AWS EKS
Overview

The AWS EKS connector lets you manage Kubernetes clusters running on Amazon EKS directly from the Swimlane platform. Amazon EKS is a fully managed Kubernetes service that simplifies running Kubernetes on AWS. The AWS EKS connector for Swimlane Turbine automates the management of EKS clusters, including creation, configuration and deletion, without manual intervention. By integrating with AWS EKS, Swimlane Turbine users can extend their security automation to the cluster control plane, streamline resource management and keep a consistent security posture across their Kubernetes environments, freeing security teams to focus on strategic tasks.

Limitations

None to date.

Supported Versions

This connector supports the AWS EKS API version used by boto3.

Additional Docs

For more information, refer to the Amazon EKS API Reference: https://docs.aws.amazon.com/eks/latest/APIReference/

Configuration

Prerequisites

To use the AWS EKS connector within Swimlane Turbine, ensure you have the following AWS authentication credentials:

- Access Key: your AWS IAM user's access key ID
- Secret Key: your AWS IAM user's secret access key
- Region Name: the AWS region where your EKS clusters are deployed

Authentication Methods

This connector supports the following authentication method: AWS EKS Authentication (access key and secret key, optionally assuming an IAM role; see Configurations below).

Setup Instructions

Obtaining AWS Credentials

To use this integration you need an AWS account and AWS credentials. Obtain them as follows:

1. Log in to your AWS account and navigate to the IAM console.
2. In the left navigation pane, click the "Users" tab and select the user for which you want to create credentials.
3. Click the "Security credentials" tab, then click "Create access key".
4. Save the access key ID and secret access key in a secure location; you will not be able to see the secret access key again after this step.

If you want to use an AWS IAM role to access EKS, you also need the ARN of the role and, if the AWS account administrator specified one, its external ID. An access key is a long-lived credential; where possible, give the key only sts:AssumeRole on that role and let the connector work with the short-lived session credentials the role returns.

Permissions

1. Open the IAM Management Console.
2. Navigate to the user or role that requires the permission.
3. Click the Permissions tab, then click the Add permissions button at the top right of the permissions block.
4. Click Attach policies and select a policy that grants the EKS actions this connector calls: eks:CreateCluster, eks:DeleteCluster, eks:DescribeCluster, eks:ListClusters, eks:CreateAccessEntry, eks:RegisterCluster and eks:UpdateClusterConfig. Create Cluster additionally requires iam:PassRole on the IAM role passed as roleArn.
5. Select the policy and click the Add permissions button at the bottom right.

Troubleshooting Tips

Verify that the provided credentials are correct and have the necessary permissions. An AccessDeniedException response names the action and resource that were denied, which tells you which eks: permission is missing.

Capabilities

This connector provides the following capabilities:

- Create Cluster
- Delete Cluster
- Describe Cluster
- List Clusters
- Create Access Entry
- Register Cluster
- Update Cluster Config

Action 1: Create Cluster
Creates an Amazon EKS control plane.

Action 2: Delete Cluster
Deletes an Amazon EKS cluster control plane.

Action 3: Describe Cluster
Describes an Amazon EKS cluster.

Action 4: List Clusters
Lists the Amazon EKS clusters in your AWS account in the specified AWS region.

Action 5: Create Access Entry
Creates an access entry.

Action 6: Register Cluster
Connects a Kubernetes cluster to the Amazon EKS control plane.

Action 7: Update Cluster Config
Updates an Amazon EKS cluster configuration. Your cluster continues to function during the update. The response output includes an update ID that you can use to track the status of your cluster update with DescribeUpdate.

For more detailed information on each action, refer to the Amazon EKS API Reference (https://docs.aws.amazon.com/eks/latest/APIReference/) and the boto3 EKS documentation (https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/eks.html).

Configurations
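The following is an added example, not Swimlane connector code, that ties together the Permissions steps and the Role ARN and External ID parameters of the AWS EKS Authentication configuration: a least-privilege IAM policy for the seven actions the connector exposes, the trust policy the target role needs so that only the connector's principal presenting the agreed External ID can assume it, and the arguments for the STS AssumeRole call. The account IDs, the connector's principal ARN and the exact sessionfromswimlane-<hash> session-name format are assumptions for illustration.

```python
"""Cross-account access for the connector's Role ARN and External ID settings.
Added example for this page, not Swimlane connector code: a least-privilege
IAM policy for the seven actions, the trust policy the target role needs so
that only the connector's principal presenting the agreed External ID can
assume it, and the STS AssumeRole arguments. Account IDs, the connector's
principal ARN and the sessionfromswimlane-<hash> session-name format are
assumptions; pass assume_role_kwargs(...) to boto3.client("sts").assume_role
for real use (this file is standard library only and runs offline)."""
import hashlib
import re

# STS limits: ExternalId 2-1224 chars, RoleSessionName 2-64 chars, ASCII only.
EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:/-]{2,1224}$", re.ASCII)
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$", re.ASCII)

CONNECTOR_ACTIONS = [  # one IAM action per capability listed on this page
    "eks:CreateCluster", "eks:DeleteCluster", "eks:DescribeCluster", "eks:ListClusters",
    "eks:CreateAccessEntry", "eks:RegisterCluster", "eks:UpdateClusterConfig",
]
UNSCOPED_ACTIONS = {"eks:ListClusters", "eks:CreateCluster", "eks:RegisterCluster"}  # no cluster ARN yet


def connector_policy(account_id, region, cluster_role_arn):
    """Permissions policy for the connector's IAM identity. Actions on existing
    clusters are limited to one account and region; iam:PassRole covers only the
    cluster role Create Cluster hands to EKS, and only when EKS is the recipient."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(UNSCOPED_ACTIONS), "Resource": "*"},
        {"Effect": "Allow", "Action": sorted(set(CONNECTOR_ACTIONS) - UNSCOPED_ACTIONS),
         "Resource": f"arn:aws:eks:{region}:{account_id}:cluster/*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": cluster_role_arn,
         "Condition": {"StringEquals": {"iam:PassedToService": "eks.amazonaws.com"}}},
    ]}


def trust_policy(connector_principal_arn, external_id):
    """Trust policy for the role named in Role ARN. The sts:ExternalId condition
    defeats the confused-deputy case: another tenant of the same automation
    platform who learns your role ARN cannot have it assumed on their behalf."""
    if not EXTERNAL_ID_RE.match(external_id):
        raise ValueError("external ID must be 2-1224 characters of [A-Za-z0-9_+=,.@:/-]")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": connector_principal_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def default_session_name(role_arn):
    """Stable per-role session name (assumption: mirrors the documented
    sessionfromswimlane-<hash> default). It appears in CloudTrail's
    userIdentity.arn, so keep it recognisable rather than random."""
    return "sessionfromswimlane-" + hashlib.sha256(role_arn.encode()).hexdigest()[:16]


def assume_role_kwargs(role_arn, external_id=None, session_name=None, duration_seconds=900):
    """Keyword arguments for sts.assume_role. ExternalId is sent only when the
    administrator set one; DurationSeconds defaults to the shortest STS allows."""
    name = session_name or default_session_name(role_arn)
    if not SESSION_NAME_RE.match(name):
        raise ValueError("role session name must be 2-64 characters of [A-Za-z0-9_+=,.@-]")
    kwargs = {"RoleArn": role_arn, "RoleSessionName": name, "DurationSeconds": duration_seconds}
    if external_id:
        if not EXTERNAL_ID_RE.match(external_id):
            raise ValueError("invalid external ID")
        kwargs["ExternalId"] = external_id
    return kwargs
```

Attach connector_policy to the identity whose access key the connector uses and trust_policy to the role named in Role ARN. The External ID is agreed out of band and never appears in the role ARN, so a third party who learns the ARN still cannot have the connector assume the role for them; the fixed session-name prefix makes the connector's activity easy to pick out of CloudTrail.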
AWS EKS Authentication

Authenticates using AWS credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| Access Key | AWS access key ID | string | required |
| Secret Key | AWS secret access key | string | required |
| Region Name | The AWS region where you want to create new connections | string | required |
| Role ARN | Optional role ARN to assume. Leave blank unless tasks need to assume a different role. | string | optional |
| External ID | External ID used when assuming the IAM role. It can be added to or removed from the trust relationship of the target role. | string | optional |
| Session Token | Use if a session token is provided when switching roles | string | optional |
| Role Session Name | Defaults to sessionfromswimlane-<hash> when no value is provided | string | optional |

Actions

Create Access Entry

Creates an access entry in AWS EKS for a specified cluster and principal ARN.

Endpoint method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| clusterName | string | required | The name of your cluster. |
| principalArn | string | required | The ARN of the IAM principal for the access entry. You can specify one ARN for each access entry and cannot specify the same ARN in more than one access entry. This value cannot be changed after the access entry is created. |
| kubernetesGroups | array | optional | The value for name that you have specified for kind: Group as a subject in a Kubernetes RoleBinding or ClusterRoleBinding object. Amazon EKS does not confirm that the value for name exists in any bindings on your cluster. You can specify one or more names. |
| tags | object | optional | Metadata that assists with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Tags do not propagate to any other cluster or AWS resources. |
| tags.string | string | optional | One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values. |
| clientRequestToken | string | optional | A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This field is auto-populated if not provided. |
| username | string | optional | The username to authenticate to Kubernetes with. We recommend not specifying a username and letting Amazon EKS specify it for you. |
| type | string | optional | The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX and EC2_WINDOWS. |

Input example:

{"clusterName": "string", "principalArn": "string", "kubernetesGroups": ["string"], "tags": {"string": "string"}, "clientRequestToken": "string", "username": "string", "type": "string"}

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| accessEntry | object | The created access entry |
| accessEntry.clusterName | string | Name of the cluster |
| accessEntry.principalArn | string | ARN of the IAM principal |
| accessEntry.kubernetesGroups | array | Kubernetes group names |
| accessEntry.accessEntryArn | string | ARN of the access entry |
| accessEntry.createdAt | string | Creation timestamp |
| accessEntry.modifiedAt | string | Last-modified timestamp |
| accessEntry.tags | object | Tags on the access entry |
| accessEntry.tags.string | string | Tag value |
| accessEntry.username | string | Username used to authenticate to Kubernetes |
| accessEntry.type | string | Type of the access entry |

Output example:

{"accessEntry": {"clusterName": "string", "principalArn": "string", "kubernetesGroups": ["string"], "accessEntryArn": "string", "createdAt": "2015-01-01T00:00:00", "modifiedAt": "2015-01-01T00:00:00", "tags": {"string": "string"}, "username": "string", "type": "string"}}

Create Cluster

Creates an Amazon EKS control plane with the specified name, role ARN and VPC configuration.

Endpoint method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | The unique name to give to your cluster. |
| version | string | optional | The desired Kubernetes version for your cluster. If not specified, the default version available in Amazon EKS is used. |
| roleArn | string | required | The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. |
| resourcesVpcConfig | object | required | The VPC configuration used by the cluster control plane. |
| resourcesVpcConfig.subnetIds | array | optional | A list of subnet IDs. |
| resourcesVpcConfig.securityGroupIds | array | optional | A list of security group IDs. |
| resourcesVpcConfig.endpointPublicAccess | boolean | optional | Indicates whether the endpoint is publicly accessible. |
| resourcesVpcConfig.endpointPrivateAccess | boolean | optional | Indicates whether the endpoint is privately accessible. |
| resourcesVpcConfig.publicAccessCidrs | array | optional | A list of CIDR blocks allowed to reach the public endpoint. |
| kubernetesNetworkConfig | object | optional | The Kubernetes network configuration for the cluster. |
| kubernetesNetworkConfig.serviceIpv4Cidr | string | optional | The CIDR block for the Kubernetes service IP addresses. |
| kubernetesNetworkConfig.ipFamily | string | optional | The IP family used for the cluster. |
| logging | object | optional | Enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. |
| logging.clusterLogging | array | optional | The cluster logging configuration. |
| logging.clusterLogging.types | array | optional | The types of logs to export. |
| logging.clusterLogging.enabled | boolean | optional | Indicates whether the logging is enabled. |
| clientRequestToken | string | optional | A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. |
| tags | object | optional | Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. |
| tags.string | string | optional | The tag value. |
| encryptionConfig | array | optional | The encryption configuration for the cluster. |
| encryptionConfig.resources | array | optional | The resources to be encrypted. |
| encryptionConfig.provider | object | optional | The encryption provider. |
| encryptionConfig.provider.keyArn | string | optional | The ARN of the KMS key. |
| outpostConfig | object | optional | An object representing the configuration of your local Amazon EKS cluster on an AWS Outpost. |
| outpostConfig.outpostArns | array | optional | A list of Outpost ARNs. |

Input example:

{"name": "string", "version": "string", "roleArn": "string", "resourcesVpcConfig": {"subnetIds": ["string"], "securityGroupIds": ["string"], "endpointPublicAccess": true, "endpointPrivateAccess": true, "publicAccessCidrs": ["string"]}, "kubernetesNetworkConfig": {"serviceIpv4Cidr": "string", "ipFamily": "ipv4"}, "logging": {"clusterLogging": [{"types": ["api", "audit", "authenticator", "controllerManager", "scheduler"], "enabled": true}]}, "clientRequestToken": "string", "tags": {"string": "string"}, "encryptionConfig": [{"resources": ["string"], "provider": {"keyArn": "string"}}], "outpostConfig": {"outpostArns": ["string"], "controlPlaneInstanceType": "string", "controlPlanePlacement": {"groupName": "string"}}, "accessConfig": {"bootstrapClusterCreatorAdminPermissions": true, "authenticationMode": "API"}, "bootstrapSelfManagedAddons": true, "upgradePolicy": {"supportType": "STANDARD"}}

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| cluster | object | The cluster |
| cluster.name | string | Name of the cluster |
| cluster.arn | string | ARN of the cluster |
| cluster.createdAt | string | Creation timestamp |
| cluster.version | string | Kubernetes version |
| cluster.endpoint | string | Kubernetes API server endpoint |
| cluster.roleArn | string | ARN of the cluster IAM role |
| cluster.resourcesVpcConfig | object | VPC configuration |
| cluster.resourcesVpcConfig.subnetIds | array | Subnet IDs |
| cluster.resourcesVpcConfig.securityGroupIds | array | Security group IDs |
| cluster.resourcesVpcConfig.clusterSecurityGroupId | string | Cluster security group ID |
| cluster.resourcesVpcConfig.vpcId | string | VPC ID |
| cluster.resourcesVpcConfig.endpointPublicAccess | boolean | Whether the public endpoint is enabled |
| cluster.resourcesVpcConfig.endpointPrivateAccess | boolean | Whether the private endpoint is enabled |
| cluster.resourcesVpcConfig.publicAccessCidrs | array | CIDR blocks allowed to reach the public endpoint |
| cluster.kubernetesNetworkConfig | object | Kubernetes network configuration |
| cluster.kubernetesNetworkConfig.serviceIpv4Cidr | string | Service IPv4 CIDR |
| cluster.kubernetesNetworkConfig.serviceIpv6Cidr | string | Service IPv6 CIDR |
| cluster.kubernetesNetworkConfig.ipFamily | string | IP family |
| cluster.logging | object | Logging configuration |
| cluster.logging.clusterLogging | array | Cluster logging entries |
| cluster.logging.clusterLogging.types | array | Log types |
| cluster.logging.clusterLogging.enabled | boolean | Whether the log types are enabled |
| cluster.identity | object | Identity provider information |
| cluster.identity.oidc | object | OIDC identity provider |

Output example:

{"cluster": {"name": "string", "arn": "string", "createdAt": "datetime(2015, 1, 1)", "version": "string", "endpoint": "string", "roleArn": "string", "resourcesVpcConfig": {"subnetIds": [], "securityGroupIds": [], "clusterSecurityGroupId": "string", "vpcId": "string", "endpointPublicAccess": true, "endpointPrivateAccess": false, "publicAccessCidrs": []}, "kubernetesNetworkConfig": {"serviceIpv4Cidr": "string", "serviceIpv6Cidr": "string", "ipFamily": "ipv4"}, "logging": {"clusterLogging": []}, "identity": {"oidc": {}}, "status": "CREATING"}}

Delete Cluster

Deletes the Amazon EKS control plane for the named cluster. Managed node groups, Fargate profiles and load balancers created for Kubernetes services are not removed by this call and must be deleted first.

Endpoint method: DELETE

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | The name of the cluster to delete. |

Input example:

{"name": "string"}

Output parameters: the cluster object, with the same fields as the Create Cluster output.

Output example:

{"cluster": {"name": "string", "arn": "string", "createdAt": "datetime(2015, 1, 1)", "version": "string", "endpoint": "string", "roleArn": "string", "resourcesVpcConfig": {"subnetIds": [], "securityGroupIds": [], "clusterSecurityGroupId": "string", "vpcId": "string", "endpointPublicAccess": true, "endpointPrivateAccess": true, "publicAccessCidrs": []}, "kubernetesNetworkConfig": {"serviceIpv4Cidr": "string", "serviceIpv6Cidr": "string", "ipFamily": "ipv4"}, "logging": {"clusterLogging": []}, "identity": {"oidc": {}}, "status": "CREATING"}}

Describe Cluster

Retrieves detailed information about an Amazon EKS cluster by specifying the cluster name.

Endpoint method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | The name of the Amazon EKS cluster to describe. |

Input example:

{"name": "string"}

Output parameters: the cluster object, with the same fields as the Create Cluster output (endpointPublicAccess, endpointPrivateAccess and clusterLogging.enabled are booleans).

Output example:

{"cluster": {"name": "string", "arn": "string", "createdAt": "datetime(2015, 1, 1)", "version": "string", "endpoint": "string", "roleArn": "string", "resourcesVpcConfig": {"subnetIds": [], "securityGroupIds": [], "clusterSecurityGroupId": "string", "vpcId": "string", "endpointPublicAccess": true, "endpointPrivateAccess": false, "publicAccessCidrs": []}, "kubernetesNetworkConfig": {"serviceIpv4Cidr": "string", "serviceIpv6Cidr": "string", "ipFamily": "ipv4"}, "logging": {"clusterLogging": []}, "identity": {"oidc": {}}}}

List Clusters

Retrieves a list of Amazon EKS clusters available in the specified AWS region within your account.

Endpoint method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| maxResults | number | optional | The maximum number of results returned in paginated output. You receive maxResults in a single page, along with a nextToken response element, and can see the remaining results of the initial request by sending another request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, 100 results and a nextToken value, if applicable, are returned. |
| nextToken | string | optional | The nextToken value returned from a previous paginated request where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return. Treat this token as an opaque identifier used only to retrieve the next items in a list, not for other programmatic purposes. |
| include | array | optional | Indicates whether external clusters are included in the returned list. Use 'all' to return connected clusters, or leave blank to return only Amazon EKS clusters. 'all' must be lowercase; otherwise an error occurs. |

Input example:

{"maxResults": 123, "nextToken": "string", "include": ["string"]}

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| clusters | array | Cluster names |
| nextToken | string | Token for the next page of results, if any |

Output example:

{"clusters": ["string"], "nextToken": "string"}

Register Cluster

Connects a Kubernetes cluster to the Amazon EKS control plane, requiring the cluster name and connector configuration.

Endpoint method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | A unique name for this cluster in your AWS region. |
| connectorConfig | object | required | The configuration settings required to connect the Kubernetes cluster to the Amazon EKS control plane. |
| connectorConfig.roleArn | string | required | The Amazon Resource Name (ARN) of the role to assume when connecting to the cluster. |
| connectorConfig.provider | string | required | The provider of the Kubernetes cluster. |
| clientRequestToken | string | optional | A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. |
| tags | object | optional | Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. |
| tags.string | string | optional | The tag value. |

Input example:

{"name": "string", "connectorConfig": {"roleArn": "string", "provider": "EKS_ANYWHERE"}, "clientRequestToken": "string", "tags": {"string": "string"}}

Output parameters: the cluster object, with the same fields as the Create Cluster output.

Output example:

{"cluster": {"name": "string", "arn": "string", "createdAt": "datetime(2015, 1, 1)", "version": "string", "endpoint": "string", "roleArn": "string", "resourcesVpcConfig": {"subnetIds": [], "securityGroupIds": [], "clusterSecurityGroupId": "string", "vpcId": "string", "endpointPublicAccess": true, "endpointPrivateAccess": true, "publicAccessCidrs": []}, "kubernetesNetworkConfig": {"serviceIpv4Cidr": "string", "serviceIpv6Cidr": "string", "ipFamily": "ipv4"}, "logging": {"clusterLogging": []}, "identity": {"oidc": {}}, "status": "CREATING"}}

Update Cluster Config

Updates an Amazon EKS cluster configuration. The cluster continues to function during the update, and the response includes an update ID that you can track with DescribeUpdate. A single request can change only one configuration area; for example, logging and resourcesVpcConfig changes must be submitted as separate requests.

Endpoint method: PUT

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | The name of the Amazon EKS cluster to update. |
| resourcesVpcConfig | object | optional | An object representing the VPC configuration to use for an Amazon EKS cluster. |
| resourcesVpcConfig.subnetIds | array | optional | The subnets associated with your cluster. |
| resourcesVpcConfig.securityGroupIds | array | optional | The security groups associated with your cluster. |
| resourcesVpcConfig.endpointPublicAccess | boolean | optional | Indicates whether the Amazon EKS public API server endpoint is enabled. |
| resourcesVpcConfig.endpointPrivateAccess | boolean | optional | Indicates whether the Amazon EKS private API server endpoint is enabled. |
| resourcesVpcConfig.publicAccessCidrs | array | optional | The CIDR blocks that are allowed access to your cluster's public API server endpoint. |
| logging | object | optional | Enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. |
| logging.clusterLogging | array | optional | The cluster control plane logging configuration for your cluster. |
| logging.clusterLogging.types | array | optional | The types of logs to enable. |
| logging.clusterLogging.enabled | boolean | optional | Indicates whether the logging types are enabled. |
| clientRequestToken | string | optional | A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. |
| accessConfig | object | optional | The access configuration for the cluster. |
| accessConfig.authenticationMode | string | optional | The authentication mode for the cluster. |
| upgradePolicy | object | optional | You can enable or disable extended support for clusters currently on standard support. |
| upgradePolicy.supportType | string | optional | The support type for the cluster. |

Input example:

{"name": "string", "resourcesVpcConfig": {"subnetIds": ["string"], "securityGroupIds": ["string"], "endpointPublicAccess": true, "endpointPrivateAccess": true, "publicAccessCidrs": ["string"]}, "logging": {"clusterLogging": [{"types": ["api", "audit", "authenticator", "controllerManager", "scheduler"], "enabled": true}]}, "clientRequestToken": "string", "accessConfig": {"authenticationMode": "API"}, "upgradePolicy": {"supportType": "STANDARD"}}

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| update | object | The update |
| update.id | string | Update ID, usable with DescribeUpdate |
| update.status | string | Update status |
| update.type | string | Update type |
| update.params | array | Update parameters |
| update.params.type | string | Parameter type |
| update.params.value | string | Parameter value |
| update.createdAt | string | Creation timestamp |
| update.errors | array | Errors, if any |
| update.errors.errorCode | string | Error code |
| update.errors.errorMessage | string | Error message |
| update.errors.resourceIds | array | IDs of the affected resources |

Output example:

{"update": {"id": "string", "status": "InProgress", "type": "VersionUpdate", "params": [{}], "createdAt": "2015-01-01T00:00:00Z", "errors": [{}]}}

Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
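A worked example for the Create Access Entry action above, added here and not part of the connector: it builds the request body with the least-privilege choices the parameter descriptions recommend. The principal ARN is normalised (an STS assumed-role ARN, which is what get-caller-identity returns, is folded back into the IAM role ARN the API expects), the system:masters group is refused, username is left for EKS to derive, node-type entries are not allowed to carry groups, and a clientRequestToken is set so that a retried playbook step does not create a duplicate. The forbidden-group list and the sample ARNs are this example's own assumptions.

```python
"""Least-privilege input for the Create Access Entry action. Added example for
this page, not Swimlane connector code. It folds an STS assumed-role ARN
(what get-caller-identity returns) into the IAM role ARN the API expects,
refuses the system:masters group, leaves username unset as the parameter
table recommends, rejects groups on node (non-STANDARD) entry types, and
sets clientRequestToken so a retried playbook step is idempotent. The
forbidden-group list and the sample ARNs are this example's own."""
import re
import uuid

IAM_PRINCIPAL_RE = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):(role|user)/.+$")
STS_ASSUMED_RE = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):sts::(\d{12}):assumed-role/([^/]+)/.+$")
NODE_TYPES = {"FARGATE_LINUX", "EC2_LINUX", "EC2_WINDOWS"}  # the non-STANDARD values of `type`
FORBIDDEN_GROUPS = {"system:masters"}  # cluster-admin by group name; use an access policy instead


def canonical_principal(arn):
    """Return the IAM role or user ARN to use as principalArn.

    An assumed-role session ARN is mapped back to its role. Session ARNs drop
    any IAM path, so a role created with a path must be looked up (iam:GetRole)
    rather than reconstructed this way."""
    m = STS_ASSUMED_RE.match(arn)
    if m:
        arn = f"arn:{m.group(1)}:iam::{m.group(2)}:role/{m.group(3)}"
    if not IAM_PRINCIPAL_RE.match(arn):
        raise ValueError(f"principalArn must be an IAM role or user ARN, got {arn}")
    return arn


def build_access_entry(cluster_name, principal_arn, kubernetes_groups=(), entry_type="STANDARD", tags=None):
    """Request body for Create Access Entry with the guard rails described above."""
    groups = list(kubernetes_groups)
    forbidden = FORBIDDEN_GROUPS & set(groups)
    if forbidden:
        raise ValueError(f"refusing {sorted(forbidden)}: bind a narrower group, or grant cluster "
                         "admin through an EKS access policy association, which AWS can list and audit")
    if entry_type in NODE_TYPES and groups:
        raise ValueError(f"{entry_type} access entries cannot carry kubernetesGroups")
    request = {
        "clusterName": cluster_name,
        "principalArn": canonical_principal(principal_arn),
        "type": entry_type,
        "clientRequestToken": str(uuid.uuid4()),  # reuse this same token when retrying this request
    }
    if groups:
        request["kubernetesGroups"] = groups  # no "username": let EKS derive it
    if tags:
        request["tags"] = dict(tags)
    return request
```

The returned dictionary is the action's input; in a playbook, persist the clientRequestToken with the step so a retry after a timeout replays the identical request instead of minting a new token.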
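An added example, not connector code, that chains the List Clusters, Describe Cluster and Update Cluster Config actions the way a playbook would: page through the clusters in a region following nextToken, audit each Describe Cluster result against a small control-plane baseline, and issue the configuration updates that remediate what that action can fix, one configuration area per request. The boto3 client is replaced by a constructed in-memory stand-in with the same call names and response shapes so the code runs offline; the cluster data, account IDs, KMS key ARN and the baseline itself are assumptions.

```python
"""Posture audit of Describe Cluster output and the Update Cluster Config
requests that fix it. Added example for this page, not Swimlane connector
code. FakeEks is a constructed offline stand-in for boto3's EKS client with
the call names and response shapes of the List Clusters, Describe Cluster and
Update Cluster Config actions above (swap in boto3.client("eks") for real
use); the sample clusters and the baseline checked are this example's own."""
import ipaddress
import uuid

ALL_LOG_TYPES = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
REQUIRED_LOG_TYPES = {"audit", "authenticator"}
KMS_KEY = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

SAMPLE_CLUSTERS = {  # constructed, shaped like the Describe Cluster output example
    "prod-eu": {"name": "prod-eu", "status": "ACTIVE",
                "resourcesVpcConfig": {"endpointPublicAccess": True, "endpointPrivateAccess": False,
                                       "publicAccessCidrs": ["0.0.0.0/0"]},
                "logging": {"clusterLogging": [{"types": ["api"], "enabled": True}]},
                "accessConfig": {"authenticationMode": "CONFIG_MAP"}},
    "prod-us": {"name": "prod-us", "status": "ACTIVE",
                "resourcesVpcConfig": {"endpointPublicAccess": True, "endpointPrivateAccess": True,
                                       "publicAccessCidrs": ["203.0.113.0/24"]},
                "logging": {"clusterLogging": [{"types": ALL_LOG_TYPES, "enabled": True}]},
                "encryptionConfig": [{"resources": ["secrets"], "provider": {"keyArn": KMS_KEY}}],
                "accessConfig": {"authenticationMode": "API"}},
}


class FakeEks:
    def __init__(self, clusters):
        self._clusters, self.updates = clusters, []  # updates: requests received

    def list_clusters(self, maxResults=100, nextToken=None, include=None):
        names, start = sorted(self._clusters), int(nextToken or 0)
        resp = {"clusters": names[start:start + maxResults]}
        if start + maxResults < len(names):
            resp["nextToken"] = str(start + maxResults)  # real tokens are opaque: never parse them
        return resp

    def describe_cluster(self, name):
        return {"cluster": self._clusters[name]}

    def update_cluster_config(self, **request):
        self.updates.append(request)
        return {"update": {"id": str(uuid.uuid4()), "status": "InProgress"}}


def iter_clusters(eks, page_size=1):
    """Follow nextToken until a List Clusters response omits it."""
    token = None
    while True:
        resp = eks.list_clusters(maxResults=page_size, **({"nextToken": token} if token else {}))
        yield from resp["clusters"]
        token = resp.get("nextToken")
        if not token:
            return


def audit_cluster(cluster):
    """Baseline violations in one Describe Cluster result, as 'code[: detail]' strings."""
    findings, vpc = [], cluster.get("resourcesVpcConfig", {})
    if vpc.get("endpointPublicAccess") and any(ipaddress.ip_network(c, strict=False).prefixlen == 0
                                               for c in vpc.get("publicAccessCidrs", [])):
        findings.append("public-endpoint-open")
    if not vpc.get("endpointPrivateAccess"):
        findings.append("private-endpoint-off")  # in-VPC nodes reach the API over the public endpoint
    enabled = {t for e in cluster.get("logging", {}).get("clusterLogging", [])
               if e.get("enabled") for t in e.get("types", [])}
    if REQUIRED_LOG_TYPES - enabled:
        findings.append("logs-missing: " + ", ".join(sorted(REQUIRED_LOG_TYPES - enabled)))
    if not cluster.get("encryptionConfig"):
        findings.append("secrets-unencrypted")  # no KMS envelope encryption of Kubernetes Secrets
    if cluster.get("accessConfig", {}).get("authenticationMode") == "CONFIG_MAP":
        findings.append("config-map-auth")  # access entries unavailable; only the aws-auth ConfigMap
    return findings


def remediation_requests(cluster, findings, allowed_cidrs):
    """One Update Cluster Config request per configuration area (the API does not
    accept logging and VPC changes in one call). Secrets encryption is not an
    Update Cluster Config setting, so that finding stays open for a human;
    CONFIG_MAP can only step to API_AND_CONFIG_MAP, never straight to API."""
    codes = {f.split(":")[0] for f in findings}
    def req(**area):
        return {"name": cluster["name"], "clientRequestToken": str(uuid.uuid4()), **area}
    reqs = []
    if codes & {"public-endpoint-open", "private-endpoint-off"}:
        reqs.append(req(resourcesVpcConfig={"endpointPublicAccess": True, "endpointPrivateAccess": True,
                                            "publicAccessCidrs": list(allowed_cidrs)}))
    if "logs-missing" in codes:
        reqs.append(req(logging={"clusterLogging": [{"types": ALL_LOG_TYPES, "enabled": True}]}))
    if "config-map-auth" in codes:
        reqs.append(req(accessConfig={"authenticationMode": "API_AND_CONFIG_MAP"}))
    return reqs


def audit_and_remediate(eks, allowed_cidrs):
    """Audit every cluster in the region, submit the fixes, return {name: findings}."""
    report = {}
    for name in iter_clusters(eks):
        cluster = eks.describe_cluster(name=name)["cluster"]
        report[name] = audit_cluster(cluster)
        for request in remediation_requests(cluster, report[name], allowed_cidrs):
            eks.update_cluster_config(**request)
    return report
```

Each update returns an update ID; a real playbook would poll DescribeUpdate on it before treating the finding as closed, and would keep the public endpoint enabled but CIDR-restricted (as above) rather than disabling it, since the automation platform itself must still reach the API server.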