1 Answer
Hello,
Let's assume your EKS cluster is in Account A, and your Lambda function is in Account B.
Networking:
In order to access your EKS cluster from Account B, your EKS cluster will either need to be enabled with a public access endpoint, or you will have to use VPC peering or a transit gateway to connect the EKS cluster VPC in Account A with the VPC associated with your Lambda in Account B.
IAM:
- Create an IAM role in your Account A and add it to the aws-auth configmap of your EKS cluster to allow the required permissions to this IAM role. Also, make sure that the IAM role has the `eks:DescribeCluster` permission.
- Allow the Lambda execution role of your Account B to perform the `sts:AssumeRole` action in the above created IAM role's trust relationship. This will allow your Lambda function in Account B to assume the IAM role in Account A.
Lambda code:
- Perform the `sts:AssumeRole` operation on the IAM role in Account A to assume that role and get its credentials.
- Perform the `eks:DescribeCluster` operation to get the cluster details.
- Create the kubeconfig file using the DescribeCluster output. Please refer to this document to understand how to manually create the kubeconfig using the cluster details from the DescribeCluster output. I found this Stack Overflow post that has the Python code to create the kubeconfig file.
Now that the kubeconfig file is set up, you can perform API operations on your EKS cluster.
Hope this helps!
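The three Lambda-side steps above (AssumeRole, DescribeCluster, build the kubeconfig), as an added example that is not part of the answer or of any AWS-provided code. It assumes boto3 is available in the Lambda runtime (it is imported lazily so the pure helpers run without it), that the caller passes the Account A role ARN, cluster name and region in the event, and that the mapping of the role in aws-auth grants only the Kubernetes group the function needs. The kubeconfig builder validates the endpoint scheme and the CA data before writing anything, and the sample DescribeCluster output at the bottom is constructed for offline use.

```python
"""Cross-account EKS access from Lambda: assume role -> describe cluster -> kubeconfig.

Added example, not the answerer's code. Role ARN, cluster name and region are
assumptions supplied by the caller via the Lambda event.
"""
import base64
import json

EKS_TOKEN_API_VERSION = "client.authentication.k8s.io/v1beta1"


def assume_cross_account_role(role_arn, session_name="eks-lambda", region=None):
    """Step 1: sts:AssumeRole into the Account A role; returns temporary credentials."""
    import boto3  # lazy: present in the Lambda runtime, not needed by the pure helpers below
    sts = boto3.client("sts", region_name=region)
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    return resp["Credentials"]


def describe_cluster(creds, cluster_name, region):
    """Step 2: eks:DescribeCluster using the assumed-role credentials, not the Lambda's own."""
    import boto3
    eks = boto3.client(
        "eks",
        region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return eks.describe_cluster(name=cluster_name)["cluster"]


def build_kubeconfig(cluster, role_arn=None, token=None):
    """Step 3: turn the DescribeCluster 'cluster' object into a kubeconfig dict.

    role_arn: if given, the exec plugin passes --role-arn so `aws eks get-token`
              signs as the Account A role (useful when running where the CLI exists).
    token:    a pre-generated bearer token; when set, no exec plugin is emitted,
              which is what a Lambda (no aws CLI on the image) needs.
    """
    endpoint = cluster["endpoint"]
    ca_data = cluster["certificateAuthority"]["data"]
    if not endpoint.startswith("https://"):
        raise ValueError("cluster endpoint must use https")
    # Reject malformed CA data up front; kubectl would otherwise fail later with a less clear error.
    base64.b64decode(ca_data, validate=True)  # binascii.Error (a ValueError) if not base64

    if token:
        user = {"token": token}
    else:
        args = ["eks", "get-token", "--cluster-name", cluster["name"]]
        if role_arn:
            args += ["--role-arn", role_arn]
        user = {"exec": {"apiVersion": EKS_TOKEN_API_VERSION, "command": "aws", "args": args}}

    name = cluster["arn"]  # the ARN doubles as cluster, context and user name, as the AWS doc does
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": name, "cluster": {"server": endpoint, "certificate-authority-data": ca_data}}],
        "users": [{"name": name, "user": user}],
        "contexts": [{"name": name, "context": {"cluster": name, "user": name}}],
        "current-context": name,
    }


def kubeconfig_to_text(cfg):
    """Serialize as JSON: JSON is valid YAML, and kubectl and the k8s clients load it as a kubeconfig."""
    return json.dumps(cfg, indent=2)


def lambda_handler(event, context):
    """Ties the steps together; event keys are constructed for this example."""
    creds = assume_cross_account_role(event["role_arn"], region=event["region"])
    cluster = describe_cluster(creds, event["cluster_name"], event["region"])
    cfg = build_kubeconfig(cluster, token=event.get("token"))
    path = "/tmp/kubeconfig"  # Lambda's only writable scratch space
    with open(path, "w") as fh:
        fh.write(kubeconfig_to_text(cfg))
    return {"kubeconfig": path, "endpoint": cluster["endpoint"]}


# Constructed sample DescribeCluster output so the pure helpers can be exercised offline.
SAMPLE_CLUSTER = {
    "name": "demo",
    "arn": "arn:aws:eks:us-east-1:111111111111:cluster/demo",
    "endpoint": "https://EXAMPLE.gr7.us-east-1.eks.amazonaws.com",
    "certificateAuthority": {
        "data": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n").decode()
    },
}

if __name__ == "__main__":
    print(kubeconfig_to_text(build_kubeconfig(SAMPLE_CLUSTER, role_arn="arn:aws:iam::111111111111:role/EksAccessRole")))
```

Inside Lambda there is no `aws` binary, so the exec-plugin form only works where the CLI is installed; for the function itself you pass a bearer token generated in code (what `aws eks get-token` does is presign an STS GetCallerIdentity request carrying the `x-k8s-aws-id` header, which is the part the Stack Overflow post referenced above implements). Keep the assumed role's aws-auth mapping to a namespaced group rather than `system:masters`, and note that the STS AssumeRole call lands in Account A's CloudTrail, which is where you would alert on unexpected sessions from this role.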
Hello Venkat, thanks for your suggestion. Will try this and give feedback.