Automic VaultAutomic Vault

brew

Install aws-iam-authenticator with Homebrew, chocolatey, MacPorts, Nix, scoop, winget

Use AWS IAM credentials to authenticate to Kubernetes. Version 0.7.18 via Homebrew; verified 2026-06-15.

agent safety

Agent safety answer

aws-iam-authenticator bridges AWS credentials into Kubernetes authentication.

Credential access

Reads AWS credentials, kubeconfig, and IAM identity context.

Remote mutation

Authentication is not mutation, but it enables subsequent Kubernetes writes.

Publish/artifact risk

Can unlock cluster access used by deployment tools.

Recommended control

Gate credential use and cluster context switching.

Agent-use guidance

Allow identity inspection; require approval before enabling cluster access for mutating tools.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install aws-iam-authenticator

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install aws-iam-authenticator

MacPorts ports tree · sysutils/aws-iam-authenticator/Portfile · source: api.github.com

Linux

Nixverified · 92%
nix profile install nixpkgs#aws-iam-authenticator

nixpkgs package indexes · pkgs/by-name/aw/aws-iam-authenticator/package.nix · source: api.github.com

Windows

Chocolateyverified · 92%
choco install aws-iam-authenticator

Chocolatey community package catalog · aws-iam-authenticator · source: community.chocolatey.org

Scoopverified · 92%
scoop install main/aws-iam-authenticator

Scoop official bucket manifest trees · bucket/aws-iam-authenticator.json · source: api.github.com

Windows Package Managerverified · 92%
winget install --id Kubernetes.aws-iam-authenticator -e

Windows Package Manager source index · Kubernetes.aws-iam-authenticator · source: cdn.winget.microsoft.com

overview

Package summary

Use AWS IAM credentials to authenticate to Kubernetes

Commands and aliases

  • aws-iam-authenticator

history

Project history and usage

AWS IAM Authenticator for Kubernetes is a Kubernetes authentication bridge that lets AWS IAM identities authenticate to Kubernetes clusters. It uses AWS STS GetCallerIdentity-signed tokens on the client side and maps IAM users, roles, or accounts to Kubernetes users and groups on the server side.

Project history

The repository README says the initial work was driven by Heptio and that the project receives community contributions while being maintained by Heptio and Amazon EKS OSS Engineers. The tool arose from the need to avoid a separate Kubernetes credential system for clusters whose administrators already manage AWS IAM credentials.

AWS's Open Source Blog described the 2018 community project as initially driven by Heptio, used by the Amazon EKS open source team as a starting point for mapping AWS IAM to Kubernetes RBAC, and donated to the Kubernetes Cloud Provider SIG. A 2019 AWS post described the renamed AWS IAM Authenticator and kops integration after the earlier Heptio Authenticator work.

Adoption history

The authenticator became important in the early Amazon EKS and Kubernetes-on-AWS ecosystem because it let kubectl authenticate through IAM rather than long-lived Kubernetes client certificates. AWS blog posts show it used for EKS, kops, LDAP/AD federation patterns, and self-managed Kubernetes clusters on AWS.

The official GitHub page shows a large project footprint for this batch's peer group, with roughly 2.3k stars, hundreds of forks, and more than 1,000 commits. Homebrew analytics showed 3,013 installs in 30 days, 9,650 in 90 days, and 35,664 in 365 days at the time of this batch, making it the dominant package in this batch by package-manager usage.

How it is used

Cluster administrators run the server as a DaemonSet or integrate it with kops, configure the API server to use its token webhook kubeconfig, and define role/user mappings through a mounted config file, an EKS-style ConfigMap, or IAMIdentityMapping custom resources. Users then configure kubectl exec authentication to call `aws-iam-authenticator token` for a cluster ID.

The client token is based on a signed STS GetCallerIdentity request with the cluster ID in the request context. The README documents AWS profile selection through kubeconfig exec environment variables and maps roles/users/accounts to Kubernetes usernames and groups for RBAC.

Why package nerds care

For package nerds, aws-iam-authenticator is a canonical Kubernetes cloud-provider sidecar CLI: a single binary that lives at the boundary of kubectl exec plugins, AWS STS signing, kops, EKS, and Kubernetes SIG ownership. It is also a useful marker of the transition from early Heptio/EKS bootstrap tooling to more integrated Kubernetes authentication workflows.

Timeline

  • 2018: AWS Open Source Blog describes aws-iam-authenticator as an initially Heptio-driven community project used by the Amazon EKS open source team.
  • 2019: AWS posts updated kops deployment guidance for AWS IAM Authenticator after the Heptio Authenticator donation to Cloud Provider SIG.
  • 2026: Homebrew formula metadata packages aws-iam-authenticator v0.7.18.

Related projects

  • Heptio Authenticator: the earlier name/history described by AWS blog posts.
  • Amazon EKS: a major adoption driver for IAM-backed Kubernetes authentication.
  • kops: Kubernetes-on-AWS cluster tooling with integration guidance for the authenticator.

security posture

Risk level: orange

infrastructure mutation or orchestration signal.

Risk classifier

orange risk · medium confidence · infrastructure

Why

  • infrastructure mutation or orchestration signal

Signals

  • text:kubernetes

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
/etc/aws-iam-authenticator/config.yaml/etc/kubernetes/aws-iam-authenticator/kubeconfig.yaml

Credential files

Credential-bearing paths to review before unattended agent runs.

Unix
~/.aws/credentials~/.aws/config
Windows
%USERPROFILE%\.aws\credentials%USERPROFILE%\.aws\config

executables

Installed executables

CommandKindExposureNote
aws-iam-authenticatorcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.7.18
manager updated2026-06-15
local dataok
upstreamcurrent
latest detectedv0.7.18

https://github.com/kubernetes-sigs/aws-iam-authenticator

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:aws-iam-authenticator
Version0.7.18
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/aws-iam-authenticator
Homepagehttps://github.com/kubernetes-sigs/aws-iam-authenticator
Repositoryhttps://github.com/kubernetes-sigs/aws-iam-authenticator
Upstream docshttps://github.com/kubernetes-sigs/aws-iam-authenticator#readme
LicenseApache-2.0
Source archivehttps://github.com/kubernetes-sigs/aws-iam-authenticator/archive/refs/tags/v0.7.18.tar.gz
Last updated2026-06-15T21:06:25Z
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameaws-iam-authenticator
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

aws-iam-authenticator

nix profile install nixpkgs#aws-iam-authenticator
  • normalized package name match
  • Matched by: Aws Iam Authenticator
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/aw/aws-iam-authenticator/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
MacPorts95%

aws-iam-authenticator

sudo port install aws-iam-authenticator
  • normalized package name match
  • Matched by: Aws Iam Authenticator
MacPorts ports tree · api.github.com · MacPorts ports tree: sysutils/aws-iam-authenticator/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
Chocolatey95%

aws-iam-authenticator

choco install aws-iam-authenticator
  • normalized package name match
  • Matched by: Aws Iam Authenticator
Chocolatey community package catalog · community.chocolatey.org · Chocolatey community package catalog: aws-iam-authenticator from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','autodesk-fusion360'
Scoop95%

main/aws-iam-authenticator

scoop install main/aws-iam-authenticator
  • normalized package name match
  • Matched by: Aws Iam Authenticator
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/aws-iam-authenticator.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
winget95%

Kubernetes.aws-iam-authenticator

winget install --id Kubernetes.aws-iam-authenticator -e
  • normalized package name match
  • Matched by: Aws Iam Authenticator
Windows Package Manager source index · cdn.winget.microsoft.com · Windows Package Manager source index: Kubernetes.aws-iam-authenticator from https://cdn.winget.microsoft.com/cache/source.msix

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated agent safety answer
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment