How to connect Kubectl to BTP Kyma environment using AWS EC2

Overview

This guide walks through the steps required to connect kubectl to a BTP Kyma environment using an AWS EC2 instance as the intermediary host.

Prerequisites

  • EC2 instance running Amazon Linux.
  • .pem key file for the EC2 instance (e.g., <KEY_PAIR_NAME>.pem).
  • SAP BTP credentials with access to the Kyma environment.
  • OpenSSH on Windows (included by default in Windows 10/11).
  • Access to the oneconnectkyma.zip deployment file.

Placeholder values are shown in angle brackets < >. Replace them with your actual values before executing any command.

Placeholder            Description
<KEY_PAIR_NAME>.pem    Name of the EC2 .pem key file
<EC2_USER>             SSH user for the EC2 (e.g., ec2-user, ubuntu)
<EC2_PUBLIC_IP>        Public IP address of the EC2 instance

Step 1 — Connect to the EC2 via SSH

Open PowerShell on Windows and set the correct permissions on the .pem file so that SSH accepts it:

icacls ".\<KEY_PAIR_NAME>.pem" /inheritance:r
icacls ".\<KEY_PAIR_NAME>.pem" /grant:r "$($env:USERNAME):(R)"

Connect to the EC2 instance including the port tunnels required for Kyma OIDC authentication:

ssh -i ".\<KEY_PAIR_NAME>.pem" -L 8000:localhost:8000 -L 18000:localhost:18000 <EC2_USER>@<EC2_PUBLIC_IP>

Note
The -L 8000:localhost:8000 and -L 18000:localhost:18000 parameters create an SSH tunnel that allows Kyma's OIDC authentication (which opens a browser on port 8000) to work from the local machine.

Step 2 — Install kubectl

Run the following commands inside the EC2 instance:

curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x kubectl
sudo mv kubectl /usr/local/bin/
kubectl version --client

Note
The last command should display the installed kubectl version.
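
The commands above install whatever binary the download returns. As an added example (not part of the original guide), the script below resolves the release once and checks the binary against the kubectl.sha256 file that dl.k8s.io publishes beside it before installing; the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded kubectl against its published SHA-256
# before it is placed in /usr/local/bin. Function names are illustrative.

# Return 0 only if FILE hashes to the 64-hex-digit digest stored in SUMFILE.
# Return 1 on a mismatch, 2 if an input is missing or the digest is malformed.
verify_sha256() {
  local file sumfile expected actual
  file=$1
  sumfile=$2
  [ -f "$file" ] && [ -f "$sumfile" ] || { echo "missing $file or $sumfile" >&2; return 2; }
  # The .sha256 file holds the bare digest; tolerate "digest  filename" too.
  expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
  case $expected in
    *[!0-9a-f]*|'') echo "malformed digest in $sumfile" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "malformed digest in $sumfile" >&2; return 2; }
  actual=$(sha256sum "$file" | awk '{print $1}')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file" >&2
    return 1
  fi
}

# Download one release plus its digest, verify, then install.
# Resolving stable.txt once keeps the binary and the digest on the same version.
install_kubectl_verified() {
  local version workdir rc
  version=${1:-$(curl -fsSL https://dl.k8s.io/release/stable.txt)}
  [ -n "$version" ] || return 1
  workdir=$(mktemp -d) || return 1
  (
    cd "$workdir" &&
    curl -fsSLO "https://dl.k8s.io/release/${version}/bin/linux/amd64/kubectl" &&
    curl -fsSLO "https://dl.k8s.io/release/${version}/bin/linux/amd64/kubectl.sha256" &&
    verify_sha256 kubectl kubectl.sha256 &&
    sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
  )
  rc=$?
  rm -rf "$workdir"
  return "$rc"
}
```

Run install_kubectl_verified with no argument to take the current stable release, or pass a version tag to pin one.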

Step 3 — Install Helm v3

Run the following commands inside the EC2 instance:

curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
helm version

Step 4 — Install kubelogin (OIDC plugin for kubectl)

Kyma uses OIDC authentication, so the kubelogin plugin is required for kubectl to authenticate:

curl -LO https://github.com/int128/kubelogin/releases/latest/download/kubelogin_linux_amd64.zip
unzip kubelogin_linux_amd64.zip
sudo mv kubelogin /usr/local/bin/kubectl-oidc_login
kubectl oidc-login --version

Step 5 — Download the project file

Download the project ZIP file and extract it:

curl -O https://oneconnectdeploymentaks.s3.us-east-2.amazonaws.com/oneconnectkyma/oneconnectkyma.zip
unzip oneconnectkyma.zip

Note
If unzip is not installed, run: sudo yum install unzip -y

Step 6 — Download the Kyma kubeconfig

Download the kubeconfig file from the Kyma Environment Broker and set it as an environment variable:

  • Log in to BTP Cockpit → navigate to your Subaccount → Kyma Environment.
  • Click on "KubeconfigURL".
  • The system will open a new browser tab and prompt you to download the kubeconfig.yaml file. Wait for the file to download to your local drive.

Placeholder values are shown in angle brackets < >. Replace them with your actual values before executing any command.

Placeholder                  Description
<ENVIRONMENT_INSTANCE_ID>    Kyma instance ID (from SAP BTP Cockpit)

curl -L "https://kyma-env-broker.cp.kyma.cloud.sap/kubeconfig/<ENVIRONMENT_INSTANCE_ID>" -o ~/kubeconfig.yaml
export KUBECONFIG=~/kubeconfig.yaml

Note
The <ENVIRONMENT_INSTANCE_ID> can be found in the SAP BTP Cockpit under the Kyma Environment section of your subaccount.
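
A kubeconfig that uses OIDC tells kubectl which program to run to obtain a token, so it is worth inspecting the downloaded file before exporting KUBECONFIG. The script below is an added example, not part of the original guide: it restricts the file to its owner and rejects any exec command other than the plugin installed in Step 4, any non-HTTPS API server, and disabled TLS verification. The function names, the line-based matching and the sample file are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: inspect a downloaded kubeconfig before exporting KUBECONFIG.
# kubectl executes the program named in users[].user.exec.command, so the
# file is treated as untrusted input until these checks pass.

# Print the value of every "KEY: value" line in FILE, quotes stripped.
yaml_values() {
  sed -n "s/^[[:space:]-]*$1:[[:space:]]*//p" "$2" | tr -d "\"'"
}

# Return 0 if FILE passes every check, 1 otherwise (reasons go to stderr).
check_kubeconfig() {
  local file bad
  file=$1
  bad=0
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  chmod 600 "$file"   # owner-only: the file describes how to reach the cluster
  # Assumption: the only credential helper expected is the Step 4 plugin.
  if yaml_values command "$file" | grep -vxE 'kubectl-oidc_login|kubectl' >&2; then
    echo "unexpected exec command (printed above)" >&2; bad=1
  fi
  if yaml_values server "$file" | grep -v '^https://' >&2; then
    echo "API server URL is not HTTPS (printed above)" >&2; bad=1
  fi
  if yaml_values insecure-skip-tls-verify "$file" | grep -qx true; then
    echo "TLS verification is disabled" >&2; bad=1
  fi
  return "$bad"
}

# Constructed sample in the general shape of an OIDC kubeconfig (not real data).
write_sample_kubeconfig() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: sample
  cluster:
    server: https://api.example.invalid
users:
- name: sample
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl-oidc_login
      args: [get-token, --oidc-issuer-url=https://issuer.example.invalid]
EOF
}
```

On the EC2 instance, run check_kubeconfig ~/kubeconfig.yaml and export KUBECONFIG only if it returns 0.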

Step 7 — Verify the connection to the Kyma cluster

Run the following command to verify the connection:

kubectl get namespaces

When running this command, a message will appear in the console asking you to open http://localhost:8000 for authentication.

Open that URL in your local machine browser (Windows), sign in with your SAP BTP credentials, and return to the terminal.

The command should list the Kyma cluster namespaces, confirming a successful connection.
