Passwordless Access for Amazon EKS
Configure AWS AssumeRole and JFrog Registry Operator for passwordless EKS cluster authentication without stored secrets.
JFrog Credentials Provider
Introduced a new Kubernetes kubelet credential provider for Amazon EKS, Azure AKS, and Google GKE that enables seamless, passwordless authentication with JFrog Artifactory for container image pulls, eliminating the need for manual image pull secret management.
For more information, see JFrog Credentials Provider.
JFrog Platform can leverage AWS AssumeRole to provide passwordless access in Amazon EKS. AssumeRole authentication lets AWS users apply their assigned roles to create temporary authentication tokens for the JFrog Platform.
AWS AssumeRole returns a set of temporary credentials (an access key ID, a secret access key, and a session token) that grant access to AWS resources. These short-lived credentials are used to authenticate to the Docker repository.
Passwordless access with AWS AssumeRole lets you download artifacts from and upload artifacts to a Docker repository without creating, rotating, or storing secrets. Short-lived, non-refreshable tokens handle image pulls and pushes, and no long-lived admin key is exposed or needs rotation.
The system never sends your secret access key. Requests are signed with AWS SigV4A instead, so the key is only ever used locally to produce a signature that AWS can verify. No AWS secrets leave the EKS cluster.
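To make that claim concrete, the following added example (not JFrog or AWS code) shows what "signing instead of sending the secret" means. It signs an STS GetCallerIdentity request with the symmetric SigV4 (HMAC) scheme rather than SigV4A, so that the verifying side fits in the same file, then checks that the secret access key appears nowhere in the transmitted headers, and that a verifier holding its own copy of the secret can recompute the signature. The access key, secret, session token and timestamps are constructed values; the 15-minute freshness window is the one STS applies to x-amz-date.

```python
"""SigV4-signed STS GetCallerIdentity request: the secret never leaves the pod.

Added example, not JFrog's or AWS's code. Uses the HMAC variant of SigV4
(not SigV4A) so both the signing and the verifying side fit in one file.
All credentials and timestamps are constructed, non-functional values.
"""
import hashlib
import hmac
from datetime import datetime, timedelta

ALGORITHM = "AWS4-HMAC-SHA256"
STS_HOST = "sts.amazonaws.com"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
MAX_CLOCK_SKEW = timedelta(minutes=15)  # STS refuses requests dated further off than this
DATE_FMT = "%Y%m%dT%H%M%SZ"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_access_key: str, date_stamp: str, region: str, service: str) -> bytes:
    # SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning.
    # The raw secret is consumed here and only the derived key touches the request.
    k_date = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def _signature(headers: dict, body: str, scope: str, secret_access_key: str):
    """Build canonical request and string-to-sign; return (signed_headers, hex signature)."""
    lc = {k.lower(): v.strip() for k, v in headers.items()}
    signed_headers = ";".join(sorted(lc))
    canonical_headers = "".join(f"{k}:{lc[k]}\n" for k in sorted(lc))
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers, payload_hash])
    string_to_sign = "\n".join([ALGORITHM, lc["x-amz-date"], scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    date_stamp, region, service, _ = scope.split("/")
    key = _signing_key(secret_access_key, date_stamp, region, service)
    return signed_headers, hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_get_caller_identity(access_key_id, secret_access_key, session_token, amz_date, region="us-east-1"):
    """Return the HTTP headers a client transmits. `amz_date` is YYYYMMDDTHHMMSSZ."""
    scope = f"{amz_date[:8]}/{region}/sts/aws4_request"
    headers = {
        "host": STS_HOST,
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "x-amz-date": amz_date,
        "x-amz-security-token": session_token,  # temporary creds send the session token, not the secret
    }
    signed_headers, signature = _signature(headers, STS_BODY, scope, secret_access_key)
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key_id}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def verify_get_caller_identity(headers, secret_access_key, now_amz_date, body=STS_BODY):
    """What the verifier (STS in production) does: look up the secret for the access key
    in the Credential scope, recompute the signature and compare in constant time.
    `now_amz_date` is the verifier's clock in YYYYMMDDTHHMMSSZ form; stale requests fail."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    auth = hdrs.get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False
    parts = dict(p.strip().split("=", 1) for p in auth[len(ALGORITHM) + 1:].split(","))
    _access_key_id, scope = parts["Credential"].split("/", 1)
    wanted = set(parts["SignedHeaders"].split(";"))
    signed = {k: v for k, v in hdrs.items() if k in wanted}
    if set(signed) != wanted or "x-amz-date" not in signed:
        return False
    skew = abs(datetime.strptime(now_amz_date, DATE_FMT) - datetime.strptime(signed["x-amz-date"], DATE_FMT))
    if skew > MAX_CLOCK_SKEW:
        return False
    _, expected = _signature(signed, body, scope, secret_access_key)
    return hmac.compare_digest(expected, parts["Signature"])


def secret_on_the_wire(headers, secret_access_key, body=STS_BODY):
    """True if the raw secret access key appears anywhere in what is transmitted."""
    return any(secret_access_key in v for v in headers.values()) or secret_access_key in body
```

The verifier never receives the secret; it only needs the same derivation to reproduce the signature, which is why the access key ID and session token travel in the clear while the secret stays in the pod. The skew check is also the reason the short-lived tokens the page describes cannot be replayed indefinitely even if a signed request is captured.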
You must provision permissions in the EKS cluster before you proceed with the configuration.
The JFrog Registry Operator supports two authentication mechanisms for obtaining AWS credentials:
- IRSA (IAM Roles for Service Accounts): Uses an OIDC identity provider and an `eks.amazonaws.com/role-arn` annotation on the Kubernetes ServiceAccount. Set `spec.authType: webIdentity` in the SecretRotator CR.
- EKS Pod Identity: Uses the EKS Pod Identity Agent and an EKS API association instead of an OIDC provider. No ServiceAccount annotation is required. Set `spec.authType: podIdentity` in the SecretRotator CR.
| Topic | IRSA | EKS Pod Identity |
|---|---|---|
| Where mapping lives | SA annotation `eks.amazonaws.com/role-arn` + IAM OIDC trust | EKS API association (cluster, namespace, SA name) → role ARN |
| Trust principal | OIDC provider + `sts:AssumeRoleWithWebIdentity` | `pods.eks.amazonaws.com` + `sts:AssumeRole` / `sts:TagSession` |
| Injected pod env vars | `AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE` | `AWS_CONTAINER_CREDENTIALS_FULL_URI`, `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` |
| SA annotation required? | Yes | No |
| `spec.authType` value | `webIdentity` | `podIdentity` or `auto` |
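As an added example (not the Registry Operator's code) covering the two mechanisms above, the following Python renders the IAM trust policy each one needs and shows one way an `auto` setting could decide between them from the environment variables each mechanism injects. The account ID, OIDC provider, namespace and ServiceAccount name are constructed; `detect_auth_type` and `check_prerequisites` are assumed illustrations of the decision, not the operator's actual logic.

```python
"""IRSA vs EKS Pod Identity: trust policies and an env-var probe for `auto`.

Added example, not the JFrog Registry Operator's code. Identifiers are
constructed; detect_auth_type/check_prerequisites are assumed illustrations.
"""
import json

# Env vars each mechanism injects into the pod (from the comparison table).
IRSA_ENV = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")
POD_IDENTITY_ENV = ("AWS_CONTAINER_CREDENTIALS_FULL_URI", "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")
ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"


def irsa_trust_policy(account_id, oidc_provider, namespace, service_account):
    """Trust policy for IRSA. `oidc_provider` is the issuer host/path without scheme,
    e.g. oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE.
    The `sub` condition is what stops any other ServiceAccount in the cluster from
    assuming the role; omitting it is the classic IRSA misconfiguration."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_provider}:aud": "sts.amazonaws.com",
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def pod_identity_trust_policy():
    """Trust policy for EKS Pod Identity. The namespace/ServiceAccount binding lives
    in the EKS association, not in the policy, so the policy itself is generic."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "pods.eks.amazonaws.com"},
            "Action": ["sts:AssumeRole", "sts:TagSession"],
        }],
    }


def render(policy):
    """JSON suitable for `aws iam create-role --assume-role-policy-document file://...`."""
    return json.dumps(policy, indent=2)


def irsa_service_account(namespace, name, role_arn):
    """The annotated ServiceAccount manifest IRSA needs (Pod Identity needs no annotation)."""
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": name, "namespace": namespace,
                         "annotations": {ROLE_ARN_ANNOTATION: role_arn}}}


def detect_auth_type(env):
    """Assumed `auto` logic: pick the mechanism from the injected environment and fail
    loudly when neither or both are present rather than silently choosing one."""
    irsa = all(k in env for k in IRSA_ENV)
    pod_identity = all(k in env for k in POD_IDENTITY_ENV)
    if irsa and pod_identity:
        raise ValueError("both IRSA and Pod Identity credentials are injected; set authType explicitly")
    if irsa:
        return "webIdentity"
    if pod_identity:
        return "podIdentity"
    raise ValueError("no AWS identity injected: missing SA annotation or Pod Identity association")


def check_prerequisites(auth_type, service_account):
    """Return a list of problems for the chosen authType against a ServiceAccount manifest."""
    annotations = service_account.get("metadata", {}).get("annotations", {})
    problems = []
    if auth_type == "webIdentity" and ROLE_ARN_ANNOTATION not in annotations:
        problems.append(f"IRSA requires the {ROLE_ARN_ANNOTATION} annotation on the ServiceAccount")
    if auth_type == "podIdentity" and ROLE_ARN_ANNOTATION in annotations:
        problems.append(f"Pod Identity does not use {ROLE_ARN_ANNOTATION}; remove it to avoid two identity paths")
    return problems
```

`render(irsa_trust_policy(...))` and `render(pod_identity_trust_policy())` produce the documents to attach when creating the role for each path; the ServiceAccount-level scoping is the visible difference, in the policy for IRSA and in the association for Pod Identity.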
AWS EKS Requirements
The minimum EC2 node instance type for the cluster is t2.medium; larger instance types are also supported.
To configure passwordless access, use one of the following methods:
- For a single-step installation, follow the Terraform approach to set up a complete JFrog Registry Operator.
- For IRSA (webIdentity), complete these tasks in order:
  - EKS Cluster Configuration with AWS Policy and IAM Role
  - Platform Passwordless Access Configuration for EKS
  - Registry Operator Installation in EKS
- For EKS Pod Identity (podIdentity), follow EKS Pod Identity Configuration.
Permissions for Passwordless Access to EKS Cluster
The Helm charts for the JFrog Registry Operator create the required permissions in the EKS cluster. Confirm those permissions exist before you continue with the configuration process.
EKS Cluster Configuration with AWS Policy and IAM Role
Configure an Amazon EKS cluster with the required AWS IAM policy and role to enable passwordless access for JFrog Platform services running in Kubernetes.
Platform Passwordless Access Configuration for EKS
Configure the JFrog Platform with the information required after completing the passwordless access configuration in the EKS platform.
Registry Operator Installation in EKS
Install the JFrog Registry Operator in an Amazon EKS cluster to enable passwordless authentication between Kubernetes workloads and JFrog Artifactory.
EKS Pod Identity Configuration
Install the EKS Pod Identity Agent, configure IAM trust for pods.eks.amazonaws.com, create Pod Identity associations, and deploy the operator with authType: podIdentity.
