IAM Roles
An IAM role is an IAM (AWS Identity and Access Management) entity that defines a set of permissions for making AWS service requests and manipulating various resources.
Roles are shareable. Instead of creating new roles, you might use existing roles your organization has previously created. IAM is not region dependent, roles can be reused in all regions your organization uses.
You will create two roles: one for EKS (Elastic Kubernetes Service) and one for worker nodes, and assign them specific policies to define permissions.
Roles, policy names, and corresponding policy ARNs are shown in the following table:
| Role | Policy Name | Policy ARN |
|---|---|---|
| EKS | AmazonEKSClusterPolicy | arn:aws:iam::aws:policy/AmazonEKSClusterPolicy |
| EKS |
AmazonEKSServicePolicy |
arn:aws:iam::aws:policy/AmazonEKSServicePolicy |
| Worker Nodes | AmazonEKSWorkerNodePolicy | arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy |
| Worker Nodes | AmazonEC2ContainerRegistryReadOnly | arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly |
| Worker Nodes |
AmazonEKS_CNI_Policy |
arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy |
EKS Policies
EKS requires the following policies to be granted:
- AmazonEKSClusterPolicyThis policy provides Kubernetes the permissions it requires to manage resources on your behalf. Kubernetes requires EC2: CreateTags permissions to place identifying information on EC2 resources including but not limited to Instances, Security Groups, and Elastic Network Interfaces.
ARN:arn:aws:iam::aws:policy/AmazonEKSClusterPolicy - AmazonEKSServicePolicyThis policy allows Amazon Elastic Container Service for Kubernetes to create and manage the necessary resources to operate EKS Clusters.
ARN:arn:aws:iam::aws:policy/AmazonEKSServicePolicy
Worker Node Policies
For worker nodes in EKS, the following policies must be granted:
- AmazonEKSWorkerNodePolicyThis policy allows Amazon EKS worker nodes to connect to Amazon EKS Clusters.
ARN:arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy - AmazonEC2ContainerRegistryReadOnlyProvides read-only access to Amazon EC2 Container Registry repositories.
ARN:arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly - AmazonEKS_CNI_PolicyThis policy provides the Amazon VPC CNI Plugin (amazon-vpc-cni-k8s) the permissions it requires to modify the IP address configuration on your EKS worker nodes. This permission set enables the CNI to list, describe, and modify Elastic Network Interfaces on your behalf. For more information about the AWS VPC CNI Plugin, see the link here:https://github.com/aws/amazon-vpc-cni-k8s.
ARN:arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
Next Step: Creating the EKS Role