Why can't I connect to my Amazon EKS cluster?

Last updated: 2020-01-20

I created an Amazon Elastic Kubernetes Service (Amazon EKS) cluster, but I can't connect to my cluster.

Short description

After you create your Amazon EKS cluster, you must then configure your kubeconfig file with the AWS Command Line Interface (AWS CLI). This configuration allows you to connect to your cluster using the kubectl command line.

The following resolution shows you how to create a kubeconfig file for your cluster with the AWS CLI update-kubeconfig command. To manually update your kubeconfig file without using the AWS CLI, see Create a kubeconfig for Amazon EKS.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.


1.    To confirm that AWS CLI version 1.16.308 or greater is installed on your system, run the following command:

$ aws --version

Important: You must have Python version 2.7.9 or greater installed on your system. Otherwise, you receive an error.

Tip: Package managers such as yum, apt-get, or homebrew for macOS are often used to install the AWS CLI.

2.    To create or update the kubeconfig file for your cluster, run the following command:

aws eks --region region update-kubeconfig --name cluster_name

Note: Replace region with your AWS Region. Replace cluster_name with your cluster name.

By default, the configuration file is created at the kubeconfig path ($HOME/.kube/config) in your home directory or merged with an existing kubeconfig at that location. For Windows, the file is at %USERPROFILE%\.kube\config.

You can also specify another path by setting the KUBECONFIG (from the Kubernetes website) environment variable, or with the following --kubeconfig option:

$ kubectl get pods --kubeconfig ./.kube/config

Note: For authentication when you run kubectl commands, you can specify an AWS Identity and Access Management (IAM) role Amazon Resource Name (ARN) with the --role-arn option. Otherwise, the IAM entity in your default AWS CLI or SDK credential chain is used. To view your default AWS CLI or SDK identity, run the aws sts get-caller-identity command.

For more information, see update-kubeconfig.

3.    To test your configuration, run the following command:

$ kubectl get svc

The output should be similar to the following:

svc/kubernetes   ClusterIP   <none>        443/TCP   1m

Note: If you receive other authorization or resource type errors, see Unauthorized or access denied (kubectl).