
Amazon EKS
Amazon Web Services- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
Integrates with Amazon Elastic Kubernetes Service (EKS) to inventory
EKS clusters and their managed node groups across every configured AWS account and region. The
connector lists clusters (ListClusters) and describes each one (DescribeCluster), then lists the
node groups per cluster (ListNodegroups) and describes each (DescribeNodegroup), emitting one
Brinqa object per cluster and per node group.
Data retrieved from Amazon EKS
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| EKS Cluster | Yes | Cloud Resource |
| EKS Nodegroup | Yes | Cloud Resource |
For detailed steps on how to view the data retrieved from Amazon EKS in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Amazon EKS from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| Access key ID | No | — | AWS user access key ID, if not specified, the connector consults the default credentials provider chain to try and determine the \ |
| Secret access key | No | — | AWS user secret access key, if not specified, the connector consults the default credentials provider chain to try and determine the \ |
| Default region | No | us-east-1 | Default AWS region, if not specified, the connector consults the default region provider chain to try and determine the region to use. |
| Assume role | No | — | Amazon Resource Name for the role to assume. |
| Session duration | No | 900 | Assume role session duration in seconds. |
| Page size | No | 100 | The maximum number of results to retrieve per operation. |
Authentication
Authentication is shared across the AWS connector bundle via the AwsConfiguration base class. The
EKS sub-connector uses the AWS SDK for Java v2 EksClient, which signs every request with AWS SigV4
using credentials resolved through the following chain (in order):
- STS AssumeRole — if
assumeRoleARNis configured, the connector assumes that role (using the credentials below as the principal) and uses the resulting temporary session credentials. - Static access keys — if
accessKey/secretKeyare configured, they are used directly. - Default credentials provider chain — environment variables,
~/.aws/credentials, container role, or EC2 instance metadata.
Assumed-role sessions use the configurable sessionDuration (default 900 s) with a unique session
name per sync. assumeRoleARN may be a comma-separated list to sync multiple accounts in one run.
A separate EksClient is constructed per role per region and closed when that region has been fully
synced.
Required AWS API permissions
| Permission | Purpose |
|---|---|
eks:ListClusters | List and page through cluster names. |
eks:DescribeCluster | Read full cluster configuration. |
eks:ListNodegroups | List and page through node group names per cluster. |
eks:DescribeNodegroup | Read full node group configuration. |
ec2:DescribeRegions | Discover the set of regions to query when no explicit region/regions option is supplied. |
sts:AssumeRole | Only when assumeRoleARN is set. |
How to obtain Amazon EKS credentials
Create an IAM user for AWS access
For the Amazon EKS connector to interact with the AWS SDK and retrieve data, you must provide specific AWS credentials and permissions. To create an IAM user, follow these steps:
-
Log in to your organization's AWS Management Console as an administrator.
-
Navigate to the Identity and Access Management (IAM) dashboard.
-
From the navigation pane under Access management, click Users, and then click Create user.
-
Provide a User name, leave the Provide user access to AWS Management Console option unchecked, and then click Next.
-
Click the Attach policies directly option and then click Create policy.
-
Click the JSON tab and paste the following minimum required policy:
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["eks:ListClusters","eks:DescribeCluster","eks:ListNodegroups","eks:DescribeNodegroup"],"Resource": "*"}]} -
Click Next, provide a name for the policy, and then click Create policy.
-
Back on the Add permissions page, search for and select the policy you just created, and then click Next.
-
Click Create user.
Obtain access keys
After you have created an IAM user, generate the access keys that are required for the connector. To do so, follow these steps:
-
Navigate to the IAM dashboard.
-
From the navigation pane under Access management, click Users.
-
Choose the IAM user you created in the earlier steps.
-
Click the Security credentials tab and then click Create access key.
-
Select the Application running outside AWS use case and then click Next.
-
Provide a description and then click Create access key.
The access key ID and secret access key display. The secret access key is shown only once and cannot be retrieved again, so copy the key and save it to a secure location.
Note: If you do not have the permissions to create access keys, contact your AWS administrator. For additional information, see AWS documentation.
The connector authenticates using the AWS SDK's credential resolution chain. If an assume-role ARN is configured, the connector assumes that IAM role using the provided credentials. Otherwise, it uses the provided access keys directly, falling back to the AWS Default Credential Provider Chain (environment variables, ~/.aws/credentials, or EC2 instance metadata).
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
EKS Cluster
| Source Field Name | SDM Attribute |
|---|---|
Cluster.arn | UID |
Cluster.arn | ARN |
Cluster.createdAt | FIRST_SEEN |
Cluster.endpoint | ENDPOINT |
Cluster.identity().oidc().issuer | OIDC_ISSUER |
Cluster.name | CLUSTER_NAME |
Cluster.name (falls back to arn) | NAME |
Cluster.platformVersion | PLATFORM_VERSION |
Cluster.resourcesVpcConfig().clusterSecurityGroupId | CLUSTER_SECURITY_GROUP_ID |
Cluster.resourcesVpcConfig().endpointPrivateAccess | ENDPOINT_PRIVATE_ACCESS |
Cluster.resourcesVpcConfig().endpointPublicAccess | ENDPOINT_PUBLIC_ACCESS |
Cluster.resourcesVpcConfig().publicAccessCidrs | PUBLIC_ACCESS_CIDRS (multivalued) |
Cluster.resourcesVpcConfig().securityGroupIds | SECURITY_GROUP_IDS (multivalued) |
Cluster.resourcesVpcConfig().subnetIds | SUBNET_IDS (multivalued) |
Cluster.resourcesVpcConfig().vpcId | VPC_ID |
Cluster.roleArn | CLUSTER_ROLE_ARN |
Cluster.statusAsString | SOURCE_STATUS |
Cluster.tags as key:value | TAGS (multivalued) |
Cluster.version | VERSION |
| Constant "AWS" | CLOUD_PROVIDER |
Derived: endpointPublicAccess == true AND publicAccessCidrs contains 0.0.0.0/0 | PUBLIC_OPEN_TO_INTERNET |
| Iteration region | REGION |
Sync timestamp (Instant.now()) | LAST_CAPTURED |
EKS Nodegroup
| Source Field Name | SDM Attribute |
|---|---|
| Constant "AWS" | CLOUD_PROVIDER |
| Iteration region | REGION |
Nodegroup.amiTypeAsString | AMI_TYPE |
Nodegroup.capacityTypeAsString | CAPACITY_TYPE |
Nodegroup.clusterName | CLUSTER_NAME |
Nodegroup.createdAt | FIRST_SEEN |
Nodegroup.diskSize | DISK_SIZE_GIB |
Nodegroup.instanceTypes | INSTANCE_TYPES (multivalued) |
Nodegroup.modifiedAt | SOURCE_LAST_MODIFIED |
Nodegroup.nodegroupArn | UID |
Nodegroup.nodegroupArn | NODEGROUP_ARN |
Nodegroup.nodegroupName | NODEGROUP_NAME |
Nodegroup.nodegroupName (falls back to nodegroupArn) | NAME |
Nodegroup.nodeRole | NODE_ROLE_ARN |
Nodegroup.releaseVersion | RELEASE_VERSION |
Nodegroup.scalingConfig().desiredSize | SCALING_DESIRED |
Nodegroup.scalingConfig().maxSize | SCALING_MAX |
Nodegroup.scalingConfig().minSize | SCALING_MIN |
Nodegroup.statusAsString | SOURCE_STATUS |
Nodegroup.subnets | SUBNET_IDS (multivalued) |
Nodegroup.tags as key:value | TAGS (multivalued) |
Nodegroup.version | VERSION |
Sync timestamp (Instant.now()) | LAST_CAPTURED |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
EKS Cluster
Operation options
| Option | Type | Default | Description |
|---|---|---|---|
region / regions | Comma-separated list of regions to query (one client per region). | Discovered via ec2:DescribeRegions | |
pageSize | maxResults page size for each ListClusters call. | Shared pageSize configuration (100) | |
parallelismLevel | Number of parallel worker threads. | min(4, CPU cores) | No |
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: AWS SDK for Java v2 (
EksClient) · Endpoint:eks:ListClusters
EKS Nodegroup
Operation options
| Option | Type | Default | Description |
|---|---|---|---|
region / regions | Comma-separated list of regions to query (one client per region). | Discovered via ec2:DescribeRegions | |
pageSize | maxResults page size for ListClusters / ListNodegroups calls. | Shared pageSize configuration (100) |
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: AWS SDK for Java v2 (
EksClient) · Endpoint:eks:ListClusters
Changelog
The Amazon EKS connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.2.1 | No changes in this release. | N/A |
| 3.2.0 | No changes in this release. | N/A |
| 3.1.0 | New Features - New connector — syncs EKS clusters and node groups. Clusters include a derived flag indicating when the public endpoint is exposed to the open internet. Improvements - Sync failures are now visible. Previously, certain AWS API errors (throttling, server errors, transient network failures, validation errors) could be silently swallowed during multi-region sync, producing empty results without indicating a problem. These now surface as sync failures with a clear log entry detailing the HTTP status, AWS error code, request id, and service name. Per-region permission gaps (HTTP 401 / 403) still allow the sync to continue across other regions, but are now visible in logs. | N/A |