---
title: Configuring AWS Elastic Kubernetes Service (Amazon EKS) access
description: The steps to configure your Amazon EKS clusters to allow access management through the PingOne Privilege platform.
component: privilege
page_id: privilege:configuration:configuring-kubernetes-access/aws-eks
canonical_url: https://docs.pingidentity.com/privilege/configuration/configuring-kubernetes-access/aws-eks.html
revdate: May 4, 2026
section_ids:
  onboard-the-cluster-in-pingone-privilege: Onboard the cluster in PingOne Privilege
  additional-considerations: Additional considerations
  private-clusters: Private clusters
  default-permissions: Default permissions
---

# Configuring AWS Elastic Kubernetes Service (Amazon EKS) access

After you onboard an AWS account to PingOne Privilege, you can manage access to your EKS clusters and namespaces at a granular level.

**Note:** If an EKS cluster is configured to use the EKS API for authentication in combination with the `aws-auth` ConfigMap, PingOne Privilege automatically falls back to using the EKS API.

## Onboard the cluster in PingOne Privilege

1. In the PingOne Privilege admin console, on your AWS account's **Resource** tab, click **Rescan**.

2. After the rescan completes, go to **Targets**.

3. Find the newly discovered cluster, click **More Info**, and enable the **Manage** toggle to onboard it. For more details, see [Onboarding target resources](../../privileged-access-management/admin-tasks/cloud-accounts.html#onboarding-target-resources).

## Additional considerations

### Private clusters

If your EKS cluster is in a private VPC with no inbound internet access, you must deploy a PingOne Privilege gateway or relay within the same VPC. Learn more in [Configure network infrastructure](../network-infrastructure.html).
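The two cluster properties this page calls out, the authentication mode and private-only access, can be checked before you rescan. The following is an added example, not PingOne Privilege code: it reads the JSON printed by `aws eks describe-cluster` and assumes that a cluster with `endpointPublicAccess` set to `false` is the "no inbound internet access" case described above. The sample input and the `preflight` function name are constructed for illustration.

```python
import json

# Constructed sample of `aws eks describe-cluster --name <cluster>` output,
# trimmed to the fields read below. All values are made up.
SAMPLE = """
{"cluster": {
  "name": "example-cluster",
  "accessConfig": {"authenticationMode": "API_AND_CONFIG_MAP"},
  "resourcesVpcConfig": {
    "vpcId": "vpc-0example",
    "endpointPublicAccess": false,
    "endpointPrivateAccess": true,
    "publicAccessCidrs": []
  }
}}
"""


def preflight(describe_cluster_json: str) -> dict:
    """Summarize the onboarding-relevant settings of one EKS cluster."""
    cluster = json.loads(describe_cluster_json)["cluster"]
    mode = cluster.get("accessConfig", {}).get("authenticationMode", "UNKNOWN")
    vpc = cluster.get("resourcesVpcConfig", {})
    # Assumption: no public API endpoint == "no inbound internet access".
    private_only = vpc.get("endpointPublicAccess") is False

    notes = []
    if mode == "API_AND_CONFIG_MAP":
        notes.append("EKS API and aws-auth ConfigMap both enabled; "
                     "the EKS API is the one used.")
    if private_only:
        notes.append(f"API endpoint is private; deploy a gateway or relay "
                     f"in {vpc.get('vpcId', 'the cluster VPC')}.")
    elif vpc.get("publicAccessCidrs") not in (None, ["0.0.0.0/0"]):
        notes.append("Public endpoint is restricted by CIDR allowlist; "
                     "review reachability manually.")
    return {
        "name": cluster.get("name"),
        "authentication_mode": mode,
        "needs_gateway_or_relay": private_only,
        "notes": notes,
    }


if __name__ == "__main__":
    print(json.dumps(preflight(SAMPLE), indent=2))
```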

### Default permissions

By default, an administrative user is granted the `ProcyonKubeCtlView` permission. After the user connects to PingOne Privilege using the agent, their Kubernetes context is automatically available in their local `~/.kube/config` file.
