
atmos aws eks token

Generate a short-lived EKS bearer token for kubectl authentication. This command is designed as a kubectl exec credential plugin and is automatically configured in kubeconfig files generated by atmos auth login.

Usage

atmos aws eks token --cluster-name <name> --region <region> [flags]

Examples

# Generate token for a cluster (typically called by kubectl automatically)
atmos aws eks token --cluster-name my-cluster --region us-east-2

# Generate token using a specific identity
atmos aws eks token --cluster-name my-cluster --region us-east-2 --identity dev-admin

# Test token generation manually
atmos aws eks token --cluster-name dev-cluster --region us-west-2 | jq .

Arguments

No positional arguments.

Flags

--cluster-name (required)

The name of the EKS cluster to generate a token for. This must match the cluster name in AWS.

--region (required)

The AWS region where the EKS cluster is located.

--identity (alias -i)

Identity name to authenticate with for token generation. If omitted, Atmos uses the default identity (single identity auto-selected) or the ATMOS_IDENTITY environment variable.

How It Works

This command generates an EKS bearer token using the same mechanism as aws eks get-token, but without requiring the AWS CLI:

  1. Atmos authenticates the specified identity to obtain AWS credentials
  2. Creates a pre-signed STS GetCallerIdentity URL with the cluster name injected as the x-k8s-aws-id header
  3. Base64url-encodes the URL and prefixes it with k8s-aws-v1. (the trailing dot is part of the prefix)
  4. Outputs the token as a Kubernetes ExecCredential JSON object to stdout

ExecCredential Output

The command outputs a JSON object that kubectl understands:

{
  "apiVersion": "client.authentication.k8s.io/v1beta1",
  "kind": "ExecCredential",
  "status": {
    "expirationTimestamp": "2025-01-15T12:15:00Z",
    "token": "k8s-aws-v1.aHR0cHM6Ly9zdHMu..."
  }
}

Kubeconfig Integration

When you authenticate with an identity that has an EKS integration, atmos auth login automatically generates a kubeconfig entry that uses this command as an exec credential plugin:

users:
- name: atmos-eks-dev-admin
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: atmos
      args:
      - aws
      - eks
      - token
      - --cluster-name
      - dev-cluster
      - --region
      - us-east-2
      - --identity
      - dev-admin

This means kubectl automatically calls atmos aws eks token whenever it needs a fresh token, providing seamless authentication without manual token management.

Notes

  • Tokens expire after approximately 15 minutes (AWS-enforced STS pre-signed URL expiration)
  • This command is designed to be called by kubectl, not manually
  • The command suppresses usage errors since kubectl invokes it automatically
  • Required IAM permission: sts:GetCallerIdentity (typically allowed by default)
  • The token is generated locally using a pre-signed URL; no EKS API calls are made
