Amazon EKS node IAM role
The Amazon EKS node kubelet daemon makes calls to Amazon APIs on your behalf. Nodes receive permissions for these API calls through an IAM instance profile and associated policies. Before you can launch nodes and register them into a cluster, you must create an IAM role for those nodes to use when they are launched. This requirement applies to nodes launched with the Amazon EKS optimized AMI provided by Amazon, or with any other node AMIs that you intend to use.
You can't use the same role that is used to create any clusters.
Before you create nodes, you must create an IAM role with the following IAM policies:
- Either the AmazonEKS_CNI_Policy managed policy (if you created your cluster with the IPv4 family) or an IPv6 policy that you create (if you created your cluster with the IPv6 family). Rather than attaching the policy to this role, however, we recommend that you attach the policy to a separate role used specifically for the Amazon VPC CNI add-on. For more information about creating a separate role for the Amazon VPC CNI add-on, see Configuring the Amazon VPC CNI plugin for Kubernetes to use IAM roles for service accounts.
The Amazon EC2 node groups must have a different IAM role than the Fargate profile. For more information, see Amazon EKS pod execution IAM role.
Check for an existing node role
You can use the following procedure to check and see if your account already has the Amazon EKS node role.
To check for the eksNodeRole in the IAM console
- Open the IAM console at https://console.amazonaws.cn/iam/.
- In the left navigation pane, choose Roles.
- Search the list of roles for eksNodeRole, AmazonEKSNodeRole, or NodeInstanceRole. If a role with one of those names doesn't exist, then see Creating the Amazon EKS node IAM role to create the role. If a role that contains eksNodeRole, AmazonEKSNodeRole, or NodeInstanceRole does exist, then select the role to view the attached policies.
- Choose Permissions.
- Ensure that the AmazonEKSWorkerNodePolicy and AmazonEC2ContainerRegistryReadOnly managed policies are attached to the role.
  Note: If the AmazonEKS_CNI_Policy policy is attached to the role, we recommend removing it and attaching it to an IAM role that is mapped to the aws-node Kubernetes service account instead. For more information, see Configuring the Amazon VPC CNI plugin for Kubernetes to use IAM roles for service accounts.
- Choose Trust relationships, and then choose Edit trust policy.
- Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose Cancel. If the trust relationship doesn't match, copy the policy into the Edit trust policy window and choose Update policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
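The same checks the console procedure walks through, as an added example that is not part of the Amazon EKS documentation: it takes a role's trust policy document and its attached policy ARNs (the shapes returned by `aws iam get-role` and `aws iam list-attached-role-policies`) and reports anything that deviates from the procedure. The sample input is constructed; the function names and the `arn:aws-cn` sample ARNs are assumptions for illustration.

```python
import json

# Managed policies the procedure above says must be attached to the node role.
REQUIRED_POLICIES = {"AmazonEKSWorkerNodePolicy", "AmazonEC2ContainerRegistryReadOnly"}
# Policy the procedure recommends moving to the role mapped to the aws-node service account.
CNI_POLICY = "AmazonEKS_CNI_Policy"


def _as_list(value):
    """IAM accepts a single value or a list in most positions; normalize to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def trust_policy_matches(trust_policy):
    """True only if the sole statement allows ec2.amazonaws.com to call sts:AssumeRole."""
    if trust_policy.get("Version") != "2012-10-17":
        return False
    statements = _as_list(trust_policy.get("Statement"))
    if len(statements) != 1:
        return False
    stmt = statements[0]
    principal = stmt.get("Principal")
    if not isinstance(principal, dict):
        return False
    return (stmt.get("Effect") == "Allow"
            and _as_list(principal.get("Service")) == ["ec2.amazonaws.com"]
            and _as_list(stmt.get("Action")) == ["sts:AssumeRole"])


def audit_node_role(trust_policy, attached_policy_arns):
    """Return findings from the procedure's checks; an empty list means the role passes."""
    names = {arn.rsplit("/", 1)[-1] for arn in attached_policy_arns}
    findings = [f"missing required managed policy: {p}" for p in sorted(REQUIRED_POLICIES - names)]
    if CNI_POLICY in names:
        findings.append(f"{CNI_POLICY} is attached; move it to the role mapped to the aws-node service account")
    if not trust_policy_matches(trust_policy):
        findings.append("trust policy does not allow only ec2.amazonaws.com to assume the role")
    return findings


# Constructed sample input, shaped like `aws iam get-role` (Role.AssumeRolePolicyDocument)
# and `aws iam list-attached-role-policies` (AttachedPolicies[].PolicyArn) output.
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": "ec2.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]
}""")
SAMPLE_ATTACHED = [  # assumed aws-cn partition ARNs; the CNI policy is attached and one required policy is missing
    "arn:aws-cn:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws-cn:iam::aws:policy/AmazonEKS_CNI_Policy",
]

if __name__ == "__main__":
    for finding in audit_node_role(SAMPLE_TRUST_POLICY, SAMPLE_ATTACHED):
        print("FINDING:", finding)
```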
Creating the Amazon EKS node IAM role
You can create the node IAM role with the Amazon Web Services Management Console or the Amazon CLI. Select the tab with the name of the tool that you want to create the role with.