When you’r using the s3 plugin to store the Kops state inside a bucket, Kops stores the CA key and certificate in its S3 bucket.
aws s3 cp s3://$BUCKET/$CLUSTER/pki/private/ca/$KEY.key ca.key
aws s3 cp s3://$BUCKET/$CLUSTER/pki/issued/ca/$CERT.crt ca.crt
We will use this certificate to create some RBAC access.