Posted On: Mar 27, 2023

Amazon Elastic Kubernetes Service (EKS) announces domainless Group Managed Service Account (gMSA) support for Windows containers. This lets customers authenticate applications hosted on Amazon EKS against Microsoft Active Directory (AD) using a portable user identity and a plug-in mechanism that retrieves the gMSA credentials for their Windows containers. Customers can now run containers that require AD authentication without joining the EKS nodes to the domain, even during autoscaling events.

A Group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, service principal name (SPN) management, and the ability to delegate its management to other administrators across multiple servers or instances. This allows multiple containers or resources to share a single AD account, and to access network-shared resources such as SQL Server hosts or file shares, without authenticating each container or resource individually. Since the launch of EKS version 1.14, customers have been able to run EKS Windows containers with gMSA by joining the underlying nodes to a target AD domain. Now customers can also use a built-in plug-in on the latest EKS-Optimized Windows AMIs (versions 1.22 and above) that enables non-domain-joined Windows nodes to retrieve gMSA credentials with a portable user identity instead of a host computer account. Read this blog for a step-by-step guide on how to get started.

Windows containers support on Amazon EKS is available in all public AWS regions and the AWS GovCloud (US) Regions as listed here. To learn more about running Windows containers on Amazon EKS, visit the Amazon EKS Optimized Windows AMI documentation and our product page.