Prepare credentials for hybrid nodes - Amazon EKS

Prepare credentials for hybrid nodes

Amazon EKS Hybrid Nodes use temporary IAM credentials provisioned by Amazon SSM hybrid activations or Amazon IAM Roles Anywhere to authenticate with the Amazon EKS cluster. You must use either Amazon SSM hybrid activations or Amazon IAM Roles Anywhere with the Amazon EKS Hybrid Nodes CLI (nodeadm). You should not use both Amazon SSM hybrid activations and Amazon IAM Roles Anywhere. It is recommended to use Amazon SSM hybrid activations if you do not have existing Public Key Infrastructure (PKI) with a Certificate Authority (CA) and certificates for your on-premises environments. If you do have existing PKI and certificates on-premises, use Amazon IAM Roles Anywhere.

Hybrid Nodes IAM Role

Before you can connect hybrid nodes to your Amazon EKS cluster, you must create an IAM role that will be used with Amazon SSM hybrid activations or Amazon IAM Roles Anywhere for your hybrid nodes credentials. After cluster creation, you will use this role with an Amazon EKS access entry or aws-auth ConfigMap entry to map the IAM role to Kubernetes Role-Based Access Control (RBAC). For more information on associating the Hybrid Nodes IAM role with Kubernetes RBAC, see Prepare cluster access for hybrid nodes.

The Hybrid Nodes IAM role must have the following permissions.

  • Permissions for nodeadm to use the eks:DescribeCluster action to gather information about the cluster used for connecting hybrid nodes to the cluster. If you do not enable the eks:DescribeCluster action, then you must pass your Kubernetes API endpoint, cluster CA bundle, and service IPv4 CIDR in the node configuration you pass to nodeadm when you run nodeadm init.

  • Permissions for the kubelet to use container images from Amazon Elastic Container Registry (Amazon ECR) as defined in the AmazonEC2ContainerRegistryPullOnly policy.

  • If using Amazon SSM, permissions for nodeadm init to use Amazon SSM hybrid activations as defined in the AmazonSSMManagedInstanceCore policy.

  • If using Amazon SSM, permissions to use the ssm:DeregisterManagedInstance action and ssm:DescribeInstanceInformation action for nodeadm uninstall to deregister instances.

  • (Optional) Permissions for the Amazon EKS Pod Identity Agent to use the eks-auth:AssumeRoleForPodIdentity action to retrieve credentials for pods.

Setup Amazon SSM hybrid activations

Before setting up Amazon SSM hybrid activations, you must have a Hybrid Nodes IAM role created and configured. For more information, see Create the Hybrid Nodes IAM role. Follow the instructions at Create a hybrid activation to register nodes with Systems Manager in the Amazon Systems Manager User Guide to create an Amazon SSM hybrid activation for your hybrid nodes. The Activation Code and ID you receive are used with nodeadm when you register your hosts as hybrid nodes with your Amazon EKS cluster. You can come back to this step at a later point after you have created and prepared your Amazon EKS clusters for hybrid nodes.

Important

Systems Manager immediately returns the Activation Code and ID to the console or the command window, depending on how you created the activation. Copy this information and store it in a safe place. If you navigate away from the console or close the command window, you might lose this information. If you lose it, you must create a new activation.

By default, Amazon SSM hybrid activations are active for 24 hours. You can alternatively specify an --expiration-date when you create your hybrid activation in timestamp format, such as 2024-08-01T00:00:00. When you use Amazon SSM as your credential provider, the node name for your hybrid nodes is not configurable, and is auto-generated by Amazon SSM. You can view and manage the Amazon SSM Managed Instances in the Amazon Systems Manager console under Fleet Manager. You can register up to 1,000 standard hybrid-activated nodes per account per Amazon Region at no additional cost. However, registering more than 1,000 hybrid nodes requires that you activate the advanced-instances tier. There is a charge to use the advanced-instances tier that is not included in the Amazon EKS Hybrid Nodes pricing. For more information, see Amazon Systems Manager Pricing.

See the example below for how to create an Amazon SSM hybrid activation with your Hybrid Nodes IAM role. When you use Amazon SSM hybrid activations for your hybrid nodes credentials, the names of your hybrid nodes will have the format mi-012345678abcdefgh and the temporary credentials provisioned by Amazon SSM are valid for 1 hour. You cannot alter the node name or credential duration when using Amazon SSM as your credential provider. The temporary credentials are automatically rotated by Amazon SSM and the rotation does not impact the status of your nodes or applications.

It is recommended to use one Amazon SSM hybrid activation per EKS cluster to scope the ssm:DeregisterManagedInstance permission of the Hybrid Nodes IAM role to only the instances that are associated with your Amazon SSM hybrid activation. In the example on this page, a tag with the EKS cluster ARN is used, which maps your Amazon SSM hybrid activation to the EKS cluster. You can alternatively use your preferred tag and method of scoping the Amazon SSM permissions based on your permission boundaries and requirements. The REGISTRATION_LIMIT option in the command below is an integer that limits the number of machines that can use the Amazon SSM hybrid activation (for example 10).

aws ssm create-activation \
    --region AWS_REGION \
    --default-instance-name eks-hybrid-nodes \
    --description "Activation for EKS hybrid nodes" \
    --iam-role AmazonEKSHybridNodesRole \
    --tags Key=EKSClusterARN,Value=arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:cluster/CLUSTER_NAME \
    --registration-limit REGISTRATION_LIMIT

Review the instructions on Create a hybrid activation to register nodes with Systems Manager for more information about the available configuration settings for Amazon SSM hybrid activations.

Setup Amazon IAM Roles Anywhere

Follow the instructions at Getting started with IAM Roles Anywhere in the IAM Roles Anywhere User Guide to set up the trust anchor and profile you will use for temporary IAM credentials for your Hybrid Nodes IAM role. When you create your profile, you can create it without adding any roles. You can create this profile, return to these steps to create your Hybrid Nodes IAM role, and then add your role to your profile after it is created. You can alternatively use the Amazon CloudFormation steps later on this page to complete your IAM Roles Anywhere setup for hybrid nodes.

When you add the Hybrid Nodes IAM role to your profile, select Accept custom role session name in the Custom role session name panel at the bottom of the Edit profile page in the Amazon IAM Roles Anywhere console. This corresponds to the acceptRoleSessionName field of the CreateProfile API. This allows you to supply a custom node name for your hybrid nodes in the configuration you pass to nodeadm during the bootstrap process. Passing a custom node name during the nodeadm init process is required. You can update your profile to accept a custom role session name after creating your profile.

You can configure the credential validity duration with Amazon IAM Roles Anywhere through the durationSeconds field of your Amazon IAM Roles Anywhere profile. The default duration is 1 hour with a maximum of 12 hours. The MaxSessionDuration setting on your Hybrid Nodes IAM role must be greater than the durationSeconds setting on your Amazon IAM Roles Anywhere profile. For more information on MaxSessionDuration, see UpdateRole API documentation.

The per-machine certificates and keys you generate from your certificate authority (CA) must be placed in the /etc/iam/pki directory on each hybrid node with the file names server.pem for the certificate and server.key for the key.

Create the Hybrid Nodes IAM role

To run the steps in this section, the IAM principal using the Amazon console or Amazon CLI must have the following permissions.

  • iam:CreatePolicy

  • iam:CreateRole

  • iam:AttachRolePolicy

  • If using Amazon IAM Roles Anywhere

    • rolesanywhere:CreateTrustAnchor

    • rolesanywhere:CreateProfile

    • iam:PassRole

Amazon CloudFormation

Install and configure the Amazon CLI, if you haven’t already. See Installing or updating to the latest version of the Amazon CLI.

Steps for Amazon SSM hybrid activations

The CloudFormation stack creates the Hybrid Nodes IAM Role with the permissions outlined above. The CloudFormation template does not create the Amazon SSM hybrid activation.

  1. Download the Amazon SSM CloudFormation template for hybrid nodes:

    curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/example/hybrid-ssm-cfn.yaml'
  2. Create a cfn-ssm-parameters.json with the following options:

    1. Replace ROLE_NAME with the name for your Hybrid Nodes IAM role. By default, the CloudFormation template uses AmazonEKSHybridNodesRole as the name of the role it creates if you do not specify a name.

    2. Replace TAG_KEY with the Amazon SSM resource tag key you used when creating your Amazon SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the ssm:DeregisterManagedInstance to only allow the Hybrid Nodes IAM role to deregister the Amazon SSM managed instances that are associated with your Amazon SSM hybrid activation. In the CloudFormation template, TAG_KEY defaults to EKSClusterARN.

    3. Replace TAG_VALUE with the Amazon SSM resource tag value you used when creating your Amazon SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the ssm:DeregisterManagedInstance to only allow the Hybrid Nodes IAM role to deregister the Amazon SSM managed instances that are associated with your Amazon SSM hybrid activation. If you are using the default TAG_KEY of EKSClusterARN, then pass your EKS cluster ARN as the TAG_VALUE. EKS cluster ARNs have the format arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:cluster/CLUSTER_NAME.

      {
        "Parameters": {
          "RoleName": "ROLE_NAME",
          "SSMDeregisterConditionTagKey": "TAG_KEY",
          "SSMDeregisterConditionTagValue": "TAG_VALUE"
        }
      }
  3. Deploy the CloudFormation stack. Replace STACK_NAME with your name for the CloudFormation stack.

    aws cloudformation deploy \
        --stack-name STACK_NAME \
        --template-file hybrid-ssm-cfn.yaml \
        --parameter-overrides file://cfn-ssm-parameters.json \
        --capabilities CAPABILITY_NAMED_IAM

Steps for Amazon IAM Roles Anywhere

The CloudFormation stack creates the Amazon IAM Roles Anywhere trust anchor with the certificate authority (CA) you configure, creates the Amazon IAM Roles Anywhere profile, and creates the Hybrid Nodes IAM role with the permissions outlined previously.

  1. To set up a certificate authority (CA)

    1. To use an Amazon Private CA resource, open the Amazon Private Certificate Authority console. Follow the instructions in the Amazon Private CA User Guide.

    2. To use an external CA, follow the instructions provided by the CA. You provide the certificate body in a later step.

    3. Certificates issued from public CAs cannot be used as trust anchors.

  2. Download the Amazon IAM Roles Anywhere CloudFormation template for hybrid nodes:

    curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/example/hybrid-ira-cfn.yaml'
  3. Create a cfn-iamra-parameters.json with the following options:

    1. Replace ROLE_NAME with the name for your Hybrid Nodes IAM role. By default, the CloudFormation template uses AmazonEKSHybridNodesRole as the name of the role it creates if you do not specify a name.

    2. Replace CERT_ATTRIBUTE with the per-machine certificate attribute that uniquely identifies your host. The certificate attribute you use must match the nodeName you use for the nodeadm configuration when you connect hybrid nodes to your cluster. For more information, see the Hybrid nodes nodeadm reference. By default, the CloudFormation template uses ${aws:PrincipalTag/x509Subject/CN} as the CERT_ATTRIBUTE, which corresponds to the CN field of your per-machine certificates. You can alternatively pass ${aws:PrincipalTag/x509SAN/Name/CN} as your CERT_ATTRIBUTE.

    3. Replace CA_CERT_BODY with the certificate body of your CA without line breaks. The CA_CERT_BODY must be in Privacy Enhanced Mail (PEM) format. If you have a CA certificate in PEM format, remove the line breaks and BEGIN CERTIFICATE and END CERTIFICATE lines before placing the CA certificate body in your cfn-iamra-parameters.json file.

      {
        "Parameters": {
          "RoleName": "ROLE_NAME",
          "CertAttributeTrustPolicy": "CERT_ATTRIBUTE",
          "CABundleCert": "CA_CERT_BODY"
        }
      }
  4. Deploy the CloudFormation template. Replace STACK_NAME with your name for the CloudFormation stack.

    aws cloudformation deploy \
        --stack-name STACK_NAME \
        --template-file hybrid-ira-cfn.yaml \
        --parameter-overrides file://cfn-iamra-parameters.json \
        --capabilities CAPABILITY_NAMED_IAM
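As an added example (not code from this page or from the eks-hybrid project), the following Python builds cfn-iamra-parameters.json from a PEM CA certificate the way step 3 describes: it accepts exactly one CERTIFICATE block, strips the BEGIN/END lines and line breaks, checks that the remaining body is base64 that decodes to a DER SEQUENCE, and accepts only the two CERT_ATTRIBUTE values named above. The CA certificate it ships with is a constructed placeholder, not a real certificate, and the function and file names are this example's own.

```python
import base64
import json
import re

# Constructed sample "CA certificate" in PEM form. The base64 body is fabricated
# (its first bytes look like a DER SEQUENCE, nothing more) and exists only to
# exercise the parser; substitute your own CA certificate in practice.
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQWJjZGVmZ2hpamtsbW5vcHFyc3QwCgYIKoZIzj0EAwIw
HzEdMBsGA1UEAwwUaHlicmlkLW5vZGVzLXJvb3QtY2EwHhcNMjQwMTAxMDAwMDAw
-----END CERTIFICATE-----
"""

# One PEM block: label, base64 body (possibly wrapped), matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----"
)

# The two CERT_ATTRIBUTE values the page offers for the trust policy condition.
ALLOWED_CERT_ATTRIBUTES = {
    "${aws:PrincipalTag/x509Subject/CN}",
    "${aws:PrincipalTag/x509SAN/Name/CN}",
}


def pem_certificate_body(pem_text: str) -> str:
    """Return the single-line base64 body of exactly one CERTIFICATE block.

    Rejects chain files (more than one block) and non-certificate blocks such as
    a private key pasted by mistake, and checks the body decodes to DER.
    """
    matches = list(PEM_BLOCK.finditer(pem_text))
    if len(matches) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(matches)}")
    block = matches[0]
    if block.group("label") != "CERTIFICATE":
        raise ValueError(f"PEM block is {block.group('label')!r}, not CERTIFICATE")
    body = "".join(block.group("body").split())  # drop all line breaks/whitespace
    der = base64.b64decode(body, validate=True)   # raises on non-base64 input
    if not der or der[0] != 0x30:                 # X.509 certificates are a DER SEQUENCE
        raise ValueError("decoded body does not start with a DER SEQUENCE")
    return body


def build_iamra_parameters(role_name: str, cert_attribute: str, ca_pem: str) -> dict:
    """Assemble the parameter document for hybrid-ira-cfn.yaml."""
    if cert_attribute not in ALLOWED_CERT_ATTRIBUTES:
        raise ValueError(f"unsupported CERT_ATTRIBUTE: {cert_attribute}")
    return {
        "Parameters": {
            "RoleName": role_name,
            "CertAttributeTrustPolicy": cert_attribute,
            "CABundleCert": pem_certificate_body(ca_pem),
        }
    }


def write_parameters_file(path: str, params: dict) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(params, fh, indent=2)
        fh.write("\n")


if __name__ == "__main__":
    params = build_iamra_parameters(
        "AmazonEKSHybridNodesRole", "${aws:PrincipalTag/x509Subject/CN}", SAMPLE_CA_PEM
    )
    write_parameters_file("cfn-iamra-parameters.json", params)
    print(json.dumps(params, indent=2))
```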

Amazon CLI

Install and configure the Amazon CLI, if you haven’t already. See Installing or updating to the latest version of the Amazon CLI.

Create EKS Describe Cluster Policy

  1. Create a file named eks-describe-cluster-policy.json with the following contents:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eks:DescribeCluster"
          ],
          "Resource": "*"
        }
      ]
    }
  2. Create the policy with the following command:

    aws iam create-policy \
        --policy-name EKSDescribeClusterPolicy \
        --policy-document file://eks-describe-cluster-policy.json

Steps for Amazon SSM hybrid activations

  1. Create a file named eks-hybrid-ssm-policy.json with the following contents. The policy grants permission for two actions, ssm:DescribeInstanceInformation and ssm:DeregisterManagedInstance. The policy restricts the ssm:DeregisterManagedInstance permission to Amazon SSM managed instances associated with your Amazon SSM hybrid activation, based on the resource tag you specify in the policy condition.

    1. Replace AWS_REGION with the Amazon Region for your Amazon SSM hybrid activation.

    2. Replace AWS_ACCOUNT_ID with your Amazon account ID.

    3. Replace TAG_KEY with the Amazon SSM resource tag key you used when creating your Amazon SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the ssm:DeregisterManagedInstance to only allow the Hybrid Nodes IAM role to deregister the Amazon SSM managed instances that are associated with your Amazon SSM hybrid activation. In the CloudFormation template, TAG_KEY defaults to EKSClusterARN.

    4. Replace TAG_VALUE with the Amazon SSM resource tag value you used when creating your Amazon SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the ssm:DeregisterManagedInstance to only allow the Hybrid Nodes IAM role to deregister the Amazon SSM managed instances that are associated with your Amazon SSM hybrid activation. If you are using the default TAG_KEY of EKSClusterARN, then pass your EKS cluster ARN as the TAG_VALUE. EKS cluster ARNs have the format arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:cluster/CLUSTER_NAME.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "ssm:DescribeInstanceInformation",
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": "ssm:DeregisterManagedInstance",
            "Resource": "arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:managed-instance/*",
            "Condition": {
              "StringEquals": {
                "ssm:resourceTag/TAG_KEY": "TAG_VALUE"
              }
            }
          }
        ]
      }
  2. Create the policy with the following command.

    aws iam create-policy \
        --policy-name EKSHybridSSMPolicy \
        --policy-document file://eks-hybrid-ssm-policy.json
  3. Create a file named eks-hybrid-ssm-trust.json. Replace AWS_REGION with the Amazon Region of your Amazon SSM hybrid activation and AWS_ACCOUNT_ID with your Amazon account ID.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "ssm.amazonaws.com"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "AWS_ACCOUNT_ID"
            },
            "ArnEquals": {
              "aws:SourceArn": "arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:*"
            }
          }
        }
      ]
    }
  4. Create the role with the following command.

    aws iam create-role \
        --role-name AmazonEKSHybridNodesRole \
        --assume-role-policy-document file://eks-hybrid-ssm-trust.json
  5. Attach the EKSDescribeClusterPolicy and the EKSHybridSSMPolicy you created in the previous steps. Replace AWS_ACCOUNT_ID with your Amazon account ID.

    aws iam attach-role-policy \
        --role-name AmazonEKSHybridNodesRole \
        --policy-arn arn:aws:iam::AWS_ACCOUNT_ID:policy/EKSDescribeClusterPolicy
    aws iam attach-role-policy \
        --role-name AmazonEKSHybridNodesRole \
        --policy-arn arn:aws:iam::AWS_ACCOUNT_ID:policy/EKSHybridSSMPolicy
  6. Attach the AmazonEC2ContainerRegistryPullOnly and AmazonSSMManagedInstanceCore Amazon managed policies.

    aws iam attach-role-policy \
        --role-name AmazonEKSHybridNodesRole \
        --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly
    aws iam attach-role-policy \
        --role-name AmazonEKSHybridNodesRole \
        --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
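As an added example (not code from this page or from the eks-hybrid project), the Python below renders the EKSHybridSSMPolicy document from the placeholders in step 1 and then runs a minimal, fail-closed evaluator over its ssm:DeregisterManagedInstance statement, showing why one activation per cluster matters: an instance carrying the tag of a different cluster's activation, an untagged instance, and an instance in another Region are all denied. Region, account ID, cluster names and managed-instance IDs are constructed values; the evaluator models only the Resource wildcard and the StringEquals tag condition this policy uses.

```python
import fnmatch

# Constructed example values standing in for the page's placeholders.
AWS_REGION = "us-west-2"
AWS_ACCOUNT_ID = "111122223333"
TAG_KEY = "EKSClusterARN"
CLUSTER_ARN = f"arn:aws:eks:{AWS_REGION}:{AWS_ACCOUNT_ID}:cluster/hybrid-cluster-a"


def render_ssm_policy(region: str, account_id: str, tag_key: str, tag_value: str) -> dict:
    """Return the eks-hybrid-ssm-policy.json document with the placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ssm:DescribeInstanceInformation",
                "Resource": "*",
            },
            {
                "Effect": "Allow",
                "Action": "ssm:DeregisterManagedInstance",
                "Resource": f"arn:aws:ssm:{region}:{account_id}:managed-instance/*",
                "Condition": {"StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def deregister_allowed(policy: dict, instance_arn: str, instance_tags: dict) -> bool:
    """Decide whether this policy lets the role deregister one managed instance.

    Minimal evaluator for the policy shape on this page: it understands '*' in
    Resource and StringEquals on ssm:resourceTag/<key>. Any other condition
    operator or key is treated as unsatisfied (fail closed); Deny statements and
    tag-key case folding are not modelled.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "ssm:DeregisterManagedInstance" not in _as_list(stmt.get("Action", [])):
            continue
        if not any(fnmatch.fnmatchcase(instance_arn, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        condition = stmt.get("Condition", {})
        if set(condition) - {"StringEquals"}:
            continue  # operator this evaluator does not model
        satisfied = True
        for key, expected in condition.get("StringEquals", {}).items():
            if not key.startswith("ssm:resourceTag/"):
                satisfied = False
                break
            tag_name = key[len("ssm:resourceTag/"):]
            if instance_tags.get(tag_name) != expected:
                satisfied = False
                break
        if satisfied:
            return True
    return False


# Constructed managed-instance ARN and tag sets. The tag set on the activation
# (Key=EKSClusterARN in the create-activation example) is what the condition
# matches, so an instance registered through another cluster's activation
# carries that cluster's ARN instead.
INSTANCE_ARN = f"arn:aws:ssm:{AWS_REGION}:{AWS_ACCOUNT_ID}:managed-instance/mi-0123456789abcdef0"
SAME_CLUSTER_TAGS = {TAG_KEY: CLUSTER_ARN}
OTHER_CLUSTER_TAGS = {TAG_KEY: f"arn:aws:eks:{AWS_REGION}:{AWS_ACCOUNT_ID}:cluster/hybrid-cluster-b"}

if __name__ == "__main__":
    policy = render_ssm_policy(AWS_REGION, AWS_ACCOUNT_ID, TAG_KEY, CLUSTER_ARN)
    print("same cluster :", deregister_allowed(policy, INSTANCE_ARN, SAME_CLUSTER_TAGS))
    print("other cluster:", deregister_allowed(policy, INSTANCE_ARN, OTHER_CLUSTER_TAGS))
    print("untagged     :", deregister_allowed(policy, INSTANCE_ARN, {}))
```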

Steps for Amazon IAM Roles Anywhere

To use Amazon IAM Roles Anywhere, you must set up your Amazon IAM Roles Anywhere trust anchor before creating the Hybrid Nodes IAM Role. See Setup Amazon IAM Roles Anywhere for instructions.

  1. Create a file named eks-hybrid-iamra-trust.json. Replace TRUST_ANCHOR_ARN with the ARN of the trust anchor you created in the Setup Amazon IAM Roles Anywhere steps. The condition in this trust policy restricts the ability of Amazon IAM Roles Anywhere to assume the Hybrid Nodes IAM role and exchange temporary IAM credentials to the case where the role session name matches the CN in the x509 certificate installed on your hybrid nodes. You can alternatively use other certificate attributes to uniquely identify your node. The certificate attribute that you use in the trust policy must correspond to the nodeName you set in your nodeadm configuration. For more information, see the Hybrid nodes nodeadm reference.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "rolesanywhere.amazonaws.com"
          },
          "Action": [
            "sts:TagSession",
            "sts:SetSourceIdentity"
          ],
          "Condition": {
            "ArnEquals": {
              "aws:SourceArn": "TRUST_ANCHOR_ARN"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "rolesanywhere.amazonaws.com"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:RoleSessionName": "${aws:PrincipalTag/x509Subject/CN}"
            },
            "ArnEquals": {
              "aws:SourceArn": "TRUST_ANCHOR_ARN"
            }
          }
        }
      ]
    }
  2. Create the role with the following command.

    aws iam create-role \
        --role-name AmazonEKSHybridNodesRole \
        --assume-role-policy-document file://eks-hybrid-iamra-trust.json
  3. Attach the EKSDescribeClusterPolicy you created in the previous steps. Replace AWS_ACCOUNT_ID with your Amazon account ID.

    aws iam attach-role-policy \
        --role-name AmazonEKSHybridNodesRole \
        --policy-arn arn:aws:iam::AWS_ACCOUNT_ID:policy/EKSDescribeClusterPolicy
  4. Attach the AmazonEC2ContainerRegistryPullOnly Amazon managed policy.

    aws iam attach-role-policy \
        --role-name AmazonEKSHybridNodesRole \
        --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly
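As an added example (not code from this page or from the eks-hybrid project), the Python below renders the eks-hybrid-iamra-trust.json document from step 1 and evaluates its sts:AssumeRole statement for a single Roles Anywhere request, showing the binding the trust policy enforces: the session name (the nodeName nodeadm passes) must equal the CN that Roles Anywhere surfaces from the node's certificate as a principal tag, and the request must originate from your trust anchor. It also checks the MaxSessionDuration versus durationSeconds rule from the Setup Amazon IAM Roles Anywhere section. The trust anchor ARN and node names are constructed; ArnEquals is modelled as an exact match, the sts:TagSession statement is not evaluated, and the minimum profile duration is not enforced.

```python
import re

# Constructed example values standing in for the page's placeholders.
TRUST_ANCHOR_ARN = (
    "arn:aws:rolesanywhere:us-west-2:111122223333:"
    "trust-anchor/00000000-0000-0000-0000-000000000000"
)
CERT_ATTRIBUTE = "${aws:PrincipalTag/x509Subject/CN}"


def render_iamra_trust_policy(trust_anchor_arn: str, cert_attribute: str = CERT_ATTRIBUTE) -> dict:
    """Return the eks-hybrid-iamra-trust.json document with TRUST_ANCHOR_ARN filled in."""
    principal = {"Service": "rolesanywhere.amazonaws.com"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": principal,
                "Action": ["sts:TagSession", "sts:SetSourceIdentity"],
                "Condition": {"ArnEquals": {"aws:SourceArn": trust_anchor_arn}},
            },
            {
                "Effect": "Allow",
                "Principal": principal,
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {"sts:RoleSessionName": cert_attribute},
                    "ArnEquals": {"aws:SourceArn": trust_anchor_arn},
                },
            },
        ],
    }


_VARIABLE = re.compile(r"^\$\{aws:PrincipalTag/(?P<tag>[^}]+)\}$")


def _resolve(value: str, principal_tags: dict):
    """Resolve a ${aws:PrincipalTag/...} policy variable; None when the tag is absent."""
    m = _VARIABLE.match(value)
    return principal_tags.get(m.group("tag")) if m else value


def assume_role_allowed(policy: dict, source_arn: str, role_session_name: str, principal_tags: dict) -> bool:
    """Evaluate the sts:AssumeRole statement for one Roles Anywhere request.

    principal_tags holds the certificate attributes Roles Anywhere presents as
    session tags, e.g. {"x509Subject/CN": "node-01"}. Fail closed: an unresolved
    variable, an unmodelled operator, or any mismatch means deny.
    """
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        cond = stmt.get("Condition", {})
        if set(cond) - {"StringEquals", "ArnEquals"}:
            continue
        checks = []
        for key, expected in cond.get("ArnEquals", {}).items():
            checks.append(key == "aws:SourceArn" and expected == source_arn)
        for key, expected in cond.get("StringEquals", {}).items():
            resolved = _resolve(expected, principal_tags)
            checks.append(key == "sts:RoleSessionName" and resolved is not None
                          and resolved == role_session_name)
        if checks and all(checks):
            return True
    return False


def session_duration_ok(role_max_session_duration: int, profile_duration_seconds: int) -> bool:
    """The page's rule: the role's MaxSessionDuration must be greater than the
    profile's durationSeconds, which itself may be at most 12 hours (43200 s)."""
    return 0 < profile_duration_seconds <= 43200 and role_max_session_duration > profile_duration_seconds


if __name__ == "__main__":
    policy = render_iamra_trust_policy(TRUST_ANCHOR_ARN)
    tags = {"x509Subject/CN": "node-01"}  # constructed: CN of this node's server.pem
    print("nodeName matches CN :", assume_role_allowed(policy, TRUST_ANCHOR_ARN, "node-01", tags))
    print("nodeName differs    :", assume_role_allowed(policy, TRUST_ANCHOR_ARN, "node-02", tags))
    print("12h role, 1h profile:", session_duration_ok(43200, 3600))
```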

Amazon Management Console

Create EKS Describe Cluster Policy

  1. Open the Amazon IAM console

  2. In the left navigation pane, choose Policies.

  3. On the Policies page, choose Create policy.

  4. On the Specify permissions page, in the Select a service panel, choose EKS.

    1. Filter actions for DescribeCluster and select the DescribeCluster Read action.

    2. Choose Next.

  5. On the Review and create page

    1. Enter a Policy name for your policy such as EKSDescribeClusterPolicy.

    2. Choose Create policy.

Steps for Amazon SSM hybrid activations

  1. Open the Amazon IAM console

  2. In the left navigation pane, choose Policies.

  3. On the Policies page, choose Create policy.

  4. On the Specify permissions page, in the Policy editor top right navigation, choose JSON. Paste the following snippet. Replace AWS_REGION with the Amazon Region of your Amazon SSM hybrid activation and replace AWS_ACCOUNT_ID with your Amazon account ID. Replace TAG_KEY and TAG_VALUE with the Amazon SSM resource tag key and tag value you used when creating your Amazon SSM hybrid activation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ssm:DescribeInstanceInformation",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "ssm:DeregisterManagedInstance",
          "Resource": "arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:managed-instance/*",
          "Condition": {
            "StringEquals": {
              "ssm:resourceTag/TAG_KEY": "TAG_VALUE"
            }
          }
        }
      ]
    }
    1. Choose Next.

  5. On the Review and create page, do the following:

    1. Enter a Policy name for your policy such as EKSHybridSSMPolicy

    2. Choose Create Policy.

  6. In the left navigation pane, choose Roles.

  7. On the Roles page, choose Create role.

  8. On the Select trusted entity page, do the following:

    1. In the Trusted entity type section, choose Custom trust policy. Paste the following into the Custom trust policy editor. Replace AWS_REGION with the Amazon Region of your Amazon SSM hybrid activation and AWS_ACCOUNT_ID with your Amazon account ID.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
              "Service": "ssm.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": {
                "aws:SourceAccount": "AWS_ACCOUNT_ID"
              },
              "ArnEquals": {
                "aws:SourceArn": "arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:*"
              }
            }
          }
        ]
      }
    2. Choose Next.

  9. On the Add permissions page, attach a custom policy or do the following:

    1. In the Filter policies box, enter EKSDescribeClusterPolicy, or the name of the policy you created above. Select the check box to the left of your policy name in the search results.

    2. In the Filter policies box, enter EKSHybridSSMPolicy, or the name of the policy you created above. Select the check box to the left of your policy name in the search results.

    3. In the Filter policies box, enter AmazonEC2ContainerRegistryPullOnly. Select the check box to the left of AmazonEC2ContainerRegistryPullOnly in the search results.

    4. In the Filter policies box, enter AmazonSSMManagedInstanceCore. Select the check box to the left of AmazonSSMManagedInstanceCore in the search results.

    5. Choose Next.

  10. On the Name, review, and create page, do the following:

    1. For Role name, enter a unique name for your role, such as AmazonEKSHybridNodesRole.

    2. For Description, replace the current text with descriptive text such as Amazon EKS - Hybrid Nodes role.

    3. Choose Create role.

Steps for Amazon IAM Roles Anywhere

To use Amazon IAM Roles Anywhere, you must set up your Amazon IAM Roles Anywhere trust anchor before creating the Hybrid Nodes IAM Role. See Setup Amazon IAM Roles Anywhere for instructions.

  1. Open the Amazon IAM console

  2. In the left navigation pane, choose Roles.

  3. On the Roles page, choose Create role.

  4. On the Select trusted entity page, do the following:

    1. In the Trusted entity type section, choose Custom trust policy. Paste the following into the Custom trust policy editor. Replace TRUST_ANCHOR_ARN with the ARN of the trust anchor you created in the Setup Amazon IAM Roles Anywhere steps. The condition in this trust policy restricts the ability of Amazon IAM Roles Anywhere to assume the Hybrid Nodes IAM role and exchange temporary IAM credentials to the case where the role session name matches the CN in the x509 certificate installed on your hybrid nodes. You can alternatively use other certificate attributes to uniquely identify your node. The certificate attribute that you use in the trust policy must correspond to the nodeName you set in your nodeadm configuration. For more information, see the Hybrid nodes nodeadm reference.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "rolesanywhere.amazonaws.com"
            },
            "Action": [
              "sts:TagSession",
              "sts:SetSourceIdentity"
            ],
            "Condition": {
              "ArnEquals": {
                "aws:SourceArn": "TRUST_ANCHOR_ARN"
              }
            }
          },
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "rolesanywhere.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": {
                "sts:RoleSessionName": "${aws:PrincipalTag/x509Subject/CN}"
              },
              "ArnEquals": {
                "aws:SourceArn": "TRUST_ANCHOR_ARN"
              }
            }
          }
        ]
      }
    2. Choose Next.

  5. On the Add permissions page, attach a custom policy or do the following:

    1. In the Filter policies box, enter EKSDescribeClusterPolicy, or the name of the policy you created above. Select the check box to the left of your policy name in the search results.

    2. In the Filter policies box, enter AmazonEC2ContainerRegistryPullOnly. Select the check box to the left of AmazonEC2ContainerRegistryPullOnly in the search results.

    3. Choose Next.

  6. On the Name, review, and create page, do the following:

    1. For Role name, enter a unique name for your role, such as AmazonEKSHybridNodesRole.

    2. For Description, replace the current text with descriptive text such as Amazon EKS - Hybrid Nodes role.

    3. Choose Create role.