@shinyaz

EKS access entries and access policies are separate — you need both

1 min read
#aws#eks#kubernetes#iam

When creating an EKS ArgoCD Capability, an access entry for the IAM role gets auto-created. I assumed that meant permissions were good to go and tried deploying an Application. Sync failed.

The issue: access entries (who can access the cluster) and access policies (what they can do) are independent. The auto-created entry only has baseline Kubernetes permissions—no resource deployment rights.

# Access entry exists (auto-created)
aws eks describe-access-entry \
  --cluster-name sandbox \
  --principal-arn arn:aws:iam::111122223333:role/ArgoCDCapabilityRole
 
# Not enough. Must associate a policy separately
aws eks associate-access-policy \
  --cluster-name sandbox \
  --principal-arn arn:aws:iam::111122223333:role/ArgoCDCapabilityRole \
  --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \
  --access-scope type=cluster

It's similar to IAM roles vs policies. In EKS access management, don't assume an entry existing means permissions are in place—always verify the associated policy.

Share this post

Shinya Tahara

Shinya Tahara

Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this blog.

Read more