Credential access
Reads AWS credentials, kubeconfig, and IAM identity context.
brew
Use AWS IAM credentials to authenticate to Kubernetes. Version 0.7.18 via Homebrew; verified 2026-06-15.
agent safety
aws-iam-authenticator bridges AWS credentials into Kubernetes authentication.
Reads AWS credentials, kubeconfig, and IAM identity context.
Authentication is not mutation, but it enables subsequent Kubernetes writes.
Can unlock cluster access used by deployment tools.
Gate credential use and cluster context switching.
Allow identity inspection; require approval before enabling cluster access for mutating tools.
install
brew install aws-iam-authenticatorlocal Homebrew formula metadata
sudo port install aws-iam-authenticatorMacPorts ports tree · sysutils/aws-iam-authenticator/Portfile · source: api.github.com
nix profile install nixpkgs#aws-iam-authenticatornixpkgs package indexes · pkgs/by-name/aw/aws-iam-authenticator/package.nix · source: api.github.com
choco install aws-iam-authenticatorChocolatey community package catalog · aws-iam-authenticator · source: community.chocolatey.org
scoop install main/aws-iam-authenticatorScoop official bucket manifest trees · bucket/aws-iam-authenticator.json · source: api.github.com
winget install --id Kubernetes.aws-iam-authenticator -eWindows Package Manager source index · Kubernetes.aws-iam-authenticator · source: cdn.winget.microsoft.com
overview
Use AWS IAM credentials to authenticate to Kubernetes
history
AWS IAM Authenticator for Kubernetes is a Kubernetes authentication bridge that lets AWS IAM identities authenticate to Kubernetes clusters. It uses AWS STS GetCallerIdentity-signed tokens on the client side and maps IAM users, roles, or accounts to Kubernetes users and groups on the server side.
The repository README says the initial work was driven by Heptio and that the project receives community contributions while being maintained by Heptio and Amazon EKS OSS Engineers. The tool arose from the need to avoid a separate Kubernetes credential system for clusters whose administrators already manage AWS IAM credentials.
AWS's Open Source Blog described the 2018 community project as initially driven by Heptio, used by the Amazon EKS open source team as a starting point for mapping AWS IAM to Kubernetes RBAC, and donated to the Kubernetes Cloud Provider SIG. A 2019 AWS post described the renamed AWS IAM Authenticator and kops integration after the earlier Heptio Authenticator work.
The authenticator became important in the early Amazon EKS and Kubernetes-on-AWS ecosystem because it let kubectl authenticate through IAM rather than long-lived Kubernetes client certificates. AWS blog posts show it used for EKS, kops, LDAP/AD federation patterns, and self-managed Kubernetes clusters on AWS.
The official GitHub page shows a large project footprint for this batch's peer group, with roughly 2.3k stars, hundreds of forks, and more than 1,000 commits. Homebrew analytics showed 3,013 installs in 30 days, 9,650 in 90 days, and 35,664 in 365 days at the time of this batch, making it the dominant package in this batch by package-manager usage.
Cluster administrators run the server as a DaemonSet or integrate it with kops, configure the API server to use its token webhook kubeconfig, and define role/user mappings through a mounted config file, an EKS-style ConfigMap, or IAMIdentityMapping custom resources. Users then configure kubectl exec authentication to call `aws-iam-authenticator token` for a cluster ID.
The client token is based on a signed STS GetCallerIdentity request with the cluster ID in the request context. The README documents AWS profile selection through kubeconfig exec environment variables and maps roles/users/accounts to Kubernetes usernames and groups for RBAC.
For package nerds, aws-iam-authenticator is a canonical Kubernetes cloud-provider sidecar CLI: a single binary that lives at the boundary of kubectl exec plugins, AWS STS signing, kops, EKS, and Kubernetes SIG ownership. It is also a useful marker of the transition from early Heptio/EKS bootstrap tooling to more integrated Kubernetes authentication workflows.
security posture
infrastructure mutation or orchestration signal.
orange risk · medium confidence · infrastructure
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
/etc/aws-iam-authenticator/config.yaml/etc/kubernetes/aws-iam-authenticator/kubeconfig.yamlCredential-bearing paths to review before unattended agent runs.
~/.aws/credentials~/.aws/config%USERPROFILE%\.aws\credentials%USERPROFILE%\.aws\configexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
aws-iam-authenticator | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/kubernetes-sigs/aws-iam-authenticator
install metadata
| Package key | brew:aws-iam-authenticator |
|---|---|
| Version | 0.7.18 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/aws-iam-authenticator |
| Homepage | https://github.com/kubernetes-sigs/aws-iam-authenticator |
| Repository | https://github.com/kubernetes-sigs/aws-iam-authenticator |
| Upstream docs | https://github.com/kubernetes-sigs/aws-iam-authenticator#readme |
| License | Apache-2.0 |
| Source archive | https://github.com/kubernetes-sigs/aws-iam-authenticator/archive/refs/tags/v0.7.18.tar.gz |
| Last updated | 2026-06-15T21:06:25Z |
| Pulse | updated |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | aws-iam-authenticator |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
aws-iam-authenticator
nix profile install nixpkgs#aws-iam-authenticatoraws-iam-authenticator
sudo port install aws-iam-authenticatoraws-iam-authenticator
choco install aws-iam-authenticatormain/aws-iam-authenticator
scoop install main/aws-iam-authenticatorKubernetes.aws-iam-authenticator
winget install --id Kubernetes.aws-iam-authenticator -esource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.