Enabling cross-account access from an EC2 Instance to an Amazon EKS cluster


Let's assume that we have two AWS accounts, a source account and a target account, and we want to manage the Kubernetes resources of an EKS cluster in the target account from an EC2 instance in the source account.


Prerequisites

  • Source AWS account
  • Target AWS account
  • EC2 instance in the source account
  • kubectl utility installed on the EC2 instance
  • EKS cluster in the target account


Cross account EKS access

1. In your source account, create an IAM role named source-account-iam-role with an IAM policy that allows sts:AssumeRole on the target account's IAM role.

2. Attach the IAM role created in step 1 to the EC2 instance in the source account.

3. In the target account, create an IAM role named target-account-iam-role with a trust relationship that allows the source account's IAM role to perform the action sts:AssumeRole.


4. Configure the target account's Amazon EKS cluster: edit the aws-auth ConfigMap and add the EC2 instance's IAM role (source-account-iam-role) under mapRoles so that it is allowed to access the Kubernetes cluster.

Command: kubectl edit configmaps aws-auth -n kube-system

  mapRoles: |
    . . .
    - groups:
      - system:masters
      rolearn: arn:aws:iam::SOURCE_ACCOUNT:role/source-account-iam-role
      username: source-account-iam-role

5. Check access to Kubernetes from the EC2 instance in the source account:

Command: kubectl get nodes
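The five steps above, as an added example that is not part of the original post: a Python script that generates the step 1 and step 3 policy documents and the step 4 mapRoles entry for the role names used here, and checks that the identity the EC2 instance presents (the session ARN reported by aws sts get-caller-identity) normalises to the IAM role ARN mapped in aws-auth. The account ids and the sample session ARN are constructed placeholders.

```python
import json
import re

SOURCE_ACCOUNT = "111111111111"  # constructed placeholder account ids
TARGET_ACCOUNT = "222222222222"
SOURCE_ROLE = "source-account-iam-role"  # role names from the post
TARGET_ROLE = "target-account-iam-role"

def role_arn(account, name):
    return f"arn:aws:iam::{account}:role/{name}"

def source_role_policy():
    """Step 1: policy on the source role; allows assuming only the target role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": role_arn(TARGET_ACCOUNT, TARGET_ROLE)}]}

def target_role_trust_policy():
    """Step 3: trust policy on the target role; trusts the source role, not the whole account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": role_arn(SOURCE_ACCOUNT, SOURCE_ROLE)}}]}

def aws_auth_map_roles_entry(group="system:masters"):
    """Step 4: mapRoles entry. system:masters is cluster-admin; pass a group bound
    to a narrower RBAC role when full admin is not required."""
    return (f"- groups:\n  - {group}\n"
            f"  rolearn: {role_arn(SOURCE_ACCOUNT, SOURCE_ROLE)}\n"
            f"  username: {SOURCE_ROLE}\n")

_ASSUMED = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")

def caller_to_role_arn(caller_arn):
    """`aws sts get-caller-identity` on the instance reports an assumed-role session
    ARN; aws-auth must list the IAM role ARN, so normalise before comparing."""
    m = _ASSUMED.match(caller_arn)
    return role_arn(m.group(1), m.group(2)) if m else caller_arn

def is_mapped(caller_arn, map_roles_yaml):
    """Step 5 pre-check: is the caller's IAM role present in mapRoles?"""
    return f"rolearn: {caller_to_role_arn(caller_arn)}" in map_roles_yaml

if __name__ == "__main__":
    print(json.dumps(source_role_policy(), indent=2))
    print(json.dumps(target_role_trust_policy(), indent=2))
    entry = aws_auth_map_roles_entry()
    # Constructed sample of the session ARN get-caller-identity returns on the instance.
    print(is_mapped(f"arn:aws:sts::{SOURCE_ACCOUNT}:assumed-role/{SOURCE_ROLE}/i-0abc", entry))  # True
```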


In this blog post, I walked you through the steps to enable cross-account access between your source account and the target account. This type of solution is typically implemented in environments where you need to manage the Kubernetes cluster from a shared environment.

If you have any questions, please feel free to connect with me on LinkedIn

If you find this article helpful, please feel free to clap!


