diff --git a/aws/documentation/containers/eks/README.md b/aws/documentation/containers/eks/README.md index bca7e653..c529dabc 100644 --- a/aws/documentation/containers/eks/README.md +++ b/aws/documentation/containers/eks/README.md @@ -6,3 +6,7 @@ * [Upgrade 1.22 to 1.23](upgrade-1.22-1.23.md) * [Troubleshooting upgrades](upgrade-troubleshooting.md) +# Using Clusters + +See the [SSO Access](sso-access.md) details on how to setup the CLI for access to EKS. + diff --git a/aws/documentation/containers/eks/sso-access.md b/aws/documentation/containers/eks/sso-access.md new file mode 100644 index 00000000..708a48ad --- /dev/null +++ b/aws/documentation/containers/eks/sso-access.md 
@@ -0,0 +1,67 @@ +# Use of SSO With EKS Clusters + +We have modified the approach for handling EKS clusters to work with SSO. We have a new system common permissionset +called `sc-eks`. This permissionset allows an assume-role call to `r-inf-terraform-eks`. This new role has all of the +appropriate permissions in order to build and maintain a cluster, including communications with the cluster API. + +## CLI + +To use it, you'll need two configuration profiles. Follow the [guide](https://github.e.it.census.gov/terraform/support/tree/master/docs/how-to/aws-sso) +for setting up SSO, which should get you this particular profile (example uses do2-govcloud). This assumes you +are on `iebcloud.csvd.census.gov` and have setup the profile with the `refresh-profiles.sh` script. + +```script +[profile 107742151971-do2-govcloud.sc-eks] +sso_start_url = https://start.us-gov-home.awsapps.com/directory/d-c2673e7ee9 +sso_region = us-gov-east-1 +sso_account_name = Census ESF +sso_account_id = 107742151971 +sso_role_name = sc-eks +region = us-gov-east-1 +credential_process = aws-sso-util credential-process --profile 107742151971-do2-govcloud.sc-eks +sso_auto_populated = true +``` + +Then, you can use one like this to get access to the cluster. Enter your own Census username in +`JBID`. + +``` +[profile 107742151971-do2-govcloud.eks] +source_profile = 107742151971-do2-govcloud.sc-eks +region = us-gov-east-1 +role_arn = arn:aws-us-gov:iam::107742151971:role/r-inf-terraform-eks +role_session_name = JBID +``` + +You may access the cluster with this profile, using that profile to setup the kubectl config file. + +Or, if you make that profile match the Terraform standard + +``` +[profile 107742151971-do2-govcloud] +source_profile = 107742151971-do2-govcloud.sc-eks +region = us-gov-east-1 +role_arn = arn:aws-us-gov:iam::107742151971:role/r-inf-terraform-eks +role_session_name = JBID +``` + +You can access the cluster and its components in the EKS Terraform directories. 
+ +If you want to use the cluster admin with this method, add another profile per cluster (for example): + +[profile eks-adsd-cumulus-dev] +source_profile = 107742151971-do2-govcloud.sc-eks +region = us-gov-east-1 +role_arn = arn:aws-us-gov:iam::107742151971:role/r-eks-adsd-cumulus-dev-cluster-admin +role_session_name = JBID +``` + +## Console + +The `sc-eks` permissionset does not have EKS console access. To see the cluster from the console, you'll +need to switch roles to the `r-inf-terraform-eks` role in the account you are using. + +# CHANGELOG + +* 1.0.0 -- 2026-02-27 + - added access with SSO details
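Review bot: In the README.md hunk, the new sentence under `# Using Clusters` uses "setup" as a verb ("how to setup the CLI"); it should read "how to set up the CLI". The link text "SSO Access" also differs from the title of the page it points to ("Use of SSO With EKS Clusters"), so pick one name and use it in both places. The hunk ends by adding a blank line at the end of the file, which can be dropped.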
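Review bot: In sso-access.md, the `[profile eks-adsd-cumulus-dev]` example has a closing code fence but no opening one, so the profile renders as running text and the stray fence then swallows `## Console` and `# CHANGELOG` as code; add the opening fence on the line before `[profile eks-adsd-cumulus-dev]`. The first block is tagged `script` while the others are untagged; use one tag for all of them (for example `ini`). `role_session_name = JBID` appears literally in three of the examples, but the instruction to replace it is given only once, before the second block. Since the session name is what identifies the caller on the assumed role, make the placeholder unmistakable (for example `<your-JBID>`) and repeat the instruction at the cluster-admin example. "Using that profile to setup the kubectl config file" names no command; spell it out, for example `aws eks update-kubeconfig --name <cluster-name> --profile 107742151971-do2-govcloud.eks`. The line "Or, if you make that profile match the Terraform standard" needs a trailing colon. Finally, the Console section sends readers to `r-inf-terraform-eks`, which the introduction describes as able to build and maintain a cluster; state whether a narrower role is available for viewing only.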