clusterawsadm bootstrap credentials

Encode credentials to use with Kubernetes Cluster API Provider AWS


The utility will attempt to find credentials in the following order:

  1. Check for the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.
  2. Read the default credentials from the shared configuration files ~/.aws/credentials or the default profile in ~/.aws/config.
  3. Check for the presence of an EC2 IAM instance profile if it’s running on AWS.
  4. Check for ECS credentials.

IAM role assumption can be performed by using any valid configuration for the AWS CLI at:

For role assumption to be used, a region is required for the utility to use the AWS Security Token Service (STS). The utility resolves the region in the following order:

  1. Check for the --region flag.
  2. Check for the AWS_REGION environment variable.
  3. Check for the DEFAULT_AWS_REGION environment variable.
  4. Check that a region is specified in the shared configuration file.

The utility will then generate an ini-file with a default profile corresponding to the resolved credentials.

If a region cannot be found, for the purposes of using AWS Security Token Service, this utility will fall back to us-east-1. This does not affect the region in which clusters will be created.

In the case of an instance profile or role assumption, note that encoded credentials are time-limited.

clusterawsadm bootstrap credentials [flags]


  # Encode credentials from the environment for use with clusterctl
  export AWS_B64ENCODED_CREDENTIALS=$(clusterawsadm bootstrap credentials encode-as-profile)
  clusterctl init --infrastructure aws
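
The exported value is only base64-encoded, not encrypted, and credentials taken from an instance profile or an assumed role expire. The following added example (not part of clusterawsadm or the project's code) classifies an encoded profile as temporary or long-lived without printing any secret. It assumes the generated ini file uses the standard AWS shared-credentials key names; the function names and sample values are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of clusterawsadm. Assumption: the decoded value is an
# ini file whose [default] profile uses the standard AWS shared-credentials
# key names (aws_access_key_id, aws_secret_access_key, aws_session_token).

# Print the value of one key from the [default] section of ini text on stdin.
ini_default_value() {
  awk -v key="$1" '
    /^[ \t]*\[/ { in_default = ($0 ~ /^[ \t]*\[default\][ \t]*$/); next }
    in_default {
      eq = index($0, "=")
      if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }'
}

# Classify an encoded profile without echoing any secret material.
# Prints "temporary", "long-lived" or "invalid" (non-zero status on invalid).
classify_encoded_credentials() {
  local decoded
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || { echo invalid; return 1; }
  [ -n "$(printf '%s\n' "$decoded" | ini_default_value aws_access_key_id)" ] \
    || { echo invalid; return 1; }
  if [ -n "$(printf '%s\n' "$decoded" | ini_default_value aws_session_token)" ]; then
    echo temporary    # session token present: these credentials will expire
  else
    echo long-lived   # static access key: valid until rotated or revoked
  fi
}

# Constructed sample profiles (placeholder values, not real keys).
SAMPLE_STATIC=$(printf '[default]\naws_access_key_id = AKIAEXAMPLEPLACEHOLDER\naws_secret_access_key = placeholder-secret\nregion = us-east-1\n' | base64 | tr -d '\n')
SAMPLE_STS=$(printf '[default]\naws_access_key_id = ASIAEXAMPLEPLACEHOLDER\naws_secret_access_key = placeholder-secret\nregion = eu-west-1\naws_session_token = placeholder-token\n' | base64 | tr -d '\n')

echo "static sample:  $(classify_encoded_credentials "$SAMPLE_STATIC")"
echo "session sample: $(classify_encoded_credentials "$SAMPLE_STS")"
```

To check the value produced by the command above, call `classify_encoded_credentials "$AWS_B64ENCODED_CREDENTIALS"` after sourcing the functions.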


  -h, --help   help for credentials

Options inherited from parent commands

  -v, --v int   Set the log level verbosity. (default 2)


Auto generated by spf13/cobra on 18-Jul-2024