Configuring MCP servers access to EKS with just-in-time access

Why static credentials are a liability for EKS access

Do you find yourself granting MCP servers permanent IAM roles that can reach any pod in an EKS cluster? Most teams solve the problem by creating a long‑lived service account, attaching a broad IAM policy, and letting the server use those credentials for the lifetime of the cluster. The convenience is immediate, but the trade‑off is severe: any compromise of the server gives an attacker unrestricted lateral movement, and there is no built‑in record of which command touched which resource. The root cause is the lack of just-in-time access, which forces every request to run with the same elevated privileges.

Just-in-time access: the missing piece

What you really need is a way to issue permissions only at the moment they are required, and to retire them as soon as the operation finishes. This approach limits blast radius, forces a conscious decision before each privileged action, and creates a natural audit point. However, simply deciding to use just-in-time access does not solve the core engineering gap: the request still travels directly to the Kubernetes API server, bypassing any enforcement layer, and no session is recorded or masked.

hoop.dev as the identity‑aware gateway

hoop.dev sits on the network edge and becomes the only path through which MCP servers reach the EKS control plane. Because hoop.dev is the data path, it can enforce just-in-time access, require an approval workflow, and record every kubectl or exec command. hoop.dev masks sensitive fields in API responses, blocks dangerous operations before they reach the cluster, and stores a replayable session log for later review. In this model, the enforcement outcomes exist solely because hoop.dev occupies the gateway position.

How the architecture works for MCP servers

When an MCP server initiates a connection, it authenticates to hoop.dev using an OIDC token. hoop.dev validates the token, extracts group membership, and determines whether the request matches a just-in-time access policy. If approval is required, the request is queued until a human reviewer grants it. Once approved, hoop.dev’s agent assumes a dedicated IAM role that has been pre‑configured for EKS authentication. That role is mapped to a Kubernetes RBAC binding, so the server’s session inherits the exact permissions needed for the operation. Throughout the session, hoop.dev records each command, applies inline masking to any response that contains secrets, and can terminate the connection if a policy violation is detected.

The approval workflow can be configured to require multi‑person sign‑off for high‑risk namespaces, while low‑risk operations may be auto‑approved after a short delay. Because hoop.dev sits in the data path, every command, whether a simple pod list or a privileged exec, passes through the same guardrails. The gateway also enriches each audit entry with the identity that performed the action, the time, and the exact API call, giving operators a complete forensic picture.

Continue reading? Get the full guide.

Just-in-Time Access + Mean Time to Detect (MTTD): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Getting started

To try this flow, start with the official getting‑started guide, which walks you through deploying the gateway, registering an EKS connection, and defining just-in-time access policies. The documentation also explains how to configure the IAM role that the hoop.dev agent will assume and how to map that role to a Kubernetes ClusterRoleBinding. All of the detailed steps are available in the getting‑started docs and the broader feature overview at hoop.dev learn. For a complete view of the source code and contribution guidelines, visit the project’s GitHub repository.

FAQ

Can I reuse existing IAM roles for the gateway?

Yes, but the role must be dedicated to the hoop.dev agent and mapped to a specific Kubernetes RBAC binding. Sharing the role with other workloads would re‑introduce the broad‑access problem that just-in-time access is meant to eliminate.

Does routing traffic through hoop.dev add noticeable latency?

Because hoop.dev operates at Layer 7 and only inspects protocol‑level messages, the added latency is typically measured in low‑single‑digit milliseconds, which is negligible for most development and operational workflows.

Where are session logs stored and how are they protected?

Session logs are written to the backend storage configured for hoop.dev. The gateway ensures that only authorized personnel can retrieve the logs, and each log entry is tied to the identity that performed the action, providing a reliable audit trail.

What happens if an approval request is denied?

If a reviewer denies a just-in-time access request, hoop.dev immediately aborts the connection and records the denial event. The operator receives a notification so that the situation can be investigated without any privileged command ever reaching the cluster.

Visit the GitHub repository to explore the code, contribute improvements, and see the full list of supported connectors.