Passwordless Access for Amazon EKS
JFrog Platform can leverage AWS AssumeRole for passwordless access to Amazon EKS clusters without storing credentials.
A new Kubernetes kubelet credential provider has been introduced for Amazon EKS, Azure AKS and Google GKE. It enables seamless, passwordless authentication with JFrog Artifactory for container image pulls, eliminating the need for manual image pull secret management.
For more information, see JFrog Credentials Provider.
JFrog Platform can leverage AWS AssumeRole to provide a passwordless access experience in Amazon EKS. AssumeRole authentication allows AWS users to use roles assigned to them to create temporary authentication tokens that can be used in the JFrog Platform.
AWS AssumeRole includes a set of temporary credentials that grant access to AWS resources that you might not have access to otherwise. These temporary credentials consist of an access key ID, a secret access key, and a session token. These short-lived secrets are stored in the Docker repository.
When you configure passwordless access with AWS AssumeRole, you enable the download and upload of artifacts from a Docker repository without the need to create and rotate secrets, or store these secrets in the Docker repository. This process improves Docker repository security by using non-refreshable short-lived tokens to pull and push Docker images, without exposing any admin master keys for rotation. The system does not send your secret access key at any time and instead uses AWS SigV4A capabilities. No AWS secrets are sent outside of the EKS system.
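How a signed request proves possession of temporary credentials without transmitting the secret access key, as an added example that is not JFrog's code. It implements standard AWS SigV4 (the HMAC-based scheme), not the SigV4A variant the page names; the credentials, the STS `GetCallerIdentity` request body and the function names are constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample values (not real credentials), in the three-part shape
# the page describes: access key ID, secret access key, session token.
SAMPLE = {
    "access_key_id": "ASIAEXAMPLEKEYID0000",
    "secret_access_key": "constructed-secret-access-key-not-real",
    "session_token": "constructed-session-token-not-real",
}
BODY = "Action=GetCallerIdentity&Version=2011-06-15"  # assumed request
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def sign_request(creds, region, service, host, body, now):
    """Return the headers of a SigV4-signed 'POST /' request."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    headers = {
        "content-type": "application/x-www-form-urlencoded",
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-security-token": creds["session_token"],  # sent as-is
    }
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical = "\n".join(
        ["POST", "/", "", canonical_headers, signed, sha256_hex(body)])
    scope = f"{date}/{region}/{service}/aws4_request"
    to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(canonical)])
    # The secret only seeds an HMAC chain; it never enters a header or the body.
    key = ("AWS4" + creds["secret_access_key"]).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds['access_key_id']}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers

def demo():
    return sign_request(SAMPLE, "us-east-1", "sts", "sts.amazonaws.com", BODY, NOW)

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The receiving side sees only the access key ID, the session token and the signature; the signature is bound to the date, region, service and request contents listed in the credential scope and signed headers.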
You must provision permissions in the EKS cluster before you proceed with the configuration.
AWS EKS Requirements
EC2 nodes in the cluster must be t2.medium or higher.
To configure passwordless access, you must complete the following tasks.
**Follow one of the following methods:**
- For a single-step installation, follow the Terraform approach to set up a complete JFrog Registry Operator.
or
