Enabling cross-account access from an EC2 Instance to an Amazon EKS cluster

Ajit Inamdar
2 min readJul 2, 2021



Let’s assume that we have multiple AWS accounts — source and target accounts and we want to manage the Kubernetes resources from an EC2 Instance in the source account.


  • Source AWS account
  • Target AWS account
  • EC2 Instance
  • Kubectl utility installed on the EC2 instance
  • EKS Cluster


Cross account EKS access
  1. In your source account, create an IAM role named source-account-iam-role with an IAM policy that allows AssumeRole permissions to target the account’s IAM role.

2. Attach the IAM role created in step 1 to the EC2 Instance in the source account

3. Create an IAM role in the target account, target-account-iam-role, with a trust relationship to source account’s IAM role for the action sts:AssumeRole.


4. Configuring target account’s Amazon EKS cluster — Modify the aws-auth configmap and add the Role under mapRoles to allow Kubernetes cluster access from the EC2 Instance IAM role (source-account-iam-role)

command: kubectl edit configmaps aws-auth -n kube-system

mapRoles: |
. . .
— groups:
— system:masters
rolearn: arn:aws:iam::SOURCE_ACCOUNT:role/source-account-iam-role
username: source-account-iam-role

5. Check access to Kubernetes from the source account EC2 Instance
kubectl get nodes


In this blog, I walked you through the steps to enable cross-account access between your source account and the target account. This type of solution is implemented typically in environments where you need to manage the Kubernetes cluster from a shared environment.

If you have any questions, please feel free to connect with me on LinkedIn

If you find this article helpful please feel free to clap!



Ajit Inamdar