# atmos aws eks token

Generate a short-lived EKS bearer token for kubectl authentication. This command is designed as a kubectl exec credential plugin and is automatically configured in kubeconfig files generated by `atmos auth login`.

## Usage

```shell
atmos aws eks token --cluster-name <name> --region <region> [flags]
```

## Examples

```shell
# Generate token for a cluster (typically called by kubectl automatically)
atmos aws eks token --cluster-name my-cluster --region us-east-2

# Generate token using a specific identity
atmos aws eks token --cluster-name my-cluster --region us-east-2 --identity dev-admin

# Test token generation manually
atmos aws eks token --cluster-name dev-cluster --region us-west-2 | jq .
```

## Arguments

- **n/a**
  No positional arguments.

## Flags

- **`--cluster-name` (required)**

  The name of the EKS cluster to generate a token for. This must match the cluster name in AWS.
- **`--region` (required)**

  The AWS region where the EKS cluster is located.
- **`--identity` (alias `-i`)**

  Identity name to authenticate with for token generation. If omitted, Atmos uses the default identity (single identity auto-selected) or the `ATMOS_IDENTITY` environment variable.

## How It Works

This command generates an EKS bearer token using the same mechanism as `aws eks get-token`, but without requiring the AWS CLI:

1. Atmos authenticates the specified identity to obtain AWS credentials.
2. It creates a pre-signed STS `GetCallerIdentity` URL with the cluster name injected as the `x-k8s-aws-id` header.
3. It base64url-encodes the URL and prefixes it with `k8s-aws-v1.`.
4. It writes the token to stdout as a Kubernetes `ExecCredential` JSON object.

### ExecCredential Output

The command outputs a JSON object that kubectl understands:

```json
{
  "apiVersion": "client.authentication.k8s.io/v1beta1",
  "kind": "ExecCredential",
  "status": {
    "expirationTimestamp": "2025-01-15T12:15:00Z",
    "token": "k8s-aws-v1.aHR0cHM6Ly9zdHMu..."
  }
}
```
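To check what a token from steps 2 and 3 is bound to, the following added example (not part of Atmos; the sample access key ID, signature and query values are constructed) decodes an `ExecCredential` and reports the STS host, action and signed headers while leaving the signature out of the summary. Only the header name `x-k8s-aws-id` appears in the pre-signed URL, so the cluster name is covered by the signature but cannot be read back from the token.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

PREFIX = "k8s-aws-v1."

def build_sample_credential():
    """Constructed ExecCredential with a fake key ID and signature (not a real token)."""
    url = (
        "https://sts.us-east-2.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
        "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
        "&X-Amz-Credential=AKIAEXAMPLEEXAMPLE00%2F20250115%2Fus-east-2%2Fsts%2Faws4_request"
        "&X-Amz-Date=20250115T120000Z&X-Amz-Expires=60"
        "&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id"
        "&X-Amz-Signature=" + "0" * 64
    )
    token = PREFIX + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return json.dumps({
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "kind": "ExecCredential",
        "status": {"expirationTimestamp": "2025-01-15T12:15:00Z", "token": token},
    })

def inspect_exec_credential(raw_json):
    """Decode the token and summarize what it is bound to, omitting the signature."""
    cred = json.loads(raw_json)
    if cred.get("kind") != "ExecCredential":
        raise ValueError("not an ExecCredential object")
    token = cred["status"]["token"]
    if not token.startswith(PREFIX):
        raise ValueError("token does not start with k8s-aws-v1.")
    body = token[len(PREFIX):]
    body += "=" * (-len(body) % 4)  # restore base64 padding if it was stripped
    url = urlsplit(base64.urlsafe_b64decode(body).decode("utf-8"))
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    signed = query.get("X-Amz-SignedHeaders", "").split(";")
    scope = query.get("X-Amz-Credential", "").split("/")
    return {
        "host": url.hostname,
        "action": query.get("Action"),
        "access_key_id": scope[0],
        "signing_region": scope[2] if len(scope) > 2 else None,
        "signed_headers": signed,
        "cluster_header_signed": "x-k8s-aws-id" in signed,
        "expires": cred["status"].get("expirationTimestamp"),
    }

if __name__ == "__main__":
    print(json.dumps(inspect_exec_credential(build_sample_credential()), indent=2))
```

The decoded URL is itself a usable credential until it expires, so run this kind of inspection locally and keep raw tokens out of logs and tickets.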

### Kubeconfig Integration

When you authenticate with an identity that has an EKS integration, `atmos auth login` automatically generates a kubeconfig entry that uses this command as an exec credential plugin:

```yaml
users:
  - name: atmos-eks-dev-admin
    user:
      exec:
        apiVersion: client.authentication.k8s.io/v1beta1
        command: atmos
        args:
          - aws
          - eks
          - token
          - --cluster-name
          - dev-cluster
          - --region
          - us-east-2
          - --identity
          - dev-admin
```

This means kubectl automatically calls `atmos aws eks token` whenever it needs a fresh token, providing seamless authentication without manual token management.

## Notes

- Tokens expire after approximately 15 minutes (AWS-enforced STS pre-signed URL expiration)
- This command is designed to be called by kubectl, not manually
- The command suppresses usage errors since kubectl invokes it automatically
- Required IAM permission: `sts:GetCallerIdentity` (typically allowed by default)
- The token is generated locally using a pre-signed URL; no EKS API calls are made

## See Also

- [Auth Login Command](/cli/commands/auth/login) — Authenticate with identities and auto-provision kubeconfig
- [EKS Kubeconfig Authentication Tutorial](/tutorials/eks-kubeconfig-authentication) — Step-by-step EKS setup guide
- [AWS EKS Update Kubeconfig](/cli/commands/aws/eks/update-kubeconfig) — Download kubeconfig from EKS clusters
- [Auth Configuration](/cli/configuration/auth) — Configure providers, identities, and integrations
