Using AWS EKS

Last updated 29 days ago

CloudQuery Platform currently supports integration with Amazon Elastic Kubernetes Service (EKS). This guide explains the AWS account setup and configuration steps required for CloudQuery to access your EKS clusters and run syncs.

Prerequisites

In order for the CloudQuery Kubernetes source plugin to be able to sync resources from a given cluster, the API Server Endpoint of that cluster needs to be publicly available.

Before starting, configure this environment variable:

export TARGET_ACCOUNT_ID="<AWS target account>"

First, follow the AWS integration setup guide to create the necessary roles and policies. This will establish the basic cross-account access needed for CloudQuery to interact with your AWS resources.

Configure EKS Cluster Access

In the Target AWS Account (Account to Sync)

  1. Create an IAM access entry for your EKS cluster:

aws eks create-access-entry \
    --cluster-name my-cluster \
    --principal-arn arn:aws:iam::${TARGET_ACCOUNT_ID}:role/cross-account-readonly-role \
    --type STANDARD

  2. Choose one of the following policies based on the level of access required:

Full Cluster View (recommended): Allows CloudQuery to sync all cluster resources.

aws eks associate-access-policy \
    --cluster-name my-cluster \
    --principal-arn arn:aws:iam::${TARGET_ACCOUNT_ID}:role/cross-account-readonly-role \
    --access-scope type=cluster \
    --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminViewPolicy

Restricted View

Note: If you choose this policy, most core cluster resources such as Nodes, RBAC Roles, and Secrets will not be synced.

If you don’t need access to these resources, you can use a more restrictive view policy instead:

aws eks associate-access-policy \
    --cluster-name my-cluster \
    --principal-arn arn:aws:iam::${TARGET_ACCOUNT_ID}:role/cross-account-readonly-role \
    --access-scope type=cluster \
    --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy
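
Before creating the integration, a read-only preflight can confirm the public-endpoint prerequisite and show which access policy is associated with the role. This is an added example, not part of the CloudQuery documentation: the function names are illustrative, and it assumes the AWS CLI is configured with credentials that can read the cluster in the target account.

```bash
#!/usr/bin/env bash
# Added example: read-only preflight for the EKS setup described on this page.
# Function names are illustrative; the aws CLI calls used here only read state.

ADMIN_VIEW="arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminViewPolicy"
VIEW="arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"

# Succeeds only if the cluster's API server endpoint has public access enabled.
endpoint_is_public() {
  local public
  public=$(aws eks describe-cluster --name "$1" \
    --query 'cluster.resourcesVpcConfig.endpointPublicAccess' --output text) || return 2
  [ "$public" = "True" ]
}

# Prints one finding per access policy associated with the role's access entry.
# Returns 0 only when a view policy is attached and nothing else is.
check_policies() {
  local cluster="$1" role_arn="$2" arns arn found=1 extra=0
  arns=$(aws eks list-associated-access-policies --cluster-name "$cluster" \
    --principal-arn "$role_arn" --query 'associatedAccessPolicies[].policyArn' \
    --output text) || { echo "FAIL: no readable access entry for $role_arn"; return 2; }
  [ "$arns" = "None" ] && arns=""
  for arn in $arns; do
    case "$arn" in
      "$ADMIN_VIEW") echo "OK: full cluster view (read access includes Secrets)"; found=0 ;;
      "$VIEW")       echo "OK: restricted view (Nodes, RBAC Roles, Secrets not synced)"; found=0 ;;
      *)             echo "FAIL: unexpected policy on read-only role: $arn"; extra=1 ;;
    esac
  done
  [ "$found" -eq 0 ] || echo "FAIL: no view policy associated with $role_arn"
  [ "$found" -eq 0 ] && [ "$extra" -eq 0 ]
}

# Runs both checks; returns non-zero if either one fails.
eks_preflight() {
  local rc=0
  if endpoint_is_public "$1"; then
    echo "OK: API server endpoint is public"
  else
    echo "FAIL: API server endpoint is not public, or the cluster could not be read"; rc=1
  fi
  check_policies "$1" "$2" || rc=1
  return "$rc"
}

# Run directly as: ./preflight.sh <cluster-name> <role-arn>
if [ "$#" -eq 2 ]; then eks_preflight "$@"; fi
```

A failure on an unexpected policy is deliberate: the role is meant to be read-only, so anything beyond the two view policies deserves review before the first sync.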

Creating K8s Integration

  1. Navigate to Data Pipelines → Integrations in CloudQuery Platform

  2. Click Create Integration and select K8s

  3. Update the YAML configuration with your cluster details:

kind: source
spec:
  name: k8s
  path: cloudquery/k8s
  version: v7.6.0 # latest version of source k8s plugin
  tables:
    - "*"
  spec:
    providers:
      - cluster: my-cluster
        aws:
          region: <cluster-region>
          role_arn: <target-role-arn>
          external_id: <target-role-external-id>

Note: Make sure to replace the placeholder values in the YAML document!

  • <cluster-region> is the region where your EKS cluster is hosted, such as us-east-1.

  • <target-role-arn> is the principal ARN used to assign policies during the Configure EKS Cluster Access step.

  • <target-role-external-id> is the EXTERNAL_ID environment variable from the AWS integration setup guide.