Create an Argo CD capability using the Amazon CLI - Amazon EKS

Create an Argo CD capability using the Amazon CLI

This topic describes how to create an Argo CD capability using the Amazon CLI.

Prerequisites

  • Amazon CLI – Version 2.12.3 or later. To check your version, run aws --version. For more information, see Installing in the Amazon Command Line Interface User Guide.

  • kubectl – A command line tool for working with Kubernetes clusters. For more information, see Set up kubectl and eksctl.

  • Amazon Identity Center configured – Argo CD requires Amazon Identity Center for authentication. Local users are not supported. If you don’t have Amazon Identity Center set up, see Getting started with Amazon Identity Center to create an Identity Center instance, and Add users and Add groups to create users and groups for Argo CD access.

Step 1: Create an IAM Capability Role

Create a trust policy file:

cat > argocd-trust-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "capabilities.eks.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}
EOF

Create the IAM role:

aws iam create-role \
  --role-name ArgoCDCapabilityRole \
  --assume-role-policy-document file://argocd-trust-policy.json

Note

If you plan to use the optional integrations with Amazon Secrets Manager or Amazon CodeConnections, you’ll need to add permissions to the role. For IAM policy examples and configuration guidance, see Manage application secrets with Amazon Secrets Manager and Connect to Git repositories with Amazon CodeConnections.

Step 2: Create the Argo CD capability

Create the Argo CD capability resource on your cluster.

First, set environment variables for your Identity Center configuration:

# Get your Identity Center instance ARN (replace region if your IDC instance is in a different region)
export IDC_INSTANCE_ARN=$(aws sso-admin list-instances --region region --query 'Instances[0].InstanceArn' --output text)

# Get a user ID for RBAC mapping (replace with your username and region if needed)
export IDC_USER_ID=$(aws identitystore list-users \
  --region region \
  --identity-store-id $(aws sso-admin list-instances --region region --query 'Instances[0].IdentityStoreId' --output text) \
  --query 'Users[?UserName==`your-username`].UserId' --output text)

echo "IDC_INSTANCE_ARN=$IDC_INSTANCE_ARN"
echo "IDC_USER_ID=$IDC_USER_ID"

Create the capability with Identity Center integration. Replace region-code with the Amazon Region where your cluster is located and my-cluster with your cluster name:

aws eks create-capability \
  --region region-code \
  --cluster-name my-cluster \
  --capability-name my-argocd \
  --type ARGOCD \
  --role-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/ArgoCDCapabilityRole \
  --delete-propagation-policy RETAIN \
  --configuration '{
    "argoCd": {
      "awsIdc": {
        "idcInstanceArn": "'$IDC_INSTANCE_ARN'",
        "idcRegion": "region-code"
      },
      "rbacRoleMappings": [{
        "role": "ADMIN",
        "identities": [{
          "id": "'$IDC_USER_ID'",
          "type": "SSO_USER"
        }]
      }]
    }
  }'

The command returns immediately, but the capability takes some time to become active as EKS creates the required capability infrastructure and components. EKS will install the Kubernetes Custom Resource Definitions related to this capability in your cluster as it is being created.
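As an added example, not code from the EKS documentation or the aws CLI, the following Python checks a capability role's trust policy against the least-privilege shape used in Step 1 (only the capabilities.eks.amazonaws.com principal, only sts:AssumeRole and sts:TagSession) and builds the Step 2 --configuration JSON from the two Identity Center values, rejecting the empty strings that an unset IDC_INSTANCE_ARN or IDC_USER_ID would otherwise splice silently into the shell-quoted JSON. The ARN sanity check on ":sso:::instance/" and all sample values are assumptions.

```python
import json

# The service principal and actions from the page's trust policy.
CAPABILITY_SERVICE = "capabilities.eks.amazonaws.com"
ALLOWED_ACTIONS = {"sts:AssumeRole", "sts:TagSession"}
# Constructed copy of argocd-trust-policy.json, used as the reference input.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": CAPABILITY_SERVICE},
        "Action": ["sts:AssumeRole", "sts:TagSession"],
    }],
}


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(policy):
    """Return deviations of a capability role's trust policy from the page's shape:
    only the EKS capabilities service principal, only the two STS actions."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            findings.append(f"statement {i}: principal must be a Service, got {principal!r}")
        else:
            for svc in _as_list(principal["Service"]):
                if svc != CAPABILITY_SERVICE:
                    findings.append(f"statement {i}: unexpected service principal {svc}")
        for action in _as_list(stmt.get("Action")):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action {action} is broader than needed")
    return findings


def build_argocd_configuration(idc_instance_arn, idc_region, admin_identity_ids):
    """Build the --configuration JSON for create-capability, refusing the empty values
    an unset IDC_INSTANCE_ARN or IDC_USER_ID would otherwise splice into the shell string.
    The ':sso:::instance/' check is an assumed sanity check on the Identity Center ARN."""
    if ":sso:::instance/" not in idc_instance_arn or not idc_region:
        raise ValueError("idcInstanceArn must be an Identity Center instance ARN and idcRegion set")
    if not admin_identity_ids or any(not i for i in admin_identity_ids):
        raise ValueError("every ADMIN identity id must be non-empty")
    identities = [{"id": i, "type": "SSO_USER"} for i in admin_identity_ids]
    return json.dumps({"argoCd": {
        "awsIdc": {"idcInstanceArn": idc_instance_arn, "idcRegion": idc_region},
        "rbacRoleMappings": [{"role": "ADMIN", "identities": identities}]}})
```

Write the returned string to a file and pass it as --configuration file://argocd-config.json to avoid the nested quoting altogether.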

Note

If you receive an error that the cluster doesn’t exist or you don’t have permissions, verify:

  • The cluster name is correct

  • Your Amazon CLI is configured for the correct region

  • You have the required IAM permissions

Step 3: Verify the capability is active

Wait for the capability to become active. Replace region-code with the Amazon Region where your cluster is located and my-cluster with your cluster name.

aws eks describe-capability \
  --region region-code \
  --cluster-name my-cluster \
  --capability-name my-argocd \
  --query 'capability.status' \
  --output text

The capability is ready when the status shows ACTIVE. Don’t continue to the next step until the status is ACTIVE.

You can also view the full capability details:

aws eks describe-capability \
  --region region-code \
  --cluster-name my-cluster \
  --capability-name my-argocd

Step 4: Verify custom resources are available

After the capability is active, verify that Argo CD custom resources are available in your cluster:

kubectl api-resources | grep argoproj.io

You should see Application and ApplicationSet resource types listed.

Next steps