Back to SSO guides

AWS EKS SSO

Use AWS EKS SSO with K8Studio

This guide shows how K8Studio connects to EKS when authentication is backed by AWS IAM Identity Center. The kubeconfig runs the AWS CLI exec plugin, and EKS authorizes the resulting role through access entries.

Important behavior

K8Studio should not silently run AWS SSO login. It should run the kubeconfig exec command, detect missing or expired SSO tokens, then show a clear Login with AWS SSO action for the user to click.

Download setup script
1

Confirm IAM Identity Center is enabled

Open IAM Identity Center and confirm the start URL, Identity Center region, AWS account ID, and user or group that will connect to EKS.

aws sso-admin list-instances --region us-east-1 --profile cloudops
2

Create a permission set

Create a permission set such as K8StudioEKSExec. The AWS side needs enough access to describe the cluster and call STS; Kubernetes permissions come from EKS access entries.

aws sso-admin create-permission-set --name K8StudioEKSExec --instance-arn <instance-arn>
3

Assign the user or group to the AWS account

Assign the Identity Center user or group to the AWS account with the permission set. AWS creates an AWSReservedSSO IAM role behind the scenes.

aws sso-admin create-account-assignment --instance-arn <instance-arn> --target-id <account-id> --permission-set-arn <permission-set-arn>
4

Configure the local SSO profile

Create a local AWS CLI profile that points to the SSO start URL, region, account ID, and permission set role name.

aws configure sso --profile k8studio-sso
5

Login with AWS SSO

Run the login once. AWS opens a browser flow and stores a short-lived SSO token in the local AWS cache.

aws sso login --profile k8studio-sso
6

Add the SSO role to EKS

Find the AWSReservedSSO role ARN and create an EKS access entry for it. Attach the EKS access policy that matches what K8Studio should be allowed to do.

aws eks create-access-entry \
  --cluster-name k8studio-auth-eks \
  --principal-arn <sso-role-arn>
7

Generate the kubeconfig

Generate or edit the kubeconfig so the user uses exec authentication and AWS_PROFILE points to the SSO profile.

aws eks update-kubeconfig --name k8studio-auth-eks --region us-east-1 --profile k8studio-sso
8

Verify with kubectl

Before opening K8Studio, confirm that kubectl can connect using the same context and profile.

kubectl --context k8studio-sso@k8studio-auth-eks.us-east-1.eksctl.io get nodes
9

Add the kubeconfig to K8Studio

Open K8Studio, add the kubeconfig file, select the SSO-backed EKS context, and connect. K8Studio runs aws eks get-token through the kubeconfig exec plugin.

10

Test the logged-out state

Logout from AWS SSO and reconnect. K8Studio should detect the missing SSO token and show a user-clicked Login with AWS SSO action.

aws sso logout --profile k8studio-sso

AWS console screenshots

IAM Identity Center screenshots

AWS now calls AWS SSO IAM Identity Center. Capture these screens to show the exact console setup behind the K8Studio EKS SSO flow.

IAM Identity Center instance

IAM Identity Center screenshot placeholder

IAM Identity Center instance

Show the enabled IAM Identity Center instance, including the AWS access portal URL and the Identity Center region.

AWS Console > IAM Identity Center > Settings

User or group assignment

IAM Identity Center screenshot placeholder

User or group assignment

Show the user or group that will receive EKS access through the AWS account assignment.

AWS Console > IAM Identity Center > Users or Groups

K8StudioEKSExec permission set

IAM Identity Center screenshot placeholder

K8StudioEKSExec permission set

Show the permission set that allows the AWS CLI to describe the EKS cluster and call STS.

AWS Console > IAM Identity Center > Permission sets

AWS account assignment

IAM Identity Center screenshot placeholder

AWS account assignment

Show the account assignment that connects the user or group to the AWS account using the K8StudioEKSExec permission set.

AWS Console > IAM Identity Center > AWS accounts

Screenshots to add

AWS SSO browser login

Screenshot placeholder

K8Studio SSO login required state

Screenshot placeholder

EKS access entry in AWS console

Screenshot placeholder

Successful EKS cluster view in K8Studio

Screenshot placeholder