EKS / Client / associate_encryption_config



Associates an encryption configuration to an existing cluster.

Use this API to enable encryption on existing clusters that don’t already have encryption enabled. This allows you to implement a defense-in-depth security strategy without migrating applications to new Amazon EKS clusters.

See also: AWS API Documentation

Request Syntax

response = client.associate_encryption_config(
            'resources': [
            'provider': {
                'keyArn': 'string'
  • clusterName (string) –


    The name of your cluster.

  • encryptionConfig (list) –


    The configuration you are using for encryption.

    • (dict) –

      The encryption configuration for the cluster.

      • resources (list) –

        Specifies the resources to be encrypted. The only supported value is secrets.

        • (string) –

      • provider (dict) –

        Key Management Service (KMS) key. Either the ARN or the alias can be used.

        • keyArn (string) –

          Amazon Resource Name (ARN) or alias of the KMS key. The KMS key must be symmetric and created in the same Amazon Web Services Region as the cluster. If the KMS key was created in a different account, the IAM principal must have access to the KMS key. For more information, see Allowing users in other accounts to use a KMS key in the Key Management Service Developer Guide.

  • clientRequestToken (string) –

    A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

    This field is autopopulated if not provided.

Return type:



Response Syntax

    'update': {
        'id': 'string',
        'status': 'InProgress'|'Failed'|'Cancelled'|'Successful',
        'type': 'VersionUpdate'|'EndpointAccessUpdate'|'LoggingUpdate'|'ConfigUpdate'|'AssociateIdentityProviderConfig'|'DisassociateIdentityProviderConfig'|'AssociateEncryptionConfig'|'AddonUpdate'|'VpcConfigUpdate'|'AccessConfigUpdate',
        'params': [
                'type': 'Version'|'PlatformVersion'|'EndpointPrivateAccess'|'EndpointPublicAccess'|'ClusterLogging'|'DesiredSize'|'LabelsToAdd'|'LabelsToRemove'|'TaintsToAdd'|'TaintsToRemove'|'MaxSize'|'MinSize'|'ReleaseVersion'|'PublicAccessCidrs'|'LaunchTemplateName'|'LaunchTemplateVersion'|'IdentityProviderConfig'|'EncryptionConfig'|'AddonVersion'|'ServiceAccountRoleArn'|'ResolveConflicts'|'MaxUnavailable'|'MaxUnavailablePercentage'|'ConfigurationValues'|'SecurityGroups'|'Subnets'|'AuthenticationMode'|'PodIdentityAssociations',
                'value': 'string'
        'createdAt': datetime(2015, 1, 1),
        'errors': [
                'errorCode': 'SubnetNotFound'|'SecurityGroupNotFound'|'EniLimitReached'|'IpNotAvailable'|'AccessDenied'|'OperationNotPermitted'|'VpcIdNotFound'|'Unknown'|'NodeCreationFailure'|'PodEvictionFailure'|'InsufficientFreeAddresses'|'ClusterUnreachable'|'InsufficientNumberOfReplicas'|'ConfigurationConflict'|'AdmissionRequestDenied'|'UnsupportedAddonModification'|'K8sResourceNotFound',
                'errorMessage': 'string',
                'resourceIds': [

Response Structure

  • (dict) –

    • update (dict) –

      An object representing an asynchronous update.

      • id (string) –

        A UUID that is used to track the update.

      • status (string) –

        The current status of the update.

      • type (string) –

        The type of the update.

      • params (list) –

        A key-value map that contains the parameters associated with the update.

        • (dict) –

          An object representing the details of an update request.

          • type (string) –

            The keys associated with an update request.

          • value (string) –

            The value of the keys submitted as part of an update request.

      • createdAt (datetime) –

        The Unix epoch timestamp at object creation.

      • errors (list) –

        Any errors associated with a Failed update.

        • (dict) –

          An object representing an error when an asynchronous operation fails.

          • errorCode (string) –

            A brief description of the error.

            • SubnetNotFound: We couldn’t find one of the subnets associated with the cluster.

            • SecurityGroupNotFound: We couldn’t find one of the security groups associated with the cluster.

            • EniLimitReached: You have reached the elastic network interface limit for your account.

            • IpNotAvailable: A subnet associated with the cluster doesn’t have any available IP addresses.

            • AccessDenied: You don’t have permissions to perform the specified operation.

            • OperationNotPermitted: The service role associated with the cluster doesn’t have the required access permissions for Amazon EKS.

            • VpcIdNotFound: We couldn’t find the VPC associated with the cluster.

          • errorMessage (string) –

            A more complete description of the error.

          • resourceIds (list) –

            An optional field that contains the resource IDs associated with the error.

            • (string) –


  • EKS.Client.exceptions.InvalidParameterException

  • EKS.Client.exceptions.ClientException

  • EKS.Client.exceptions.ServerException

  • EKS.Client.exceptions.ResourceInUseException

  • EKS.Client.exceptions.ResourceNotFoundException

  • EKS.Client.exceptions.InvalidRequestException