Lambda to access other account EKS clusters

Hello,

Let's assume your EKS cluster is in Account A, and your Lambda function is in Account B.

Networking:

In order to access your EKS cluster from Account B, your EKS cluster will either need to be enabled with public access endpoint, or you will have to use VPC peering or transit gateway and connect the EKS cluster VPC in Account A with the VPC associated with your Lambda in Account B.

IAM:

• Create an IAM role in your Account A and add it to the aws-auth configmap of your EKS cluster to allow the required permissions to this IAM role. Also, make sure that the IAM role has the eks:DescribeCluster permissions.
• Allow the Lambda execution role of your Account B to perform sts:AssumeRole action in the above created IAM role's trust-relationship. This will allow your Lambda function in Account B to assume the IAM role in Account A.

Lambda code:

• Perform sts:AssumeRole operation on the IAM role in Account A to assume that role and get its credentials.
• Perform eks:DescribeCluster operation to get the cluster details.
• Create the kubeconfig file using the DescribeCluster output. Please refer this document to understand how to manually create the kubeconfig using the cluster details from the DescribeCluster output. I found this stackoverflow post that has the python code to create the kubeconfig file.

Now that the kubeconfig file is setup, you can perform API operations on your EKS cluster.

Hope this helps!