Posted On: Mar 28, 2023
Amazon Elastic Kubernetes Service (EKS) announces domainless Group Managed Service Account (gMSA) support for Windows containers. This helps customers to easily authenticate applications hosted on Amazon EKS with Microsoft Active Directory (AD) using a portable user identity and using a plug-in mechanism to retrieve the gMSA credentials for their Windows containers. With the latest offering, customers can run containers without joining the Amazon EKS nodes or underlying instances to the domain and they don’t need to rejoin the node to a domain in rolling update or auto scale events.
Group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, service principal name (SPN) management, and the ability to delegate the management to other administrators over multiple servers/instances. This allows multiple containers or resources to share an AD account without having to know the password. Since containers cannot join an AD domain, they can still use gMSA to support various authentication scenarios and to access network shared resources such as SQL Server hosts, SharePoint servers, or file-shares. While since the launch of EKS version 1.14, customers have been able to run EKS Windows containers with gMSA account by joining EKS Windows nodes to a target AD domain. Today, we launched its own plugin that is now built-in in the latest Amazon EKS Optimized Windows AMIs (versions 1.22 and above) that enables non-domain-joined Windows nodes to retrieve gMSA credentials with a portable user identity instead of a host computer account. To follow a step by step guide for how to configure your EKS Windows to set-up domainless gMSA, read this blog.
To learn more about running Windows containers on Amazon EKS, visit the Amazon EKS Optimized Windows AMI documentation. To learn more about Amazon EKS, visit our product page.