I’d like to configure the kubectl tool to use the variables defined in my current shell in order to connect to the cluster, rather than pointing to the profile defined in a ~/.aws/credentials file, for security reasons.
This works with the normal aws command already, as well as terraform which is what I’m using to provision my resources.
I’m sourcing the values into my shell before running commands via the 1Password CLI tool. Is it possible to have the kubectl command use the values already defined in my current shell environment (currently $AWS_ACCESS_KEY_ID and $AWS_SECRET_ACCESS_KEY) rather than using the configuration file?
If not, how do you typically avoid hardcoding AWS keys into local configuration files that let you connect to an EKS cluster on AWS?
2
Answers
Yes, you can configure kubectl to use environment variables for AWS credentials instead of relying on the AWS credentials file. This approach enhances security by avoiding the need to store sensitive information in static files. Kubernetes supports the use of exec credential plugins, and the AWS CLI can be used as such a plugin to fetch credentials dynamically.
The
kubectlcommand is not using the aws credentials, but the context configuration in $HOME/.kube/configYou may configure the k8s context using the aws eks command which is using the env variables. btw — I suggest always providing AWS_REGION too along the credentials
Then check the kubectl context, it should be configured