Amazon EKS cluster IAM role
An Amazon EKS cluster IAM role is required for each cluster. Kubernetes clusters managed by Amazon EKS use this role to manage nodes, and the legacy Cloud Provider uses it to create load balancers with Elastic Load Balancing.
Before you can create Amazon EKS clusters, you must create an IAM role with either of the following IAM policies:
- The AmazonEKSClusterPolicy managed policy.
- A custom IAM policy. The minimal permissions that follow allow the Kubernetes cluster to manage nodes, but don't allow the legacy Cloud Provider to create load balancers with Elastic Load Balancing. Your custom IAM policy must have at least the following permissions:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:CreateTags"
        ],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {
          "ForAnyValue:StringLike": {
            "aws:TagKeys": "kubernetes.io/cluster/*"
          }
        }
      },
      {
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeInstances",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DescribeVpcs",
          "ec2:DescribeDhcpOptions",
          "ec2:DescribeAvailabilityZones",
          "kms:DescribeKey"
        ],
        "Resource": "*"
      }
    ]
  }
Note
Prior to October 3, 2023, AmazonEKSClusterPolicy was required on the IAM role for each cluster. Prior to April 16, 2020, AmazonEKSServicePolicy and AmazonEKSClusterPolicy were required and the suggested name for the role was eksServiceRole. With the AWSServiceRoleForAmazonEKS service-linked role, the AmazonEKSServicePolicy policy is no longer required for clusters created on or after April 16, 2020.
Check for an existing cluster role
You can use the following procedure to check whether your account already has the Amazon EKS cluster role.
To check for the eksClusterRole in the IAM console
- Open the IAM console at https://console.amazonaws.cn/iam/.
- In the left navigation pane, choose Roles.
- Search the list of roles for eksClusterRole. If a role that includes eksClusterRole doesn't exist, then see Creating the Amazon EKS cluster role to create the role. If a role that includes eksClusterRole does exist, then select the role to view the attached policies.
- Choose Permissions.
- Ensure that the AmazonEKSClusterPolicy managed policy is attached to the role. If the policy is attached, your Amazon EKS cluster role is properly configured.
- Choose Trust relationships, and then choose Edit trust policy.
- Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose Cancel. If the trust relationship doesn't match, copy the policy into the Edit trust policy window and choose Update policy.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "eks.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
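As an added example (not code from the Amazon EKS documentation), the following Python checks a role's trust policy and a custom permissions policy against the two policy documents shown on this page: the trust policy must let only the eks.amazonaws.com service assume the role, and the custom policy must grant the listed minimal actions with ec2:CreateTags scoped to kubernetes.io/cluster/* tag keys. The function names and the sample documents are the example's own; in practice the documents would be retrieved with the Amazon CLI and passed in as parsed JSON.

```python
import json

# Expected values taken from the policies shown on this page.
EKS_SERVICE_PRINCIPAL = "eks.amazonaws.com"
REQUIRED_ACTIONS = {
    "ec2:CreateTags", "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs",
    "ec2:DescribeDhcpOptions", "ec2:DescribeAvailabilityZones", "kms:DescribeKey",
}

def _listify(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def trust_policy_issues(doc):
    """Findings for a cluster-role trust policy; empty means only eks.amazonaws.com may assume the role."""
    issues, eks_found = [], False
    for st in _listify(doc.get("Statement", [])):
        if st.get("Effect") != "Allow" or not set(_listify(st.get("Action", []))) & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict):  # "Principal": "*" would let any caller assume the role
            issues.append("wildcard principal may assume the role")
            continue
        for kind, who in principal.items():
            for p in _listify(who):
                if kind == "Service" and p == EKS_SERVICE_PRINCIPAL:
                    eks_found = True
                else:
                    issues.append(f"unexpected principal {kind}={p}")
    if not eks_found:
        issues.append(f"{EKS_SERVICE_PRINCIPAL} is not trusted")
    return issues

def permissions_policy_issues(doc):
    """Findings for the custom permissions policy: missing minimal actions or an unscoped ec2:CreateTags.
    Wildcard actions are deliberately not expanded; a policy that relies on them is broader than this minimum."""
    issues, granted = [], set()
    for st in _listify(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_listify(st.get("Action", [])))
        granted |= actions
        cond = st.get("Condition", {}).get("ForAnyValue:StringLike", {})
        if "ec2:CreateTags" in actions and "kubernetes.io/cluster/*" not in _listify(cond.get("aws:TagKeys", [])):
            issues.append("ec2:CreateTags is not limited to kubernetes.io/cluster/* tag keys")
    return issues + [f"missing {a}" for a in sorted(REQUIRED_ACTIONS - granted)]

# Constructed samples: the trust policy from this page, and the same policy widened to a second service.
GOOD_TRUST = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"eks.amazonaws.com"},"Action":"sts:AssumeRole"}]}')
WIDE_TRUST = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["eks.amazonaws.com","ec2.amazonaws.com"]},"Action":"sts:AssumeRole"}]}')
```

Running trust_policy_issues(WIDE_TRUST) reports the extra ec2.amazonaws.com principal, which the console procedure above would catch only by reading the JSON by eye.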
Creating the Amazon EKS cluster role
You can use the Amazon Web Services Management Console or the Amazon CLI to create the cluster role.