Create the following IAM roles and policies:
EKS external cluster management role: This role is used by the EKS control plane to manage AWS resources on behalf of the customer.
Define the trust policy:
```bash
$ cat <<EOF > integration-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EKSConnectorAccess",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "eks-connector.amazonaws.com",
          "eks.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
```
Define the permissions policy (note that every resource in the StartSession list must be comma-separated, or the document will not parse):
```bash
$ cat <<EOF > integration-policy-document.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccessSSMService",
      "Effect": "Allow",
      "Action": [
        "ssm:CreateActivation",
        "ssm:DescribeInstanceInformation",
        "ssm:DeleteActivation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ConnectorAgentStartSession",
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws:eks:*:*:cluster/*",
        "arn:aws:ssm:*::document/AmazonECS-ExecuteInteractiveCommand",
        "arn:aws:ssm:*::document/AmazonEKS-ExecuteNonInteractiveCommand"
      ]
    },
    {
      "Sid": "ConnectorAgentDeregister",
      "Effect": "Allow",
      "Action": [
        "ssm:DeregisterManagedInstance"
      ],
      "Resource": [
        "arn:aws:eks:*:*:cluster/*"
      ]
    },
    {
      "Sid": "PassAnyRoleToSsm",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ssm.amazonaws.com"
          ]
        }
      }
    }
  ]
}
EOF
```
Create the role with the trust policy, then attach the permissions policy to it:
```bash
$ aws iam create-role \
    --role-name eks-external-cluster-integration \
    --assume-role-policy-document file://integration-trust-policy.json

$ aws iam put-role-policy \
    --role-name eks-external-cluster-integration \
    --policy-name eks-connector-policy \
    --policy-document file://integration-policy-document.json
```
EKS connector agent role: This role is used by the EKS connector agent to communicate back to AWS from the Kubernetes cluster.
Define the trust policy:
```bash
$ cat <<EOF > agent-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SSMAccess",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ssm.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
```
Define the permissions policy:
```bash
$ cat <<EOF > agent-policy-document.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SsmControlChannel",
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateControlChannel"
      ],
      "Resource": "arn:aws:eks:*:*:cluster/*"
    },
    {
      "Sid": "ssmDataplaneOperations",
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenDataChannel",
        "ssmmessages:OpenControlChannel"
      ],
      "Resource": "*"
    }
  ]
}
EOF
```
Create the role with the trust policy:
```bash
$ aws iam create-role \
    --role-name eks-connector-agent \
    --assume-role-policy-document file://agent-trust-policy.json
```
Attach the permissions policy to it:
```bash
$ aws iam put-role-policy \
    --role-name eks-connector-agent \
    --policy-name eks-connector-agent-policy \
    --policy-document file://agent-policy-document.json
```
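Before running `put-role-policy`, it is worth checking the permissions document the way a reviewer would, since the management role's `iam:PassRole` grant is only safe because of its `iam:PassedToService` condition. The following is an added example, not code from the page or from AWS; it embeds a constructed copy of the management policy (the `ConnectorAgentDeregister` statement omitted for brevity) and reports any PassRole statement that lacks that condition, plus every statement whose `Resource` is `"*"`.

```python
import json

# Constructed sample (not a file from the page): the management role's
# permissions policy as written above, with the StartSession resource list
# comma-separated so that it parses (ConnectorAgentDeregister omitted).
INTEGRATION_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AccessSSMService", "Effect": "Allow", "Resource": "*",
     "Action": ["ssm:CreateActivation", "ssm:DescribeInstanceInformation",
                "ssm:DeleteActivation"]},
    {"Sid": "ConnectorAgentStartSession", "Effect": "Allow",
     "Action": ["ssm:StartSession"],
     "Resource": ["arn:aws:eks:*:*:cluster/*",
                  "arn:aws:ssm:*::document/AmazonEKS-ExecuteNonInteractiveCommand"]},
    {"Sid": "PassAnyRoleToSsm", "Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "*",
     "Condition": {"StringEquals": {"iam:PassedToService": ["ssm.amazonaws.com"]}}}
  ]}''')

# Constructed negative case: the same policy with the PassRole condition dropped.
WEAK_POLICY = json.loads(json.dumps(INTEGRATION_POLICY))
del WEAK_POLICY["Statement"][2]["Condition"]


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unscoped_passrole(policy: dict) -> list:
    """Sids of Allow statements granting iam:PassRole with no iam:PassedToService
    condition: without it the role may pass roles to any AWS service, not only SSM."""
    findings = []
    for stmt in policy["Statement"]:
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"iam:passrole", "iam:*", "*"}:
            continue
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if "iam:passedtoservice" not in keys:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def wildcard_resource_sids(policy: dict) -> list:
    """Sids of Allow statements whose Resource is "*": the places to check for a
    narrower ARN or a Condition before the role is created."""
    return [stmt.get("Sid", "<no Sid>") for stmt in policy["Statement"]
            if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", []))]
```

Run against the page's policy, `unscoped_passrole` returns an empty list and `wildcard_resource_sids` lists `AccessSSMService` and `PassAnyRoleToSsm`; against the weakened copy it flags `PassAnyRoleToSsm`.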