Using a principal for LKE cluster in bucket policy

I want to use a bucket policy to whitelist access from my LKE cluster only, but I can't find which principal should be used for that. Is this possible? I don't like to rely on the aws:SourceIp condition as it might change when my cluster updates/scales.

1 Reply

Setting up a bucket policy to whitelist access from your cluster directly may not be the most stable way to run your setup (for the exact reason you mentioned: IPs subject to change).

For incoming traffic you could create a NodeBalancer as a front-end ingress controller, which would have a static IP, and your cluster could communicate with your bucket on an allow list. More on that here:

As far as outbound traffic goes, there is not really (to my knowledge) a way to set up outgoing LKE traffic to come from a single (static) IP, but a workaround using a NAT gateway may work for the time being:

For the above, you would just need to connect the NAT gateway (the compute instance running WireGuard, because that IP would be static) to your bucket.

Looking forward, I know that Akamai is working on developing a native NAT gateway solution, but no timeline on that feature's release yet, so keep your eyes peeled.

Hope that helps!
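As an added example (not part of the original thread, and not Linode's or Akamai's own code), the policy shape the reply implies: since there is no cluster-level principal to name, the allow list keys on the single static egress address of the NAT gateway via the aws:SourceIp condition. The bucket name, the NAT gateway address 203.0.113.10/32 and the client addresses are constructed placeholders, and the small evaluator assumes the storage backend interprets IpAddress/aws:SourceIp the way S3-style policy engines do.

```python
"""Added example: build an aws:SourceIp allow-list bucket policy pinned to the
NAT gateway's static IP, and evaluate which client addresses it matches.

Assumptions (constructed for illustration, not from the page):
  - bucket name "my-bucket", NAT gateway public IP 203.0.113.10/32 (TEST-NET-3)
  - the object storage backend honours the aws:SourceIp condition key
"""
import ipaddress
import json

BUCKET = "my-bucket"                 # assumed bucket name
NAT_GATEWAY_IP = "203.0.113.10/32"   # assumed static IP of the WireGuard NAT instance


def build_policy(bucket: str, allowed_cidrs: list) -> dict:
    """Allow object reads/writes only when the request's source IP is on the allow list.

    An Allow statement is used rather than Deny + NotIpAddress so that credentials
    used from elsewhere (your workstation, CI) fall back to the bucket's normal
    private default instead of being explicitly locked out.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowFromNatGatewayOnly",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"IpAddress": {"aws:SourceIp": allowed_cidrs}},
            }
        ],
    }


def source_ip_allowed(policy: dict, client_ip: str) -> bool:
    """Evaluate the IpAddress/aws:SourceIp condition of each Allow statement.

    Access is granted when the client address falls inside any listed CIDR;
    an address outside every CIDR (for example a node's own, changing IP)
    matches nothing and is not granted.
    """
    addr = ipaddress.ip_address(client_ip)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        if any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return True
    return False


if __name__ == "__main__":
    policy = build_policy(BUCKET, [NAT_GATEWAY_IP])
    # Save this as policy.json and apply it with: s3cmd setpolicy policy.json s3://my-bucket
    print(json.dumps(policy, indent=2))
    print(source_ip_allowed(policy, "203.0.113.10"))   # traffic leaving via the NAT gateway
    print(source_ip_allowed(policy, "198.51.100.7"))   # a node's own address after a scale event
```

Before relying on this in production, confirm with a request from a pod (routed through the WireGuard instance) and one from an unrelated address that the condition behaves as the evaluator predicts; if the NAT instance is ever rebuilt with a new IP, the policy must be updated in step, which is the same coupling the question set out to avoid and is why the reply points to the upcoming native NAT gateway.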
