Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Amazon EKS connector IAM role
You can connect Kubernetes clusters to view them in your Amazon Web Services Management Console. To connect a Kubernetes cluster, create the IAM role described on this page; it is the role that the Amazon EKS Connector agent assumes to communicate with Amazon Web Services.
Check for an existing connector role
You can use the following procedure to check whether your account already has the Amazon EKS connector role.
To check for the AmazonEKSConnectorAgentRole in the IAM console
-
Open the IAM console at https://console.amazonaws.cn/iam/.
-
In the left navigation pane, choose Roles.
-
Search the list of roles for AmazonEKSConnectorAgentRole. If a role that includes AmazonEKSConnectorAgentRole doesn't exist, then see Creating the Amazon EKS connector agent role to create the role. If a role that includes AmazonEKSConnectorAgentRole does exist, then select the role to view the attached policies.
-
Choose Permissions.
-
Ensure that the role has an inline permissions policy that allows the ssmmessages:CreateControlChannel, ssmmessages:CreateDataChannel, ssmmessages:OpenDataChannel, and ssmmessages:OpenControlChannel actions, as shown in the agent policy under Creating the Amazon EKS connector agent role. The policy is named AmazonEKSConnectorAgentPolicy if the role was created with the Amazon CLI procedure, or EKSConnectorAgentPolicy if it was created with the Amazon CloudFormation template. If such a policy is attached, your Amazon EKS connector agent role is properly configured.
-
Choose Trust relationships, and then choose
Edit trust policy.
-
Verify that the trust relationship contains the following policy. The trust relationship should allow sts:AssumeRole only for the ssm.amazonaws.com service principal; a trust policy that also names other principals does not match and should be corrected. If the trust relationship matches the following policy, choose Cancel. If the trust relationship doesn't match, copy the policy into the Edit trust policy window and choose Update policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ssm.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
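The console procedure above amounts to two checks: the trust policy must allow sts:AssumeRole to ssm.amazonaws.com and to nothing else, and the role's inline permissions policy must grant only the four ssmmessages actions, with CreateControlChannel scoped to EKS cluster ARNs. The following script is an added example, not code from this page or from AWS, that performs both checks. The two policy documents are copied from this page; the OVERTRUSTING_POLICY counter-example and the account ID 111122223333 in it are constructed. Its audit_role function reads the live role with the Amazon CLI commands aws iam get-role, list-role-policies and get-role-policy, so running it end to end assumes a configured CLI; the two checking functions work on any policy document without credentials.

```python
"""Audit an Amazon EKS connector agent role against this page's policies. Added example, not AWS code."""
import json
import subprocess
import sys

TRUSTED_SERVICE = "ssm.amazonaws.com"  # the only principal the trust policy names
CONTROL_ACTIONS = {"ssmmessages:CreateControlChannel"}
DATA_ACTIONS = {"ssmmessages:CreateDataChannel", "ssmmessages:OpenDataChannel",
                "ssmmessages:OpenControlChannel"}
ALLOWED_ACTIONS = CONTROL_ACTIONS | DATA_ACTIONS

# The two documents from this page, embedded so the checks can run offline.
PAGE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": ["ssm.amazonaws.com"]},
     "Action": "sts:AssumeRole"}]}
PAGE_AGENT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SsmControlChannel", "Effect": "Allow",
     "Action": ["ssmmessages:CreateControlChannel"],
     "Resource": "arn:aws-cn:eks:*:*:cluster/*"},
    {"Sid": "ssmDataplaneOperations", "Effect": "Allow", "Resource": "*",
     "Action": ["ssmmessages:CreateDataChannel", "ssmmessages:OpenDataChannel",
                "ssmmessages:OpenControlChannel"]}]}
# Constructed counter-example (not from the page): also trusts an account
# principal, so something other than SSM could assume the connector role.
OVERTRUSTING_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "ssm.amazonaws.com",
                   "AWS": "arn:aws-cn:iam::111122223333:root"}}]}


def _as_list(value):
    """IAM accepts a bare string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_problems(doc):
    """Differences from the page's trust policy (empty list if it matches):
    exactly one Allow of sts:AssumeRole, to the SSM service principal only."""
    problems = []
    statements = _as_list(doc.get("Statement"))
    if len(statements) != 1:
        problems.append(f"expected 1 statement, found {len(statements)}")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            problems.append(f"unexpected Effect {stmt.get('Effect')!r}")
        if set(_as_list(stmt.get("Action"))) != {"sts:AssumeRole"}:
            problems.append(f"unexpected Action {stmt.get('Action')!r}")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            problems.append(f"principal is not service-only: {principal!r}")
            continue
        services = set(_as_list(principal["Service"]))
        if services != {TRUSTED_SERVICE}:
            problems.append(f"unexpected service principal(s) {sorted(services)}")
    return problems


def permissions_policy_problems(doc, partition="aws-cn"):
    """Differences from the page's agent policy: only the four ssmmessages actions
    are allowed, all four are present, and CreateControlChannel is scoped to
    EKS cluster ARNs in `partition` rather than '*'."""
    problems, seen = [], set()
    scope = f"arn:{partition}:eks:*:*:cluster/*"
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            problems.append(f"unexpected Effect {stmt.get('Effect')!r}")
            continue
        actions = set(_as_list(stmt.get("Action")))
        if actions - ALLOWED_ACTIONS:
            problems.append(f"actions beyond the connector's needs: {sorted(actions - ALLOWED_ACTIONS)}")
        if actions & CONTROL_ACTIONS and set(_as_list(stmt.get("Resource"))) != {scope}:
            problems.append(f"CreateControlChannel not scoped to {scope}")
        seen |= actions
    if ALLOWED_ACTIONS - seen:
        problems.append(f"missing actions: {sorted(ALLOWED_ACTIONS - seen)}")
    return problems


def _aws(*args):
    """Run the Amazon CLI (needs configured credentials) and parse its JSON output."""
    done = subprocess.run(["aws", *args, "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(done.stdout)


def audit_role(role_name="AmazonEKSConnectorAgentRole", partition="aws-cn"):
    """Fetch the live role and its inline policies and run both checks on them."""
    role = _aws("iam", "get-role", "--role-name", role_name)["Role"]
    problems = [f"trust policy: {p}" for p in trust_policy_problems(role["AssumeRolePolicyDocument"])]
    names = _aws("iam", "list-role-policies", "--role-name", role_name)["PolicyNames"]
    if not names:
        problems.append("no inline permissions policy attached")
    for name in names:  # AmazonEKSConnectorAgentPolicy (CLI) or EKSConnectorAgentPolicy (CloudFormation)
        doc = _aws("iam", "get-role-policy", "--role-name", role_name, "--policy-name", name)["PolicyDocument"]
        problems += [f"{name}: {p}" for p in permissions_policy_problems(doc, partition)]
    return problems


if __name__ == "__main__":
    found = audit_role(*sys.argv[1:])  # optional args: role name, partition
    print("\n".join(found) or "connector agent role matches the documented policies")
    sys.exit(1 if found else 0)
```

Run it as `python audit.py` in a China Region account, or `python audit.py AmazonEKSConnectorAgentRole aws` elsewhere, since the CreateControlChannel resource ARN carries the partition; a non-zero exit with a printed list means the role differs from what this page documents and should be corrected in the Edit trust policy window or by re-applying the agent policy.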
Creating the Amazon EKS connector agent role
You can use the Amazon CLI or Amazon CloudFormation to create the connector agent role. Select the tab with the name of the tool that you want to use to create the role.
- Amazon CLI
-
Create a file named eks-connector-agent-trust-policy.json that contains the following JSON to use for the IAM role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ssm.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
-
Create a file named eks-connector-agent-policy.json that contains the following JSON to use for the IAM role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SsmControlChannel",
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel"
            ],
            "Resource": "arn:aws-cn:eks:*:*:cluster/*"
        },
        {
            "Sid": "ssmDataplaneOperations",
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenDataChannel",
                "ssmmessages:OpenControlChannel"
            ],
            "Resource": "*"
        }
    ]
}
-
Create the Amazon EKS Connector agent role using the trust policy and policy you created in the previous list items.
aws iam create-role \
    --role-name AmazonEKSConnectorAgentRole \
    --assume-role-policy-document file://eks-connector-agent-trust-policy.json
-
Attach the policy to your Amazon EKS Connector agent role.
aws iam put-role-policy \
    --role-name AmazonEKSConnectorAgentRole \
    --policy-name AmazonEKSConnectorAgentPolicy \
    --policy-document file://eks-connector-agent-policy.json
- Amazon CloudFormation
To create your Amazon EKS connector agent role with Amazon CloudFormation
-
Save the following Amazon CloudFormation template to a text file on your local system.
---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Provisions necessary resources needed to register clusters in EKS'
Parameters: {}
Resources:
  EKSConnectorSLR:
    Type: AWS::IAM::ServiceLinkedRole
    Properties:
      AWSServiceName: eks-connector.amazonaws.com
  EKSConnectorAgentRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: [ 'sts:AssumeRole' ]
            Principal:
              Service: 'ssm.amazonaws.com'
  EKSConnectorAgentPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: EKSConnectorAgentPolicy
      Roles:
        - {Ref: 'EKSConnectorAgentRole'}
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Action: [ 'ssmmessages:CreateControlChannel' ]
            Resource:
              - Fn::Sub: 'arn:${AWS::Partition}:eks:*:*:cluster/*'
          - Effect: 'Allow'
            Action: [ 'ssmmessages:CreateDataChannel', 'ssmmessages:OpenDataChannel', 'ssmmessages:OpenControlChannel' ]
            Resource: "*"
Outputs:
  EKSConnectorAgentRoleArn:
    Description: The agent role that EKS connector uses to communicate with Amazon Web Services.
    Value: !GetAtt EKSConnectorAgentRole.Arn
-
Open the Amazon CloudFormation console at https://console.amazonaws.cn/cloudformation.
-
Choose Create stack (either with new resources or with existing resources).
-
For Specify template, select Upload a template file, and then choose Choose file.
-
Choose the file you created earlier, and then choose Next.
-
For Stack name, enter a name for your stack, such as eksConnectorAgentRole, and then choose Next.
-
On the Configure stack options page, choose Next.
-
On the Review page, review your information, acknowledge that the stack might create IAM resources, and then choose Create stack.