diff --git a/README.md b/README.md
index 3c456b9..91e334a 100644
--- a/README.md
+++ b/README.md
@@ -221,6 +221,7 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir
| [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no |
| [cluster\_version](#input\_cluster\_version) | The version of Kubernetes to be installed. | `string` | `"1.20"` | no |
| [create\_cluster\_security\_group](#input\_create\_cluster\_security\_group) | Whether to create a new security group for the EKS cluster. If set to false, you must provide an existing security group via the cluster\_security\_group\_id variable. | `bool` | `true` | no |
+| [authentication\_mode](#input\_authentication\_mode) | The authentication mode for the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP` | `string` | `API_AND_CONFIG_MAP` | no |
| [create\_iam\_policies](#input\_create\_iam\_policies) | deprecated | `bool` | `false` | no |
| [create\_node\_security\_group](#input\_create\_node\_security\_group) | Whether to create a new security group for the EKS nodes. If set to false, you must provide an existing security group via the node\_security\_group\_id variable. | `bool` | `true` | no |
| [disable\_public\_eks\_endpoint](#input\_disable\_public\_eks\_endpoint) | Whether to disable public access to the EKS control plane endpoint. If set to "true", additional configuration is required in order for the cluster to function properly, such as AWS PrivateLink for EC2, ECR, and S3, along with a VPN to access the EKS control plane. It is recommended to keep this setting to "false" unless you are familiar with this type of configuration. | `bool` | `false` | no |
diff --git a/main.tf b/main.tf
index 2322002..4b106f8 100644
--- a/main.tf
+++ b/main.tf
@@ -254,6 +254,7 @@ module "eks" {
cluster_security_group_name = try(var.cluster_networking.cluster_security_group_name, null)
cluster_security_group_additional_rules = try(var.cluster_networking.cluster_security_group_additional_rules, var.cluster_security_group_additional_rules, {})
create_cluster_primary_security_group_tags = false # Cleaner if we handle the tag in aws_ec2_tag.cluster_security_group
+ authentication_mode = var.authentication_mode
eks_managed_node_groups = local.eks_managed_node_groups
eks_managed_node_group_defaults = local.node_group_defaults
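Review bot: The new `authentication_mode = var.authentication_mode` argument lets a caller select `API`, but nothing visible in this hunk ties that choice to the aws-auth inputs this module exposes (`manage_aws_auth_configmap`, `map_additional_iam_roles`). In `API` mode EKS no longer consults the aws-auth ConfigMap, so role bindings supplied that way would stop granting access without any plan-time error. Whether access entries are wired up elsewhere in the `module "eks"` block cannot be seen here, since the block starts and ends outside the hunk. At minimum, add a comment on the line such as `# "API" ignores the aws-auth ConfigMap; IAM role access must then come from EKS access entries`, and consider failing the plan when `API` is combined with `manage_aws_auth_configmap = true`.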
diff --git a/variables.tf b/variables.tf
index bd1eb3c..7be87b5 100644
--- a/variables.tf
+++ b/variables.tf
@@ -218,6 +218,12 @@ variable "manage_aws_auth_configmap" {
type = bool
}
+variable "authentication_mode" {
+ default = "API_AND_CONFIG_MAP"
+ description = "The authentication mode for the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`"
+ type = string
+}
+
variable "map_additional_iam_roles" {
default = []
description = "A list of IAM role bindings to add to the aws-auth ConfigMap."
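Review bot: The `authentication_mode` variable lists its valid values only in the description, so a typo or wrong-case value is not rejected until the provider or the EKS API refuses it. A `validation` block would fail at plan time with a clear message. The description should also state that EKS only allows this setting to move forward (`CONFIG_MAP` to `API_AND_CONFIG_MAP` to `API`) and never back. With the default of `API_AND_CONFIG_MAP`, an existing cluster that was implicitly on `CONFIG_MAP` would presumably be migrated on the next apply, which is worth calling out in the upgrade notes.

```hcl
variable "authentication_mode" {
  # … unchanged: default, description, type …

  validation {
    condition     = contains(["CONFIG_MAP", "API", "API_AND_CONFIG_MAP"], var.authentication_mode)
    error_message = "authentication_mode must be one of CONFIG_MAP, API or API_AND_CONFIG_MAP."
  }
}
```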