# T4K UI Native Authentication (GKE/EKS)

Trilio for Kubernetes (T4K) UI supports authentication through kubeconfig files which contain a token, certificate, auth-provider, etc. However, for some Kubernetes cluster distributions, the kubeconfig may contain a cloud-specific `exec` action or `auth-provider` configuration to fetch the authentication token with the help of a credentials file, which is not supported by default.

When using kubeconfig on the local system, the cloud-specific action/config in the `user` section of the kubeconfig will look for a credentials file at a specific location to generate an authentication token. Because the T4K backend is deployed in a Cluster Pod, this credentials file is not available in the Pod. T4K provides cloud distribution-specific support to handle and generate tokens from these credentials files.

## Google Kubernetes Engine (GKE)

#### Default kubeconfig

```yaml
apiVersion: v1
clusters:
  - cluster:
      certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVMRENDQXBTZ0F3SUJBZ0lRU3B5cVp4QzU4NFFEbVFYdz
      server: https://34.138.168.200
    name: gke_amazing-chalice-243510_us-east1-b_dev-cluster
contexts:
  - context:
      cluster: gke_amazing-chalice-243510_us-east1-b_dev-cluster
      user: gke_amazing-chalice-243510_us-east1-b_dev-cluster
    name: gke_amazing-chalice-243510_us-east1-b_dev-cluster
current-context: gke_amazing-chalice-243510_us-east1-b_dev-cluster
kind: Config
preferences: {}
users:
  - name: gke_amazing-chalice-243510_us-east1-b_dev-cluster
    user:
      auth-provider:
        config:
          cmd-args: config config-helper --format=json
          cmd-path: /home/trilio/google-cloud-sdk/bin/gcloud
          expiry-key: '{.credential.token_expiry}'
          token-key: '{.credential.access_token}'
        name: gcp
```

#### Credentials

<img src="/files/8S4nLWaA0TMuWIOnynNu" alt="" data-size="original">

#### Using credentials for login

For GKE clusters, the local binary `gcloud` reads a SQLite credentials file named `credentials.db` located at `$HOME/.config/gcloud` to generate an authentication token. All parameters required to generate the token exist in the same `credentials.db` file. When logging into the T4K UI deployed in a GKE cluster, a user is expected to provide the `credentials.db` file from `$HOME/.config/gcloud` to pass authentication.

## Amazon Elastic Kubernetes Service (EKS)

#### Default kubeconfig

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFR
    server: https://6C74ACD3CA40CFCB719CF3464423ADA9.gr7.us-east-1.eks.amazonaws.com
  name: vinod-eks.us-east-1.eksctl.io
contexts:
- context:
    cluster: vinod-eks.us-east-1.eksctl.io
    user: vinod.patil@trilio.io@vinod-eks.us-east-1.eksctl.io
  name: vinod.patil@trilio.io@vinod-eks.us-east-1.eksctl.io
current-context: vinod.patil@trilio.io@vinod-eks.us-east-1.eksctl.io
kind: Config
preferences: {}
users:
- name: vinod.patil@trilio.io@vinod-eks.us-east-1.eksctl.io
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - eks
      - get-token
      - --cluster-name
      - vinod-eks
      - --region
      - us-east-1
      command: aws
      env:
      - name: AWS_STS_REGIONAL_ENDPOINTS
        value: regional
```

#### Credentials

![](/files/ONUvvTD3bqj4CIsFcnAJ)

#### Using credentials for login

For EKS clusters, the local binary `aws` (aws-cli) reads a credentials file named `credentials` located at `$HOME/.aws` to generate an authentication token. One additional parameter — the EKS cluster name — is required to generate a token and will be requested once at login. When logging into the T4K UI deployed in an EKS cluster, a user is expected to provide the `credentials` file from `~/.aws` to pass authentication.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.trilio.io/kubernetes/appendix/platform-guides/ui-native-authentication.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.