Amazon Web Services (AWS) Elastic Kubernetes Service (EKS) - Get authentication token using Terraform


This assumes you have set up Terraform as described in Amazon Web Services (AWS) - Getting Started with Terraform.

This is similar to using the aws eks get-token command to return the authentication token.

~]$ aws eks get-token --cluster-name my-cluster
{"kind": "ExecCredential", "apiVersion": "client.authentication.k8s.io/v1alpha1", "spec": {}, "status": {"expirationTimestamp": "2023-10-23T20:29:08Z", "token": "k8s-aws-v1.aHR0....zljYw"}}

 

Let's say you have the following files on your Terraform server.

├── required_providers.tf
├── elastic_kubernetes_service (directory)
│   ├── provider.tf

 

required_providers.tf will almost always have something like this.

terraform {
  required_providers {

    aws = {
      source  = "hashicorp/aws"
    }

    kubernetes = {
      source  = "hashicorp/kubernetes"
    }

    kubectl = {
      source = "gavinbunney/kubectl"
    }

    helm = {
      source = "hashicorp/helm"
    }
  }
}

 

Let's say provider.tf has the following. In this example, the "default" profile in /home/username/.aws/config and /home/username/.aws/credentials is being used.

data "aws_eks_cluster" "cluster" {
  name = "my-cluster"
}

data "aws_eks_cluster_auth" "cluster_auth" {
  name = "my-cluster"
}

provider "aws" {
  alias   = "default"
  profile = "default"
  region  = "us-east-1"
}

provider "kubernetes" {
  host = "https://123456789ABCDEFG123456789ABCDEFG.gr7.us-east-1.eks.amazonaws.com"
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
  token = data.aws_eks_cluster_auth.cluster_auth.token
}

provider "kubectl" {
  host = "https://123456789ABCDEFG123456789ABCDEFG.gr7.us-east-1.eks.amazonaws.com"
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
  token = data.aws_eks_cluster_auth.cluster_auth.token
}

provider "helm" {
  # helm provider 2.x syntax; 3.x uses "kubernetes = { ... }" instead of a block
  kubernetes {
    host = "https://123456789ABCDEFG123456789ABCDEFG.gr7.us-east-1.eks.amazonaws.com"
    cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
    token = data.aws_eks_cluster_auth.cluster_auth.token
  }
}

 

Or, instead of using the aws_eks_cluster_auth data source, you can try using the provider's exec plugin, which runs the aws eks get-token command to return the authentication token.

provider "kubernetes" {
  host = "https://8746F2F1BD0F0832B2D22B5E137F35C3.gr7.us-east-2.eks.amazonaws.com"
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    args        = ["eks", "get-token", "--cluster-name", "my-cluster", "--profile", "johndoe", "--region", "us-east-1"]
    command     = "aws"
  }
}

 

The terraform plan command can be used to see what Terraform will try to do.

terraform plan

 

The terraform apply command should return something like this, where the token was successfully obtained and you are authenticated to your EKS cluster.

~]$ terraform apply -auto-approve
data.aws_eks_cluster_auth.cluster_auth: Reading...
data.aws_eks_cluster_auth.cluster_auth: Read complete after 0s [id=my-cluster]

 

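And the terraform.tfstate file should have the token. The token is stored there in plaintext, so treat the state file as a secret: restrict who can read it and keep it out of version control. The exec plugin approach above does not write the token to state.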

{
  "resources": [
    {
      "mode": "data",
      "type": "aws_eks_cluster_auth",
      "name": "cluster_auth",
      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "id": "my-cluster",
            "name": "my-cluster",
            "token": "k8s-aws-v1.aHR0cH.....hNWExOQ"
          },
          "sensitive_attributes": []
        }
      ]
    }
  ]
}
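A defensive check for the state file shown above, as an added example that is not from the original article: it walks a parsed terraform.tfstate, finds tokens stored by aws_eks_cluster_auth, and decodes each one (a base64url-encoded presigned STS GetCallerIdentity URL) to report which access key signed it and when, without printing the token. The function names, the sample state and the sample token are constructed for illustration.

```python
import base64
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

PREFIX = "k8s-aws-v1."

def describe_token(token):
    """Decode an EKS bearer token into fields of the presigned STS URL it wraps."""
    body = token[len(PREFIX):]
    body += "=" * (-len(body) % 4)  # the token is base64url with padding stripped
    url = urlsplit(base64.urlsafe_b64decode(body).decode())
    query = {k.lower(): v[0] for k, v in parse_qs(url.query).items()}
    signed_at = datetime.strptime(query["x-amz-date"], "%Y%m%dT%H%M%SZ")
    return {
        "sts_host": url.hostname,
        "access_key_id": query["x-amz-credential"].split("/")[0],
        "signed_at": signed_at.replace(tzinfo=timezone.utc),
    }

def find_eks_tokens(state):
    """Yield one finding per EKS token persisted in a parsed terraform.tfstate."""
    for res in state.get("resources", []):
        if res.get("type") != "aws_eks_cluster_auth":
            continue
        for inst in res.get("instances", []):
            token = inst.get("attributes", {}).get("token") or ""
            if token.startswith(PREFIX):
                address = f"data.{res['type']}.{res['name']}"
                yield {"address": address, **describe_token(token)}

# Constructed sample: placeholder key id and signature, not a real token.
_URL = ("https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity"
        "&Version=2011-06-15&X-Amz-Algorithm=AWS4-HMAC-SHA256"
        "&X-Amz-Credential=AKIAEXAMPLEEXAMPLE00%2F20231023%2Fus-east-1%2Fsts%2Faws4_request"
        "&X-Amz-Date=20231023T201508Z&X-Amz-Expires=60"
        "&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=0000")
SAMPLE_TOKEN = PREFIX + base64.urlsafe_b64encode(_URL.encode()).decode().rstrip("=")
SAMPLE_STATE = {"resources": [{
    "mode": "data", "type": "aws_eks_cluster_auth", "name": "cluster_auth",
    "instances": [{"attributes": {"id": "my-cluster", "name": "my-cluster",
                                  "token": SAMPLE_TOKEN}}],
}]}

if __name__ == "__main__":
    for finding in find_eks_tokens(SAMPLE_STATE):
        print(finding)  # metadata only; the token itself is never printed
```

To audit a real state file, pass `json.load(open("terraform.tfstate"))` to `find_eks_tokens`.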

 



