Creating the Worker Node Role
To create the worker node role and assign policies to it:
- Run the following command:
# aws iam create-role \
--role-name <role name> \
--assume-role-policy-document <role policy document>
Where:
<role name>: A name chosen for ease of reference; in our examples, we will use srgdemo-workernodes-svc-role.
<role policy document>: The location of a JSON trust policy (the assume-role policy document). A trust policy only defines which principals are allowed to assume the role and thereby obtain temporary security credentials; it grants no permissions on resources by itself. Those permissions come from the managed policies attached in the later steps. The downloadable package arcsight-platform-cloud-installer-XX.X.X.XXX.zip contains a ready-to-use document named WorkerNodesRolePolicyDocument.json in the arcsight-platform-cloud-installer-23.1.0.x/aws-scripts/objectdefs folder (after unzipping it). As the example output below shows, this document allows only the EC2 service (ec2.amazonaws.com) to assume the role, because the worker nodes run as EC2 instances; any other principal is denied.
Example output:
{
    "Role": {
        "AssumeRolePolicyDocument": "<URL-encoded-JSON>",
        "RoleId": "AKIAIOSFODNN7EXAMPLE",
        "CreateDate": "2013-06-07T20:43:32.821Z",
        "RoleName": "Test-Role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/Test-Role"
    }
}
- Record the ARN (Amazon Resource Name) value in your AWS worksheet.
Example input and output:
# aws iam create-role \
--role-name srgdemo-workernodes-svc-role \
--assume-role-policy-document file://./jsons/WorkerNodesRolePolicyDocument.json
{
    "Role": {
        "Path": "/",
        "RoleName": "srgdemo-workernodes-svc-role",
        "RoleId": "AROARVXFDN4TICMZYPKJ2",
        "Arn": "arn:aws:iam::115370811111:role/srgdemo-workernodes-svc-role",
        "CreateDate": "2020-05-19T16:20:11Z",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        }
    }
}
- Attach a policy to the worker node role by running the following command:
# aws iam attach-role-policy \
--role-name <role name> \
--policy-arn <policy arn>
Where:
<role name>: The role name you chose when creating the role.
<policy arn>: The ARN of the AWS managed policy to attach. The worker nodes need the three policies listed in the example commands below, and no others.
- Repeat the attach-role-policy command for each of the three policies, changing only the policy ARN.
Example commands:
# aws iam attach-role-policy \
--role-name srgdemo-workernodes-svc-role \
--policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
# aws iam attach-role-policy \
--role-name srgdemo-workernodes-svc-role \
--policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
# aws iam attach-role-policy \
--role-name srgdemo-workernodes-svc-role \
--policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
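The whole procedure as one script, added here as an example and not part of the ArcSight installer package: it writes the trust policy shown in the example output, creates the role (reusing it if it already exists), attaches exactly the three managed policies, and then verifies two things that are easy to get wrong when copying commands between the cluster role and the worker node role: that ec2.amazonaws.com is the only principal trusted to assume the role, and that the attached policy set is exactly the expected three (no missing CNI policy, no stray AdministratorAccess). The role name is the page's example; the file name WorkerNodesRolePolicyDocument.json in the working directory and the ROLE_NAME/TRUST_DOC environment overrides are assumptions of this script.

```shell
#!/bin/sh
# Added example, not the installer's own aws-scripts. Creates and verifies the
# EKS worker node role. Assumptions: the trust policy is written to
# ./WorkerNodesRolePolicyDocument.json unless TRUST_DOC is set, and the role
# name is the page's example unless ROLE_NAME is set.
set -eu

ROLE_NAME="${ROLE_NAME:-srgdemo-workernodes-svc-role}"
TRUST_DOC="${TRUST_DOC:-./WorkerNodesRolePolicyDocument.json}"

# The three managed policies the procedure attaches, and nothing broader.
EXPECTED_POLICIES='arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'

# Trust policy: worker nodes are EC2 instances, so only the EC2 service may
# assume the role. This is the AssumeRolePolicyDocument the page's output shows.
write_trust_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Create the role, or reuse it if it already exists, and print its ARN
# (the value the worksheet asks you to record).
create_worker_role() {
  aws iam get-role --role-name "$1" --query Role.Arn --output text 2>/dev/null \
    || aws iam create-role --role-name "$1" \
         --assume-role-policy-document "file://$2" \
         --query Role.Arn --output text
}

# attach-role-policy is idempotent, so re-running the script is safe.
attach_worker_policies() {
  printf '%s\n' "$EXPECTED_POLICIES" | while read -r arn; do
    aws iam attach-role-policy --role-name "$1" --policy-arn "$arn"
  done
}

# Verify the role: (1) ec2.amazonaws.com is the only trusted principal
# (a statement with an "AWS" or "Federated" principal shows up as "None" in the
# text output and fails the comparison too); (2) the attached managed policies
# are exactly the expected set. Returns 0 when both hold, 1 otherwise.
verify_worker_role() {
  trusted=$(aws iam get-role --role-name "$1" \
      --query 'Role.AssumeRolePolicyDocument.Statement[].Principal.Service' \
      --output text | tr '\t' '\n' | sort -u)
  if [ "$trusted" != "ec2.amazonaws.com" ]; then
    echo "trust policy of $1 allows: $trusted (expected ec2.amazonaws.com only)" >&2
    return 1
  fi
  attached=$(aws iam list-attached-role-policies --role-name "$1" \
      --query 'AttachedPolicies[].PolicyArn' --output text | tr '\t' '\n' | sort)
  expected=$(printf '%s\n' "$EXPECTED_POLICIES" | sort)
  if [ "$attached" != "$expected" ]; then
    echo "attached policies of $1 differ from the expected three" >&2
    return 1
  fi
  return 0
}

# Only act when invoked as "apply"; otherwise just define the functions.
if [ "${1:-}" = "apply" ]; then
  write_trust_policy "$TRUST_DOC"
  create_worker_role "$ROLE_NAME" "$TRUST_DOC"
  attach_worker_policies "$ROLE_NAME"
  verify_worker_role "$ROLE_NAME"
fi
```

Run it as `sh worker-role.sh apply` with credentials that can create roles and attach policies. The verification step is worth keeping as a standalone check after any later change to the role: it relies on `--query ... --output text`, so it needs no jq, and it fails closed on either an over-permissive trust policy or an unexpected policy attachment.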
Next Step: Creating and Configuring the Bastion