How to Configure EKS TeamCity for Secure, Repeatable Access

Your CI job just failed again because someone forgot to rotate an AWS key. Meanwhile, your Kubernetes clusters keep changing IPs faster than your Terraform can keep up. That’s usually the moment an engineer starts muttering about “just wiring TeamCity directly to EKS.” Thankfully, that pairing—EKS TeamCity—is exactly what you need for controlled builds and dependable deployments.

Amazon EKS handles the orchestration side. It runs container workloads and abstracts most cluster management. TeamCity executes your build pipelines with all the knobs modern CI demands. Together, they let you automate everything from Docker image builds to rolling updates across multiple namespaces. The magic happens when TeamCity talks securely to your EKS API using the same identity your developers trust.

The simplest integration flow looks like this: TeamCity authenticates with AWS using a dedicated IAM role mapped through OIDC. That identity grants scoped permission to interact with your EKS cluster. Once authorized, the agent can run kubectl commands, deploy Helm charts, or kick off canary rollouts without static secrets. Instead of storing keys in TeamCity, you rely on IAM federation and Kubernetes RBAC to control access in real time.

Be strict about those RBAC mappings. Give each TeamCity project its own service account tied to a precise role. Avoid broad system:masters bindings just to make a job “finally work.” Rotate access tokens automatically or use short-lived credentials issued by AWS STS. If a pipeline fails mid-deploy, clean up jobs immediately so stale tokens cannot be reused. Engineers often skip these steps only once.

Quick answer:
To connect TeamCity with AWS EKS, configure an OIDC identity provider in IAM, assign a role with minimal EKS permissions, then reference that role in TeamCity’s build agent configuration. This removes static key storage and gives you auditable, short-lived access for every pipeline run.
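A pre-merge check for the two controls described above, as an added example that is not code from the original post or from TeamCity. It flags an OIDC trust policy that does not pin the token subject and any CI role mapped to system:masters. The issuer host, account ID, role names and the use of the aws-auth ConfigMap for role mapping are assumptions, and the sample inputs are constructed.

```python
ISSUER = "oidc.example.com"  # placeholder OIDC issuer host (assumption)

# Constructed sample: trust policy of the IAM role the CI server assumes.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}},
    }],
}

# Constructed sample: mapRoles entries from the cluster's aws-auth ConfigMap.
MAP_ROLES = [
    {"rolearn": "arn:aws:iam::111122223333:role/ci-payments-deploy",
     "username": "ci-payments", "groups": ["payments-deployers"]},
    {"rolearn": "arn:aws:iam::111122223333:role/ci-legacy",
     "username": "ci-legacy", "groups": ["system:masters"]},
]

def audit_trust_policy(policy, issuer):
    """Flag web-identity statements that do not pin the token subject."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        pinned = False
        for op in ("StringEquals", "StringLike"):
            for key, val in stmt.get("Condition", {}).get(op, {}).items():
                # A bare "*" subject pattern pins nothing.
                if key.lower() == f"{issuer}:sub" and val != "*":
                    pinned = True
        if not pinned:
            findings.append(f"statement {i}: no '{issuer}:sub' condition, "
                            "any token from this issuer can assume the role")
    return findings

def audit_map_roles(entries):
    """Flag role mappings that place a CI identity in system:masters."""
    return [f"{e['rolearn']}: mapped to system:masters"
            for e in entries if "system:masters" in e.get("groups", [])]

if __name__ == "__main__":
    for finding in audit_trust_policy(TRUST_POLICY, ISSUER) + audit_map_roles(MAP_ROLES):
        print("FINDING:", finding)
```

Run against the constructed samples, it reports the unpinned trust statement and the ci-legacy mapping.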

Core benefits:

  • Consistent deployments from a single source of truth.
  • Stronger security through ephemeral credentials.
  • No manual AWS key rotation ever.
  • Full traceability inside CloudTrail and TeamCity logs.
  • Faster rollouts and more predictable cluster state.

Platforms like hoop.dev turn these identity rules into policy guardrails. Instead of writing brittle scripts to manage who can hit what endpoint, hoop.dev enforces identity-aware access across clusters and CI tools automatically. It keeps your pipelines fast yet compliant, aligning with SOC 2 and least-privilege models by default.

For developers, that means fewer browser hops to assume roles and fewer Slack messages asking for temporary credentials. Build agents spin up, deploy, and shut down cleanly. Debug sessions use the same unified identity, which cuts down on finger-pointing when something goes sideways.

AI copilots and automation agents can also plug into this flow. When permissioning is identity-based, you can safely let AI handle certain repetitive change requests while keeping human oversight intact. Proper IAM design gives machine agents the same accountability trail as humans.

In short, EKS TeamCity isn’t just another integration checklist. It’s a pattern for secure velocity: verified identities, automated deploys, and no stray secrets left lying around.

See an Environment Agnostic Identity-Aware Proxy in action with hoop.dev. Deploy it, connect your identity provider, and watch it protect your endpoints everywhere—live in minutes.
