Authenticating to AWS EKS (Elastic Kubernetes Service) using AWS IAM (Identity and Access Management) credentials is a crucial aspect of managing and securing these clusters. However, IAM is not the only option for authenticating to them: you can also configure additional identity providers (IDPs) for this purpose. In this post, I'll explain the steps necessary to authenticate with Okta.

Prerequisites

Before diving into the specifics, please ensure you have the following -

  1. An Okta app, with its corresponding client ID/secret.
  2. Terraform configs which create the cluster, and have admin level access to configure the cluster.

Configuring the EKS OIDC IDP Module

  1. Use this module in your Terraform configuration, specifying the required input variables: cluster name, cluster email, IDP client ID, issuer URL, group claim, username claim, and the admin/readonly groups and users. A sample config looks like this -

    module "eks_oidc_idp" {
        source = "git::ssh://git@github.com/abiydv/aws-eks-okta-auth.git?ref=v1.0.0"

        cluster_name       = "my-cluster"
        cluster_email      = "user"
        idp_client_id      = "client-id"
        idp_config_name    = "okta"
        idp_issuer_url     = "https://example.okta.com"
        idp_group_claim    = "groups"
        idp_username_claim = "username"
        idp_cluster_admin_groups    = ["okta-admins"]
        idp_cluster_admin_users     = ["user1", "user2"]
        idp_cluster_readonly_groups = ["okta-devs"]
        idp_cluster_readonly_users  = ["user3", "user4"]
        tags = var.tags
    }
  2. Apply the Terraform configuration to provision the OIDC provider for your EKS cluster. This might take up to 20 minutes to complete.
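To show what the module's group/claim inputs actually turn into, here is an added example written directly against the AWS and Kubernetes Terraform providers; it is not the module's own code. It assumes both providers are already configured for the cluster, and the issuer URL, client ID and group names are placeholders matching the sample above.

```hcl
# Added example, not the module's code: associate Okta as an OIDC IDP
# with the cluster, then bind its groups to built-in ClusterRoles.
resource "aws_eks_identity_provider_config" "okta" {
  cluster_name = "my-cluster"
  oidc {
    identity_provider_config_name = "okta"
    client_id                     = "client-id"
    issuer_url                    = "https://example.okta.com"
    groups_claim                  = "groups"
    username_claim                = "username"
    # Prefixes keep OIDC identities from colliding with IAM-mapped
    # users and groups such as system:masters.
    groups_prefix   = "okta:"
    username_prefix = "okta:"
  }
}

# Okta admin group gets cluster-admin. The subject name must carry the
# same prefix configured above, or the binding never matches.
resource "kubernetes_cluster_role_binding" "okta_admins" {
  metadata { name = "okta-cluster-admins" }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "okta:okta-admins"
  }
}

# Read-only group gets the built-in "view" ClusterRole instead of a
# hand-rolled role, so no write verbs can slip in.
resource "kubernetes_cluster_role_binding" "okta_readonly" {
  metadata { name = "okta-cluster-readonly" }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "view"
  }
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "okta:okta-devs"
  }
}
```

After apply, `kubectl get clusterrolebindings okta-cluster-admins -o yaml` shows the prefixed group name the API server will compare against the token's groups claim.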

Installing the Kubelogin Plugin

To authenticate with Okta, we need to install the Kubelogin plugin. Follow these steps:

  1. Install the Kubelogin plugin using the appropriate package manager for your system.
  2. Verify the installation by running the kubectl oidc-login --help command.

Configuring the Kubectl User

In the ~/.kube/config file, add a new user configuration under the users section, specifying the necessary details such as name, exec command, OIDC issuer URL, client ID, client secret, and additional scopes.

    - name: okta
      user:
        exec:
          apiVersion: client.authentication.k8s.io/v1beta1
          args:
          - oidc-login
          - get-token
          - --oidc-issuer-url=https://okta.com/oauth2/
          - --oidc-client-id=clientid
          - --oidc-client-secret=clientsecret
          - --oidc-extra-scope=profile
          command: kubectl
          env: null
          provideClusterInfo: false

Testing Access

To test access to your EKS cluster using Okta authentication, execute any kubectl command. For example, run kubectl get svc to list the cluster's services. If the command succeeds, you have authenticated with Okta as the IDP.

Conclusion

In this blog post, we have learned how to authenticate to an AWS EKS cluster using Okta as the IDP. By leveraging Okta’s secure authentication capabilities and the flexibility of AWS EKS, you can ensure robust access control and streamlined management of your Kubernetes clusters. Implementing Okta as the IDP enhances the security and ease of use for developers and administrators working with your EKS infrastructure.

Note:  Code mentioned above is here