EKS (Instance Profile)

Learn how to add and manage an Amazon EKS cluster configured with an EC2 instance profile.

For an overview of the available Kubernetes features and supported platforms, please see our Kubernetes guide.

Overview

This guide describes how to manage access to an Amazon Elastic Kubernetes Service (EKS) Instance Profile cluster via the StrongDM Admin UI. This cluster type supports AWS IAM role authentication for EKS resources and gateways running in EC2. EKS clusters are added and managed in both the Admin UI and the AWS Management Console.

If you would like to learn more about how to enable automatic resource discovery within your Kubernetes cluster, or use privilege levels to allow users to request various levels of access to the Kubernetes cluster, please read the Kubernetes Discovery and Privilege Levels section to learn more about those features prior to following this configuration guide.

Prerequisites

Before you begin, ensure that the EKS endpoint you are connecting is accessible from one of your StrongDM gateways or relays. See our Nodes guide for more information.

If you are using kubectl 1.30 or higher, it will default to using websockets, which the StrongDM client did not support prior to version 45.35.0. This can be remedied by taking one of the following actions:

Update your client to version 45.35.0 or greater.
Set the environment variable KUBECTL_REMOTE_COMMAND_WEBSOCKETS=false to restore the previous behavior in your kubectl.

Credentials-reading order

During authentication with your AWS resource, the system looks for credentials in the following places in this order:

Environment variables (if the Enable Environment Variables box is checked)
Shared credentials file
EC2 role or ECS profile

As soon as the relay or gateway finds credentials, it stops searching and uses them. Due to this behavior, we recommend that all similar AWS resources with these authentication options use the same method when added to StrongDM.

For example, if you are using environment variables for AWS Management Console and using EC2 role authentication for an EKS cluster, when users attempt to connect to the EKS cluster through the gateway or relay, the environment variables are found and used in an attempt to authenticate with the EKS cluster, which then fails. We recommend using the same type for all such resources to avoid this problem at the gateway or relay level. Alternatively, you can segment your network by creating subnets with their own relays and sets of resources, so that the relays can be configured to work correctly with just those resources.

Cluster setup

You can find information about your cluster in the AWS Management Console on your EKS cluster’s general configuration page.

Manage the IAM role

In the AWS Management Console, go to Identity and Access Management (IAM) > Roles.
Create a role to be used for accessing the cluster, or select an existing role to be used.
Attach or set the role to what you are using to run your relay (for example, an EC2 instance, ECS task, EKS pod, and so forth). See AWS documentation for information on how to attach roles to EC2 instances, set the role of an ECS task, and set the role of a pod in EKS.
Copy the Role ARN (the Amazon Resource Name specifying the role).

Grant the role the ability to interact with the cluster

While authenticated to the cluster using your existing connection method, run the following command to edit the aws-auth ConfigMap (YML file) within Kubernetes:

kubectl edit -n kube-system configmap/aws-auth

Copy the following snippet and paste it into the file under the data: heading, as shown:

data:
  mapRoles: |
    - rolearn: <ARN_OF_INSTANCE_ROLE>
      username: <USERNAME>
      groups:
        - <GROUP>

In that snippet, do the following:
1. Replace <ARN_OF_INSTANCE_ROLE> with the ARN of the instance role.
2. Under groups:, replace <GROUP> with the appropriate group for the permissions level you want this StrongDM connection to have (see Kubernetes Roles for more details).
Example:

data:
  mapRoles: |
    - rolearn: arn:aws:iam::123456789012:role/Example
      username: system:node:{{EC2PrivateDNSNameExample}}
      groups:
        - system:masters

The name under groups: in the mapRoles block must match the subject name in the desired ClusterRoleBinding, not the name of the ClusterRoleBinding itself. For example, if a default EKS cluster has a ClusterRoleBinding called cluster-admin, with a group named system:masters, then the name system:masters must be input in the mapRoles block under groups:.

In the following example of the default ClusterRoleBinding for cluster-admin on an unconfigured EKS cluster, you can see that the group name under Subjects is system:masters.

Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters

Also note that in the YML file, the indentation is critically important. If the indentation is wrong, the Edit command does not trigger an error message, but the change fails. Note that mapRoles should be at the same indent level as mapUsers in that file.

Save the file and exit your text editor.

Resource Configuration in StrongDM

This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs.

Set up and Manage With the Admin UI

If using the Admin UI to add the resource to StrongDM, use the following steps.

Log in to the Admin UI and go to Infrastructure > Clusters.
Click the Add cluster button.
Select Elastic Kubernetes Service (instance profile) as the Cluster Type and set other resource properties to configure how the StrongDM relay connects.
Click Create to save the resource.

The Admin UI updates and shows your new cluster in a green or yellow state. Green indicates a successful connection. If it is yellow, click the pencil icon to the right of the server to reopen the Connection Details screen. Then click Diagnostics to determine where the connection is failing.

Set up and Manage With the CLI

This section provides general steps on how to configure and manage the resource using the StrongDM CLI. For more information and examples, please see the CLI Reference documentation.

In your terminal or Command Prompt, log in to StrongDM:
```
sdm login
```

Run sdm admin clusters add`` ``eks-instance-profile --help to view the help text for the command, which shows you how to use the command and what options (properties) are available. Note which properties are required and collect the values for them.

NAME:
   sdm admin clusters add amazon-eks-instance-profile - create Elastic Kubernetes Service (instance profile) cluster

USAGE:
   sdm admin clusters add amazon-eks-instance-profile [command options] <name>

OPTIONS:
   --allow-resource-role-bypass                 (For legacy orgs) allows users to fallback to the existing authentication mode (Leased Credential or Identity Set) when a resource role is not provided.
   --bind-interface value                       IP address on which to listen for connections to this resource on clients. Specify "default", "loopback", or "vnm" to automatically allocate an available address from the corresponding IP range configured in the organization. (default: "default")
   --certificate-authority value                (secret)
   --cluster-name value                         (required)
   --discovery-enabled                          Enable discovery for the cluster.
   --discovery-username value                   The user to impersonate in the cluster when running discovery. Required if the cluster is configured for identity aliases. (conditional)
   --egress-filter value                        apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
   --endpoint value                             (required)
   --healthcheck-namespace default              This path will be used to check the health of your connection.  Defaults to default.
   --identity-alias-healthcheck-username value  (conditional)
   --identity-set-id value                      
   --identity-set-name value                    set the identity set by name
   --port-override value                        Port on which to listen for connections to this resource on clients. Specify "-1" to automatically allocate an available port. (default: -1)
   --proxy-cluster-id value                     proxy cluster id
   --region value                               (required)
   --role-arn value                             (secret)
   --role-external-id value                     (secret)
   --secret-store-id value                      secret store id
   --subdomain value, --bind-subdomain value    DNS subdomain through which this resource may be accessed on clients (e.g. "app-prod" allows the resource to be accessed as "app-prod.<your-org-name>.<sdm-proxy-domain>"). Only applicable to HTTP-based resources or resources using virtual networking mode.
   --tags value                                 tags e.g. 'key=value,...'
   --template, -t                               display a JSON template
   --timeout value                              set time limit for command

Then run sdm admin clusters add eks-instance-profile <RESOURCE_NAME> and set all required properties with their values. For example:

sdm admin clusters add amazon-eks-instance-profile "eks-cluster-ip-prod"
  --cluster-name "eks-prod-instance-profile"
  --region "us-east-1"
  --endpoint "https://ABCDE12345.gr7.us-east-1.eks.amazonaws.com"
  --certificate-authority "/etc/strongdm/certs/eks-ca.crt"
  --role-arn "arn:aws:iam::123456789012:role/StrongDM-EKS-Access"
  --role-external-id "ext-id-eks-ip-prod-2025"
  --identity-set-name "EKS Instance Profile Admins"
  --identity-alias-healthcheck-username "svc_eks_health"
  --discovery-enabled
  --discovery-username "sdm-discovery"
  --healthcheck-namespace "default"
  --bind-interface "default"
  --port-override -1
  --egress-filter 'field:name tag:env=prod tag:region=us-east'
  --proxy-cluster-id "plc_0123456789abcdef"
  --secret-store-id "ss_abcdef0123456789"
  --subdomain "eks-ip-prod01"
  --tags "env=prod,cloud=aws,platform=kubernetes,auth=instance-profile,team=platform"
  --timeout 30

Check that the resource has been added. The output of the following command should show the resource's name:
```
sdm admin clusters list
```

Set up and Manage With Terraform

This section provides an example of how to configure and manage the resource using the Terraform provider. For more information and examples, please see the Terraform provider documentation.

# Install StrongDM provider
terraform {
  required_providers {
    sdm = {
      source  = "strongdm/sdm"
      version = "5.1.0"
    }
  }
}

# Configure StrongDM provider
provider "sdm" {
  # Add API access key and secret key from the Admin UI
  api_access_key = "njjSn...5hM"
  api_secret_key = "ziG...="
}

# Create Amazon EKS (Instance Profile) cluster
resource "sdm_resource" "eks_instance_profile_prod" {
  amazon_eks_instance_profile {
    # Required
    name         = "eks-cluster-ip-prod"                                   # <name>
    cluster_name = "eks-prod-instance-profile"                              # --cluster-name
    region       = "us-east-1"                                              # --region
    endpoint     = "https://ABCDE12345.gr7.us-east-1.eks.amazonaws.com"    # --endpoint

    # TLS / CA
    certificate_authority = file("/etc/strongdm/certs/eks-ca.crt")         # --certificate-authority

    # Optional role assumption (with instance profile as base auth)
    role_arn         = "arn:aws:iam::123456789012:role/StrongDM-EKS-Access" # --role-arn (optional)
    role_external_id = "ext-id-eks-ip-prod-2025"                            # --role-external-id (optional)

    # Identity & discovery
    identity_set_name                   = "EKS Instance Profile Admins"     # --identity-set-name
    identity_alias_healthcheck_username = "svc_eks_health"                  # --identity-alias-healthcheck-username (conditional)
    discovery_enabled                   = true                               # --discovery-enabled
    discovery_username                  = "sdm-discovery"                   # --discovery-username
    healthcheck_namespace               = "default"                          # --healthcheck-namespace

    # Common networking options
    bind_interface = "default"                                              # --bind-interface ("default" | "loopback" | "vnm")
    port_override  = -1                                                     # --port-override (-1 = auto-allocate)
    egress_filter  = "field:name tag:env=prod tag:region=us-east"           # --egress-filter
    subdomain      = "eks-ip-prod01"                                        # --subdomain / --bind-subdomain (for VN access)

    # Optional integrations
    proxy_cluster_id = "plc_0123456789abcdef"                               # --proxy-cluster-id
    secret_store_id  = "ss_abcdef0123456789"                                # --secret-store-id (for CA or extras)

    # (Legacy orgs) allow fallback auth when no resource role is provided
    allow_resource_role_bypass = false                                      # --allow-resource-role-bypass

    # Tags
    tags = {                                                                 # --tags
      env      = "prod"
      cloud    = "aws"
      platform = "kubernetes"
      auth     = "instance-profile"
      team     = "platform"
    }
  }
}

Resource properties

The EKS (instance profile) cluster type has the following properties.

Property

Requirement

Description

Display Name

Required

Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)

Cluster Type

Required

Elastic Kubernetes Service (instance profile)

Proxy Cluster

Required

Defaults to "None (use gateways)"; if using proxy clusters, select the appropriate cluster to proxy traffic to this resource

Endpoint

Required

API server endpoint of the EKS cluster in the format <ID>.<REGION>.eks.amazonaws.com, such as A95FBC180B680B58A6468EF360D16E96.yl4.us-west-2.eks.amazonaws.com; relay server should be able to connect to your EKS endpoint

Connectivity Mode

Required

Select either Virtual Networking Mode, which lets users connect to the resource with a software-defined, IP-based network; or Loopback Mode, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if Virtual Networking Mode enabled for your organization

IP Address

Optional

If Virtual Networking Mode is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if Loopback Mode is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, 127.0.0.1); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if Virtual Networking Mode and/or multi-loopback mode is enabled for your organization

Port Override

Optional

If Virtual Networking Mode is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if Loopback Mode is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the Port Overrides settings

DNS

Optional

If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, k8s.my-organization-name) instead of the bind address that includes IP address and port (for example, 100.64.100.100:5432)

Secret Store

Optional

Credential store location; defaults to none (credentials are stored in StrongDM resource configuration); to learn more, see Secret Store options

Server CA

Optional

Pasted server certificate (plaintext or Base64-encoded), or imported PEM file; you can either generate the server certificate on the API server or get it in Base64 format from your existing Kubernetes configuration (kubeconfig) file

Cluster Name

Required

Name of the EKS cluster

Region

Required

Region of the EKS cluster, such as us-west-1

Healthcheck Namespace

Optional

If enabled for your organization, the namespace used for the resource healthcheck; defaults to default if empty; supplied credentials must have the rights to perform one of the following kubectl commands in the specified namespace: get pods, get deployments, or describe namespace

Enable Resource Discovery

Optional

Enables automatic discovery within this cluster

Authentication

Required

Authentication method to access the cluster; select either Leased Credential (default) or Identity Aliases (to use the Identity Aliases of StrongDM users to access the cluster)

Identity Set

Required

Displays if Authentication is set to Identity Aliases; select an Identity Set name from the list

Healthcheck Username

Required

If Authentication is set to Identity Aliases, the username that should be used to verify StrongDM's connection to it; username must already exist on the target cluster

Assume Role ARN

Optional

Role ARN, such as arn:aws:iam::000000000000:role/RoleName, that allows users accessing this resource to assume a role using AWS AssumeRole functionality

Assume Role External ID

Optional

External ID if leveraging an external ID to users assuming a role from another account; if used, it must be used in conjunction with Assume Role ARN; see the AWS documentation on using external IDs for more information

Resource Tags

Optional

Resource Tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

Display name

Some Kubernetes management interfaces, such as Visual Studio Code, do not function properly with cluster names containing spaces. If you run into problems, please choose a Display Name without spaces.

Client credentials

When your users connect to this cluster, they have exactly the rights permitted by this AWS key pair. See AWS documentation for more information.

Server CA

How to get the Server CA from your kubeconfig file:

Open the CLI and type cat ~/.kube/config to view the contents of the file.
In the file, under - cluster, copy the certificate-authority-data value. That is the server certificate in Base64 encoding.

  - cluster:
    certificate-authority-data: ... SERVER CERT BASE64 ...

Secret Store options

By default, server credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown menu if they are created under Settings > Secrets Management. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.

Test the Connection

After creating the EKS (Instance Profile) cluster resource in the Admin UI, navigate to Infrastructure > Clusters and locate your newly added cluster. The health indicator should turn green once StrongDM successfully connects to the EKS control plane using the instance profile role.
On a test client using the StrongDM desktop app or CLI, connect to the cluster and run a basic command such as:
```
kubectl get nodes
```
Confirm that the output lists your EKS nodes and that the connection is routed through StrongDM.
If Discovery is enabled, in the Admin UI verify that namespaces, roles, and service accounts appear under the cluster’s Discovery tab. This confirms StrongDM successfully queried the Kubernetes API.
If the health status remains red or yellow:
- Verify the cluster’s endpoint, region, and instance profile permissions are correct and reachable from your relay or gateway.
- Check the certificate authority file and ensure the control plane endpoint uses valid TLS configuration.
- Confirm the healthcheck_namespace exists and the identity alias user (if specified) has access to perform Kubernetes health checks.
- Review the Diagnostics tab for authentication, IAM, or network errors.
Once connectivity is verified and Kubernetes operations succeed, the EKS (Instance Profile) cluster resource is ready for use. You can assign roles, apply policies, and monitor cluster access through StrongDM.

Help

If you encounter issues, please consult the StrongDM Help Center.

Be prepared to provide the following information to StrongDM Support, so that they can inspect logs and confirm node and resource health:

Resource name or ID
CLI error output or logs
Node name and region
Timestamps of failed attempts

Last updated 18 days ago

Was this helpful?

Overview

Prerequisites

Credentials-reading order

Cluster setup

Manage the IAM role

Grant the role the ability to interact with the cluster

Resource Configuration in StrongDM

Set up and Manage With the Admin UI

Set up and Manage With the CLI

Set up and Manage With Terraform

Set up and Manage With SDKs

Resource properties

Display name

Client credentials

Server CA

Secret Store options

Test the Connection

Help