Using AWS EKS

PreviousSetting up a K8s Integration NextUsing Azure AKS

Last updated 6 days ago

Was this helpful?

Using AWS EKS

CloudQuery Platform currently supports integration with Amazon Elastic Kubernetes Service (EKS). This guide explains the required AWS account setup and configuration steps needed to enable CloudQuery to access your EKS clusters and run sync.

Prerequisites

In order for the CloudQuery Kubernetes source plugin to be able to sync resources from a given cluster, the API Server Endpoint of that cluster needs to be publicly available.

Before starting, configure this environment variable:

export TARGET_ACCOUNT_ID="<AWS target account>"

First, follow the to create the necessary roles and policies. This will establish the basic cross-account access needed for CloudQuery to interact with your AWS resources.

Configure EKS Cluster Access

In the Target AWS Account (Account to Sync)

Create an IAM access entry for your EKS cluster:

aws eks create-access-entry \
    --cluster-name my-cluster \
    --principal-arn arn:aws:iam::${TARGET_ACCOUNT_ID}:role/cross-account-readonly-role \
    --type STANDARD

Choose one of the following policies based on the level of access required:

Full Cluster View (recommended): Allows CloudQuery to sync all cluster resources.

aws eks associate-access-policy \
    --cluster-name my-cluster \
    --principal-arn arn:aws:iam::${TARGET_ACCOUNT_ID}:role/cross-account-readonly-role \
    --access-scope type=cluster \
    --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminViewPolicy

Restricted View

Note: If you choose this policy, most core cluster resources such as Nodes, RBAC Roles, and Secrets will not be synced.

If you don’t need access to these resources, you can use a more restrictive view policy instead:

aws eks associate-access-policy \
    --cluster-name my-cluster \
    --principal-arn arn:aws:iam::${TARGET_ACCOUNT_ID}:role/cross-account-readonly-role \
    --access-scope type=cluster \
    --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy

Creating K8s Integration

Navigate to Data Pipelines → Integrations in CloudQuery Platform
Click Create Integration and select K8s

Update the YAML configuration with your cluster details:

kind: source
spec:
  name: k8s
  path: cloudquery/k8s
  version: v7.6.0 # latest version of source k8s plugin
  tables:
    - "*"
  spec:
    providers:
      - cluster: my-cluster
        aws:
          region: <cluster-region>
          role_arn: <target-role-arn>
          external_id: <target-role-external-id>

Note: Make sure to replace the placeholder values in the YAML document!

<cluster-region> is the region where your EKS cluster is hosted, such as us-east-1.
<target-role-arn> is the principal ARN used to assign policies during theConfigure EKS Cluster Accessstep.

PreviousSetting up a K8s Integration NextUsing Azure AKS

Last updated 6 days ago

Was this helpful?

Prerequisites

In order for the CloudQuery Kubernetes source plugin to be able to sync resources from a given cluster, the API Server Endpoint of that cluster needs to be publicly available.

Before starting, configure this environment variable:

export TARGET_ACCOUNT_ID="<AWS target account>"

First, follow the to create the necessary roles and policies. This will establish the basic cross-account access needed for CloudQuery to interact with your AWS resources.

Configure EKS Cluster Access

In the Target AWS Account (Account to Sync)

Create an IAM access entry for your EKS cluster:

aws eks create-access-entry \
    --cluster-name my-cluster \
    --principal-arn arn:aws:iam::${TARGET_ACCOUNT_ID}:role/cross-account-readonly-role \
    --type STANDARD

Choose one of the following policies based on the level of access required:

Full Cluster View (recommended): Allows CloudQuery to sync all cluster resources.

aws eks associate-access-policy \
    --cluster-name my-cluster \
    --principal-arn arn:aws:iam::${TARGET_ACCOUNT_ID}:role/cross-account-readonly-role \
    --access-scope type=cluster \
    --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminViewPolicy

Restricted View

Note: If you choose this policy, most core cluster resources such as Nodes, RBAC Roles, and Secrets will not be synced.

If you don’t need access to these resources, you can use a more restrictive view policy instead:

aws eks associate-access-policy \
    --cluster-name my-cluster \
    --principal-arn arn:aws:iam::${TARGET_ACCOUNT_ID}:role/cross-account-readonly-role \
    --access-scope type=cluster \
    --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy

Creating K8s Integration

Navigate to Data Pipelines → Integrations in CloudQuery Platform
Click Create Integration and select K8s

Update the YAML configuration with your cluster details:

kind: source
spec:
  name: k8s
  path: cloudquery/k8s
  version: v7.6.0 # latest version of source k8s plugin
  tables:
    - "*"
  spec:
    providers:
      - cluster: my-cluster
        aws:
          region: <cluster-region>
          role_arn: <target-role-arn>
          external_id: <target-role-external-id>

Note: Make sure to replace the placeholder values in the YAML document!

<cluster-region> is the region where your EKS cluster is hosted, such as us-east-1.
<target-role-arn> is the principal ARN used to assign policies during theConfigure EKS Cluster Accessstep.
<target-role-external-id> is the EXTERNAL_ID environment variable from .