All posts
June 18, 20264 min read

Non-human identity for MCP servers on EKS

Many assume that a machine‑learning model serving platform can simply run on an EKS cluster using a shared service account, and that this is sufficient for security. In reality, that approach gives the server a human‑like identity that is hard to audit and often over‑privileged. The real problem is the lack of a true non-human identity that can be scoped, recorded and revoked without touching the underlying workload. Current practice: shared service accounts and static credentials Today most

Free White Paper

Non-Human Identity Management + Single Sign-On (SSO): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Many assume that a machine‑learning model serving platform can simply run on an EKS cluster using a shared service account, and that this is sufficient for security. In reality, that approach gives the server a human‑like identity that is hard to audit and often over‑privileged. The real problem is the lack of a true non-human identity that can be scoped, recorded and revoked without touching the underlying workload.

Current practice: shared service accounts and static credentials

Today most teams deploy MCP (model‑control‑plane) servers on EKS by creating a single Kubernetes ServiceAccount that holds long‑lived AWS credentials. The same ServiceAccount is used by every model instance, every experiment runner, and even occasional admin scripts. Because the credentials never change, anyone who can reach the pod can issue API calls to the Kubernetes control plane as if they were a human operator. There is no per‑request audit, no justification for each kubectl command, and no way to hide sensitive fields in API responses. The result is a broad attack surface and an audit trail that only shows the ServiceAccount name, not the actual actor.

Why non-human identity alone is not enough

Switching to a dedicated IAM role for the MCP server is a step forward. The role can be assumed only by the pod, and it can be limited to the exact EKS permissions the model needs. This satisfies the "non-human identity" requirement: the server now presents a machine identity that can be managed like any other service account. However, the request still travels directly from the pod to the Kubernetes API server. No gateway inspects the traffic, no command‑level approval is required, and no session is recorded. If a compromised container starts issuing destructive kubectl commands, the cluster sees a legitimate request from a valid role and cannot distinguish intent.

hoop.dev as the data‑path enforcement layer

hoop.dev solves the missing piece by sitting in the data path between the MCP server and the EKS API. The architecture has three clear layers.

Setup – defining who may act

The first layer is the identity setup. An IAM role is created for the hoop.dev agent itself (Role X). A second, dedicated IAM role (Role Y) is configured on the EKS connection. The agent assumes Role Y when it needs to talk to the cluster. Role Y is mapped to a Kubernetes ClusterRoleBinding that grants only the permissions required by the model server. This setup decides who the request is and whether it may start, but it does not enforce any runtime policy.

The data path – the only place enforcement can happen

hoop.dev runs a network‑resident agent inside the same VPC as the EKS control plane. All traffic from the MCP server to the Kubernetes API is forced through this agent. Because the gateway sits on the wire, it can inspect each protocol message before it reaches the API server. This placement makes the gateway the sole point where guardrails can be applied.

Enforcement outcomes – what hoop.dev provides

  • hoop.dev records every kubectl or exec session, providing a replayable log that auditors can review.
  • hoop.dev can mask sensitive fields in API responses, such as secret names or token values, before they reach the model server.
  • hoop.dev can require just‑in‑time approval for risky commands, routing them to a human reviewer before execution.
  • hoop.dev can block disallowed commands outright, preventing accidental or malicious changes to cluster state.

Each of these outcomes exists only because hoop.dev occupies the data path. Without the gateway, the IAM role alone would grant unrestricted access.

Putting it together: a step‑by‑step mental model

1. Define a dedicated IAM role for the MCP server (Role Y) with the minimal set of EKS permissions.

Continue reading? Get the full guide.

Non-Human Identity Management + Single Sign-On (SSO): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

2. Deploy the hoop.dev gateway in the same network as the EKS control plane. The gateway’s agent assumes Role Y when establishing the connection.

3. Map Role Y to a Kubernetes ClusterRoleBinding that ties the assumed identity to a non‑human ServiceAccount inside the cluster.

4. Configure the MCP server to point its Kubernetes client at the hoop.dev endpoint instead of the raw API server. From the server’s perspective nothing changes – it still uses the standard kubectl libraries – but every request now passes through the gateway.

5. Define policies in hoop.dev that specify which commands need approval, which fields must be masked, and which sessions should be recorded. These policies are evaluated in real time as the gateway sees each request.

With this mental flow, the MCP server enjoys a true non‑human identity, while hoop.dev provides the missing enforcement layer that turns a static role into a controlled, auditable access point.

Getting started

The official getting‑started guide walks you through deploying the gateway, creating the IAM roles and binding them to Kubernetes RBAC. The learn section contains deeper explanations of masking, approval workflows and session replay. Both resources assume you have an existing EKS cluster and an MCP workload ready to be protected.

FAQ

Do I need to modify my model server code?

No. The server continues to use the standard Kubernetes client libraries. The only change is the endpoint URL, which points at the hoop.dev gateway instead of the raw API server.

Can I use the same gateway for other workloads?

Yes. hoop.dev is a generic Layer 7 gateway that can front databases, SSH, HTTP services and more. The same pattern of IAM role → gateway → enforcement applies across all supported connectors.

What happens if the gateway is unavailable?

Because all traffic must pass through the gateway, a temporary outage will block access to the EKS API. This is a deliberate trade‑off: you gain strong enforcement at the cost of a single point of control. High‑availability deployment options are described in the docs.

Next steps

Explore the source code, contribute improvements, or raise an issue on the project repository. Visit the GitHub repository to get the latest version and start protecting your MCP servers with a true non‑human identity on EKS.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot