Kubeadapt
Get started
DocsConfigurationAPI ReferenceCLI
HOW-TO GUIDES

AWS Integration

On-demand and spot instance pricing works by default, no configuration needed. To reflect Reserved Instance and Savings Plan discounts in node pricing, connect your AWS account.

Pricing TypeSetup RequiredHow It WorksStatus
On-DemandNoneFetched from AWS pricing APIsSupported
SpotNoneReal-time spot prices per region, AZ, and instance typeSupported
Reserved InstancesCloud account connectionRead via Cost Explorer APIImplemented
Savings PlansCloud account connectionRead via Cost Explorer APIImplemented
Tip

If you don't use Reserved Instances or Savings Plans, you can still connect your AWS account to enable EKS cluster auto-discovery and benefit from cloud cost features as they become available. The connection is read-only and requires no additional permissions later. If you'd rather skip this for now, continue with the installation steps.

Connecting Your AWS Account

Connecting your AWS account unlocks two things:

  • RI/SP cost attribution: Your Reserved Instance and Savings Plan commitments are reflected in per-node pricing.
  • EKS cluster auto-discovery: Your EKS clusters are automatically detected and listed in the Clusters tab.

How It Works

When you connect your account, a bash script creates a cross-account IAM role in your AWS account. Kubeadapt assumes this role to read data. Nothing is written or modified.

Note

Running multiple AWS accounts? Connect through your management account. The script handles deploying to member accounts automatically.

Step 1: Open the Cloud Accounts Tab

Navigate to Clusters → Cloud Accounts in the Kubeadapt dashboard and click Add Cloud Integration.

Step 2: Select AWS

Choose Amazon Web Services from the provider list.

Step 3: Name and Permissions

Give your integration a name. This is just a label for the Cloud Accounts table (e.g. "AWS" or your company name). If the account is a management account, member accounts get their names from AWS Organizations automatically.

Choose a permission level:

LevelPolicyBest For
Full Read-Only (default)AWS managed ReadOnlyAccessBroadest visibility: cost analysis, resource discovery, EKS cluster detection
MinimalCustom inline policyLeast privilege: only EKS, EC2, Cost Explorer, CloudWatch, Savings Plans

Minimal permission details

The minimal policy includes:

  • EC2: DescribeInstances, DescribeReservedInstances, DescribeRegions, DescribeVolumes, and related read actions
  • EKS: ListClusters, DescribeCluster, ListNodegroups, DescribeNodegroup
  • Cost Explorer: GetCostAndUsage, GetSavingsPlansUtilization, GetReservationUtilization
  • CloudWatch: ListMetrics, GetMetricData
  • Savings Plans: Describe*, List*
  • Auto Scaling: DescribeAutoScalingGroups, DescribeLaunchConfigurations
  • Organizations: ListAccounts, DescribeOrganization
Tip

We recommend Full Read-Only unless your security policy requires minimal permissions. Both levels are strictly read-only. Over time, Kubeadapt will surface additional cloud cost insights from your account, so Full Read-Only saves you from reconnecting later.

Step 4: Run the Setup Script

Kubeadapt generates a bash script for your integration. Copy it and run it in a terminal with AWS CLI access to the target account.

The script will:

  1. Create an IAM role (kubeadapt-integration-role) with a trust policy scoped to Kubeadapt
  2. Attach the selected permissions
  3. For management accounts, extend the role to all member accounts
  4. Report back to Kubeadapt automatically
Tip

You'll need the aws CLI and permissions to create IAM roles. Run it as an admin or with iam:CreateRole and iam:AttachRolePolicy.

Step 5: Verify

Kubeadapt polls automatically for the setup to complete. Once detected:

  • The connection status changes to Connected
  • Your EKS clusters appear in the Clusters tab
  • RI/SP cost data appears within ~15 minutes

You can also click Verify Manually if you prefer not to wait for auto-detection.

Managing Cloud Accounts

Connected accounts appear in the Cloud Accounts table with:

  • Status: Connected, Pending, Failed, or Disconnected
  • Type: Management (with expandable member accounts) or standalone Account
  • Actions: Verify Connection, Sync Members (management accounts), or Delete

AWS Organizations

When you connect a management account:

  • You can Sync Members anytime to pick up newly added accounts
  • Deleting a management account removes all associated member accounts

Verification

To confirm everything is working, check the Clusters page in the dashboard:

  • On-demand/Spot pricing: Node costs should appear immediately after agent installation
  • RI/SP attribution (optional): After connecting your cloud account, node-level costs reflect your commitment discounts within ~15 minutes

Removing the Integration

To disconnect your AWS account:

  1. Go to Clusters → Cloud Accounts
  2. Click the actions menu (⋯) on the integration and select Delete
  3. A dialog shows an uninstall command. Run it in your AWS account to remove the IAM role

For management accounts, this also cleans up the CloudFormation StackSet and member account roles.

Troubleshooting

Verification fails after running the script

  • Make sure the AWS CLI session has the correct account and region
  • Check that the IAM role was created: aws iam get-role --role-name kubeadapt-integration-role
  • For management accounts, verify the StackSet deployed: aws cloudformation describe-stack-set --stack-set-name kubeadapt-member-roles

RI/SP data not showing

  • Cost Explorer can take up to 24 hours to populate initial data in a fresh account
  • Verify the IAM role has ce:GetReservationUtilization and ce:GetSavingsPlansUtilization permissions
  • Check that the integration status is Connected in Cloud Accounts

EKS clusters not discovered

  • Ensure the IAM role has eks:ListClusters and eks:DescribeCluster permissions
  • If using Minimal permissions, verify the policy was applied correctly

Next Steps

← PreviousIntegrationsNext →GCP