOne, navigate to Connectors > Add connector.
Search for Baton and click Add.
Choose how to set up the new EKS connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
Click Next.
In the Settings area of the page, click Edit.
Click Rotate to generate a new Client ID and Secret.
Carefully copy and save these credentials. We’ll use them in Step 2.
Finally, tell the connector where to find the identities that will be used for this app in ConductorOne.
In the Shared identity source area of the page, click Edit.
Select your AWS v2 connector.
Optional. Limit the identities pulled from the connector you selected to only those with a certain entitlement by setting the entitlement.
Click Save.
Step 2: Create Kubernetes configuration files
Create two Kubernetes manifest files for your EKS connector deployment:
Secrets configuration
# baton-eks-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: baton-eks-secrets
type: Opaque
stringData:
# ConductorOne credentials
BATON_CLIENT_ID: <ConductorOne client ID>
BATON_CLIENT_SECRET: <ConductorOne client secret>
# EKS credentials
BATON_EKS_ACCESS_KEY: <EKS access key>
BATON_EKS_SECRET_ACCESS_KEY: <EKS access key secret>
BATON_EKS_REGION: <Name of the AWS account region>
BATON_EKS_ASSUME_ROLE_ARN: <TARN of the IAM role to assume>
BATON_EKS_CLUSTER_NAME: <Name of the EKS cluster>
See the connector’s README or run --help to see all available configuration flags and environment variables.
Deployment configuration
# baton-eks.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: baton-eks
labels:
app: baton-eks
spec:
selector:
matchLabels:
app: baton-eks
template:
metadata:
labels:
app: baton-eks
baton: true
baton-app: eks
spec:
containers:
- name: baton-eks
image: ghcr.io/conductorone/baton-eks:latest
imagePullPolicy: IfNotPresent
envFrom:
- secretRef:
name: baton-eks-secrets
Step 3: Deploy the connector
Create a namespace in which to run ConductorOne connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the EKS connector to. EKS data should be found on the Entitlements and Accounts tabs.
That’s it! Your EKS connector is now pulling access data into ConductorOne.