Introduction
Amazon Elastic Kubernetes Service (EKS) provides a scalable and secure Kubernetes environment. While managing EKS nodes, administrators often need direct access for troubleshooting, debugging, or performing maintenance tasks. AWS Systems Manager (SSM) Session Manager offers a secure and seamless way to connect to EKS nodes without exposing them via SSH or managing key pairs.
This guide explains how to configure and use AWS Session Manager to connect to EKS worker nodes securely.
Prerequisites
Before connecting to AWS EKS nodes using Session Manager, ensure the following prerequisites are met:
- Amazon EKS Cluster: A running EKS cluster with worker nodes.
- AWS Systems Manager Agent (SSM Agent): Installed and running on the worker nodes.
- IAM Permissions: Proper IAM roles attached to the EKS nodes and user profiles.
- AWS CLI & kubectl: Installed and configured on the local machine.
Step 1: Attach IAM Permissions to EKS Nodes
To allow AWS Systems Manager to connect, the EKS worker nodes must have the appropriate IAM role.
- Navigate to the AWS Management Console → IAM → Roles.
- Select the role assigned to the EKS worker nodes.
- Attach the following policies:
  - AmazonSSMManagedInstanceCore
  - AmazonEC2RoleforSSM (if not already attached)
Alternatively, use the AWS CLI:
```bash
aws iam attach-role-policy --role-name <EKS-Node-Role> --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
```
Step 2: Verify SSM Agent on EKS Nodes
AWS Systems Manager Agent (SSM Agent) must be installed on each EKS worker node. Most Amazon Machine Images (AMIs) for EKS nodes come with the SSM Agent pre-installed. Verify its status with:
```bash
aws ssm describe-instance-information
```
If the SSM Agent is not installed, install it manually using:
```bash
sudo yum install -y amazon-ssm-agent
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
```
Step 3: Enable AWS Systems Manager in EKS
To register EKS nodes with AWS Systems Manager, ensure they are listed as managed instances:
```bash
aws ssm describe-instance-information
```
If the instances do not appear, restart the SSM Agent:
```bash
sudo systemctl restart amazon-ssm-agent
```
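As a check before Step 4, the following added example (not part of the original guide) cross-references the worker-node instance IDs against the JSON printed by `aws ssm describe-instance-information` and reports which nodes Session Manager can actually reach. The instance IDs, agent versions and the function name `session_manager_readiness` are constructed for illustration; the field names are those the CLI returns.

```python
import json

# Constructed sample of `aws ssm describe-instance-information --output json`.
SSM_OUTPUT = json.loads("""
{"InstanceInformationList": [
  {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "PingStatus": "Online",
   "AgentVersion": "3.2.0.0", "IsLatestVersion": true},
  {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "PingStatus": "ConnectionLost",
   "AgentVersion": "3.2.0.0", "IsLatestVersion": true},
  {"InstanceId": "i-0ccccccccccccccc3", "PingStatus": "Online",
   "AgentVersion": "3.0.0.0", "IsLatestVersion": false}
]}
""")

# Constructed worker-node instance IDs, e.g. copied from EC2 > Instances.
EKS_NODE_IDS = [
    "i-0aaaaaaaaaaaaaaa1",
    "i-0bbbbbbbbbbbbbbb2",
    "i-0ccccccccccccccc3",
    "i-0ddddddddddddddd4",  # absent from the SSM output above
]


def session_manager_readiness(node_ids, ssm_output):
    """Return {instance_id: status} for every expected worker node."""
    managed = {
        item["InstanceId"]: item
        for item in ssm_output.get("InstanceInformationList", [])
    }
    report = {}
    for node_id in node_ids:
        info = managed.get(node_id)
        if info is None:
            # Never registered: check the node IAM role (Step 1) and agent (Step 2).
            report[node_id] = "unregistered"
        elif info.get("PingStatus") != "Online":
            # Registered but not reporting: restart the agent as in Step 3.
            report[node_id] = "agent-" + info.get("PingStatus", "Unknown")
        elif not info.get("IsLatestVersion", True):
            report[node_id] = "ready-agent-outdated"
        else:
            report[node_id] = "ready"
    return report


if __name__ == "__main__":
    for node_id, status in session_manager_readiness(EKS_NODE_IDS, SSM_OUTPUT).items():
        print(f"{node_id}\t{status}")
```

Nodes reported as `unregistered` or `agent-ConnectionLost` will not appear as session targets until the role or agent issue is resolved.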
Step 4: Connect to an EKS Node Using Session Manager
Once the setup is complete, connect to an EKS worker node securely without SSH:
Using AWS CLI
```bash
aws ssm start-session --target <instance-id>
```
Replace <instance-id> with the specific EKS node instance ID from EC2 > Instances in the AWS Console.
Using AWS Console
- Go to AWS Systems Manager → Session Manager.
- Click Start Session.
- Select the target EKS node.
- Click Start Session to open an interactive shell.
Step 5: Verify Connectivity
Once connected, verify node status and Kubernetes pod details using:
```bash
kubectl get nodes
kubectl get pods -o wide
```
Benefits of Using AWS Session Manager for EKS
- Enhanced Security: No need for SSH keys or inbound port access.
- Audit Logging: Session logs can be stored in Amazon CloudWatch for monitoring.
- IAM-Based Access Control: Fine-grained permissions using AWS IAM policies.
- Seamless Connection: No need to manage bastion hosts or VPN configurations.
Conclusion
Connecting to AWS EKS worker nodes using AWS Systems Manager Session Manager improves security, reduces operational overhead, and enhances auditing capabilities. By following this guide, organizations can securely manage EKS nodes while adhering to best practices.