diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml
index 231dc529c5247..5b95e6ffa0aa9 100644
--- a/k8s/crds/kops.k8s.io_clusters.yaml
+++ b/k8s/crds/kops.k8s.io_clusters.yaml
@@ -135,6 +135,10 @@ spec:
                 properties:
                   aws:
                     properties:
+                      backendMode:
+                        description: BackendMode is the AWS IAM Authenticator backend
+                          to use. Default MountedFile
+                        type: string
                       cpuLimit:
                         anyOf:
                         - type: integer
diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
index cf428fd069bad..aa2179bd3021d 100644
--- a/pkg/apis/kops/cluster.go
+++ b/pkg/apis/kops/cluster.go
@@ -302,6 +302,8 @@ type KopeioAuthenticationSpec struct {
 type AwsAuthenticationSpec struct {
 	// Image is the AWS IAM Authenticator docker image to use
 	Image string `json:"image,omitempty"`
+	// BackendMode is the AWS IAM Authenticator backend to use. Default MountedFile
+	BackendMode string `json:"backendMode,omitempty"`
 	// MemoryRequest memory request of AWS IAM Authenticator container. Default 20Mi
 	MemoryRequest *resource.Quantity `json:"memoryRequest,omitempty"`
 	// CPURequest CPU request of AWS IAM Authenticator container. Default 10m
diff --git a/pkg/apis/kops/v1alpha2/cluster.go b/pkg/apis/kops/v1alpha2/cluster.go
index c408a0100d21d..a5f266350aca5 100644
--- a/pkg/apis/kops/v1alpha2/cluster.go
+++ b/pkg/apis/kops/v1alpha2/cluster.go
@@ -300,6 +300,8 @@ type KopeioAuthenticationSpec struct {
 type AwsAuthenticationSpec struct {
 	// Image is the AWS IAM Authenticator docker image to uses
 	Image string `json:"image,omitempty"`
+	// BackendMode is the AWS IAM Authenticator backend to use. Default MountedFile
+	BackendMode string `json:"backendMode,omitempty"`
 	// MemoryRequest memory request of AWS IAM Authenticator container. Default 20Mi
 	MemoryRequest *resource.Quantity `json:"memoryRequest,omitempty"`
 	// CPURequest CPU request of AWS IAM Authenticator container. Default 10m
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index 0251cbeacd4aa..709516ce262f5 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -1184,6 +1184,7 @@ func Convert_kops_AuthorizationSpec_To_v1alpha2_AuthorizationSpec(in *kops.Autho
 
 func autoConvert_v1alpha2_AwsAuthenticationSpec_To_kops_AwsAuthenticationSpec(in *AwsAuthenticationSpec, out *kops.AwsAuthenticationSpec, s conversion.Scope) error {
 	out.Image = in.Image
+	out.BackendMode = in.BackendMode
 	out.MemoryRequest = in.MemoryRequest
 	out.CPURequest = in.CPURequest
 	out.MemoryLimit = in.MemoryLimit
@@ -1198,6 +1199,7 @@ func Convert_v1alpha2_AwsAuthenticationSpec_To_kops_AwsAuthenticationSpec(in *Aw
 
 func autoConvert_kops_AwsAuthenticationSpec_To_v1alpha2_AwsAuthenticationSpec(in *kops.AwsAuthenticationSpec, out *AwsAuthenticationSpec, s conversion.Scope) error {
 	out.Image = in.Image
+	out.BackendMode = in.BackendMode
 	out.MemoryRequest = in.MemoryRequest
 	out.CPURequest = in.CPURequest
 	out.MemoryLimit = in.MemoryLimit
diff --git a/upup/models/bindata.go b/upup/models/bindata.go
index 0d1c86dcb51e0..7244fa4a31f75 100644
--- a/upup/models/bindata.go
+++ b/upup/models/bindata.go
@@ -229,6 +229,7 @@ spec:
         - --config=/etc/aws-iam-authenticator/config.yaml
         - --state-dir=/var/aws-iam-authenticator
         - --kubeconfig-pregenerated=true
+        - --backend-mode={{ or .Authentication.Aws.BackendMode "MountedFile" }}
 
         resources:
           requests:
@@ -319,6 +320,7 @@ spec:
         - --config=/etc/aws-iam-authenticator/config.yaml
         - --state-dir=/var/aws-iam-authenticator
         - --kubeconfig-pregenerated=true
+        - --backend-mode={{ or .Authentication.Aws.BackendMode "MountedFile" }}
 
         resources:
           requests:
diff --git a/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.10.yaml.template b/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.10.yaml.template
index d7e6990a5b200..773148ed5c942 100644
--- a/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.10.yaml.template
+++ b/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.10.yaml.template
@@ -40,6 +40,7 @@ spec:
         - --config=/etc/aws-iam-authenticator/config.yaml
         - --state-dir=/var/aws-iam-authenticator
         - --kubeconfig-pregenerated=true
+        - --backend-mode={{ or .Authentication.Aws.BackendMode "MountedFile" }}
 
         resources:
           requests:
diff --git a/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.12.yaml.template b/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.12.yaml.template
index 31c8f665081b5..d238667ebb153 100644
--- a/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.12.yaml.template
+++ b/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.12.yaml.template
@@ -44,6 +44,7 @@ spec:
         - --config=/etc/aws-iam-authenticator/config.yaml
         - --state-dir=/var/aws-iam-authenticator
         - --kubeconfig-pregenerated=true
+        - --backend-mode={{ or .Authentication.Aws.BackendMode "MountedFile" }}
 
         resources:
           requests: