AWS EKS
CloudQuery Platform supports integration with Amazon Elastic Kubernetes Service (EKS). To sync EKS clusters, configure cross-account access and create an access entry for each cluster.
Prerequisites
- A CloudQuery Platform account with admin access
- AWS CLI installed and configured
- An existing AWS integration configured in CloudQuery Platform (this creates the cross-account-readonly-role referenced below)
- One or more EKS clusters running in your AWS account
The API server endpoint of your EKS cluster must be publicly available for the CloudQuery Kubernetes integration to sync resources. Private-only endpoints are not supported.
Before starting, set this environment variable:
export TARGET_ACCOUNT_ID="<YOUR_AWS_ACCOUNT_ID>"
Configure EKS cluster access
In the target AWS account, create an IAM access entry and assign an access policy to your EKS cluster.
- Create an IAM access entry for your EKS cluster:
aws eks create-access-entry \
--cluster-name <YOUR_CLUSTER_NAME> \
--principal-arn arn:aws:iam::${TARGET_ACCOUNT_ID}:role/cross-account-readonly-role \
--type STANDARD
- Choose one of the following policies based on the level of access required:
Full cluster view (recommended): Allows CloudQuery to sync all cluster resources.
aws eks associate-access-policy \
--cluster-name <YOUR_CLUSTER_NAME> \
--principal-arn arn:aws:iam::${TARGET_ACCOUNT_ID}:role/cross-account-readonly-role \
--access-scope type=cluster \
--policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminViewPolicy
Restricted view: A more restrictive view policy. If you choose it, most core cluster resources such as Nodes, RBAC Roles, and Secrets will not be synced; use it only if you don't need access to these resources:
aws eks associate-access-policy \
--cluster-name <YOUR_CLUSTER_NAME> \
--principal-arn arn:aws:iam::${TARGET_ACCOUNT_ID}:role/cross-account-readonly-role \
--access-scope type=cluster \
--policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy
Creating the K8s integration
- Navigate to Data Pipelines → Integrations in CloudQuery Platform.
- Click Create Integration and select K8s.
- Select Amazon Web Services (AWS EKS) from the Cloud provider dropdown.
Cluster configuration
For each EKS cluster, fill in the following fields:
- Cluster name — the name of your EKS cluster.
- Region — the AWS region where the cluster is hosted (e.g. us-east-1).
- Role ARN — the principal ARN used to assign policies during the configure EKS cluster access step.
- External ID — the EXTERNAL_ID from the AWS integration setup guide.
To sync multiple EKS clusters, click Add cluster and repeat the configuration for each cluster.
To add clusters from a different cloud provider (Azure or GCP), create a separate K8s integration.
- Click Test Connection to verify access.
What gets synced
The Kubernetes integration syncs cluster resources across all standard Kubernetes API groups. Some of the most commonly used tables include:
| Category | Tables | Description |
|---|---|---|
| Workloads | k8s_core_pods, k8s_apps_deployments, k8s_apps_stateful_sets | Pods, Deployments, StatefulSets |
| Networking | k8s_core_services, k8s_networking_ingresses | Services, Ingresses |
| Configuration | k8s_core_config_maps, k8s_core_secrets | ConfigMaps, Secrets |
| Cluster | k8s_core_nodes, k8s_core_namespaces | Nodes, Namespaces |
| RBAC | k8s_rbac_roles, k8s_rbac_cluster_roles | Roles, ClusterRoles |
See the full K8s table list for all available tables.
Verify the integration
After your first sync completes, open the SQL Console and run these queries to confirm Kubernetes data arrived:
-- Count synced pods
SELECT count(*) FROM k8s_core_pods;
-- List namespaces
SELECT DISTINCT namespace FROM k8s_core_pods;
-- View deployments
SELECT namespace, name FROM k8s_apps_deployments LIMIT 10;
-- Check nodes
SELECT name FROM k8s_core_nodes;
You can also browse your Kubernetes resources in the Asset Inventory under the Containers category.
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| AccessDeniedException | Access entry not created or wrong principal ARN | Verify the access entry exists with aws eks list-access-entries --cluster-name <YOUR_CLUSTER_NAME>. The principal ARN must match the cross-account-readonly-role. |
| Cluster unreachable | Private API server endpoint | The EKS cluster must have a public endpoint enabled. Check the cluster’s networking configuration in the AWS console. |
| Missing resources (no Nodes, RBAC) | Restrictive access policy | The AmazonEKSViewPolicy does not grant access to Nodes, RBAC, or Secrets. Switch to AmazonEKSAdminViewPolicy for full read-only access. |
| No data after sync | Access policy not associated | Verify the access policy is associated with aws eks list-associated-access-policies --cluster-name <YOUR_CLUSTER_NAME> --principal-arn <YOUR_PRINCIPAL_ARN>. |
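The checks from the troubleshooting table can be combined into one pre-flight function to run per cluster before clicking Test Connection. This is an added example, not CloudQuery tooling: the names `classify_policy` and `preflight` and the OK/FAIL labels are hypothetical, the `describe-cluster` query is a CLI stand-in for the console check, and the function goes slightly beyond the table by failing when the read-only role carries any policy other than the two view policies named on this page.

```shell
#!/bin/sh
# Added example: pre-flight check for one EKS cluster.
# Assumes TARGET_ACCOUNT_ID is exported and the AWS CLI targets the cluster's region.
ROLE_NAME="cross-account-readonly-role"

# Map a policy ARN to the access level described on this page.
classify_policy() {
  case "${1##*/}" in
    AmazonEKSAdminViewPolicy) echo "full-view" ;;       # Nodes, RBAC, Secrets readable
    AmazonEKSViewPolicy)      echo "restricted-view" ;; # no Nodes, RBAC, Secrets
    *)                        echo "unexpected" ;;      # not one of the two view policies
  esac
}

# Prints one finding per line; returns 0 only if every check passes,
# 1 on a failed check, 2 if an AWS CLI call itself fails.
preflight() {
  cluster="$1"
  principal="arn:aws:iam::${TARGET_ACCOUNT_ID}:role/${ROLE_NAME}"
  rc=0; policies=""

  entries=$(aws eks list-access-entries --cluster-name "$cluster" \
    --query 'accessEntries' --output text) || return 2
  if printf '%s\n' "$entries" | tr '\t' '\n' | grep -qxF "$principal"; then
    echo "OK   access entry exists"
    policies=$(aws eks list-associated-access-policies --cluster-name "$cluster" \
      --principal-arn "$principal" \
      --query 'associatedAccessPolicies[].policyArn' --output text) || return 2
  else
    echo "FAIL no access entry for $principal"; rc=1
  fi

  [ -n "$policies" ] || { echo "FAIL no access policy associated"; rc=1; }
  for arn in $policies; do
    level=$(classify_policy "$arn")
    case "$level" in
      unexpected) echo "FAIL $arn is not a view policy"; rc=1 ;;
      *)          echo "OK   $level via ${arn##*/}" ;;
    esac
  done

  public=$(aws eks describe-cluster --name "$cluster" \
    --query 'cluster.resourcesVpcConfig.endpointPublicAccess' --output text) || return 2
  case "$public" in
    [Tt]rue) echo "OK   public API endpoint enabled" ;;
    *)       echo "FAIL API endpoint is private-only"; rc=1 ;;
  esac
  return "$rc"
}
```

After sourcing the file, run `preflight <YOUR_CLUSTER_NAME>`; a `full-view` result means the role can read Secrets, which then appear in k8s_core_secrets.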
Next steps
- Set up a sync to schedule when your cluster data is fetched
- Browse synced resources in the Asset Inventory
- Run advanced queries in the SQL Console
- See the K8s integration documentation for full table reference