
# Prepare credentials for hybrid nodes
<a name="hybrid-nodes-creds"></a>

Amazon EKS Hybrid Nodes use temporary IAM credentials provisioned by Amazon SSM hybrid activations or Amazon IAM Roles Anywhere to authenticate with the Amazon EKS cluster. You must use either Amazon SSM hybrid activations or Amazon IAM Roles Anywhere with the Amazon EKS Hybrid Nodes CLI (`nodeadm`). You should not use both Amazon SSM hybrid activations and Amazon IAM Roles Anywhere. We recommend that you use Amazon SSM hybrid activations if you do not have existing Public Key Infrastructure (PKI) with a Certificate Authority (CA) and certificates for your on-premises environments. If you do have existing PKI and certificates on-premises, use Amazon IAM Roles Anywhere.

## Hybrid Nodes IAM Role
<a name="hybrid-nodes-role"></a>

Before you can connect hybrid nodes to your Amazon EKS cluster, you must create an IAM role that will be used with Amazon SSM hybrid activations or Amazon IAM Roles Anywhere for your hybrid nodes credentials. After cluster creation, you will use this role with an Amazon EKS access entry or `aws-auth` ConfigMap entry to map the IAM role to Kubernetes Role-Based Access Control (RBAC). For more information on associating the Hybrid Nodes IAM role with Kubernetes RBAC, see [Prepare cluster access for hybrid nodes](hybrid-nodes-cluster-prep.md).

The Hybrid Nodes IAM role must have the following permissions.
+ Permissions for `nodeadm` to use the `eks:DescribeCluster` action to gather information about the cluster to which you want to connect hybrid nodes. If you do not enable the `eks:DescribeCluster` action, then you must pass your Kubernetes API endpoint, cluster CA bundle, and service IPv4 CIDR in the node configuration you pass to the `nodeadm init` command.
+ Permissions for `nodeadm` to use the `eks:ListAccessEntries` action to list the access entries on the cluster to which you want to connect hybrid nodes. If you do not enable the `eks:ListAccessEntries` action, then you must pass the `--skip cluster-access-validation` flag when you run the `nodeadm init` command.
+ Permissions for the kubelet to use container images from Amazon Elastic Container Registry (Amazon ECR) as defined in the [AmazonEC2ContainerRegistryPullOnly](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonEC2ContainerRegistryPullOnly.html) policy.
+ If using Amazon SSM, permissions for `nodeadm init` to use Amazon SSM hybrid activations as defined in the [AmazonSSMManagedInstanceCore](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) policy.
+ If using Amazon SSM, permissions to use the `ssm:DeregisterManagedInstance` action and `ssm:DescribeInstanceInformation` action for `nodeadm uninstall` to deregister instances.
+ (Optional) Permissions for the Amazon EKS Pod Identity Agent to use the `eks-auth:AssumeRoleForPodIdentity` action to retrieve credentials for pods.

## Setup Amazon SSM hybrid activations
<a name="hybrid-nodes-ssm"></a>

Before setting up Amazon SSM hybrid activations, you must have a Hybrid Nodes IAM role created and configured. For more information, see [Create the Hybrid Nodes IAM role](#hybrid-nodes-create-role). Follow the instructions at [Create a hybrid activation to register nodes with Systems Manager](https://docs.amazonaws.cn/systems-manager/latest/userguide/hybrid-activation-managed-nodes.html) in the Amazon Systems Manager User Guide to create an Amazon SSM hybrid activation for your hybrid nodes. The Activation Code and ID you receive is used with `nodeadm` when you register your hosts as hybrid nodes with your Amazon EKS cluster. You can come back to this step at a later point after you have created and prepared your Amazon EKS clusters for hybrid nodes.

**Important**  
Systems Manager immediately returns the Activation Code and ID to the console or the command window, depending on how you created the activation. Copy this information and store it in a safe place. If you navigate away from the console or close the command window, you might lose this information. If you lose it, you must create a new activation.

By default, Amazon SSM hybrid activations are active for 24 hours. You can alternatively specify an `--expiration-date` when you create your hybrid activation in timestamp format, such as `2024-08-01T00:00:00`. When you use Amazon SSM as your credential provider, the node name for your hybrid nodes is not configurable, and is auto-generated by Amazon SSM. You can view and manage the Amazon SSM Managed Instances in the Amazon Systems Manager console under Fleet Manager. You can register up to 1,000 standard [hybrid-activated nodes](https://docs.amazonaws.cn/systems-manager/latest/userguide/activations.html) per account per Amazon Region at no additional cost. However, registering more than 1,000 hybrid nodes requires that you activate the advanced-instances tier. There is a charge to use the advanced-instances tier that is not included in the [Amazon EKS Hybrid Nodes pricing](https://www.amazonaws.cn/eks/pricing/). For more information, see [Amazon Systems Manager Pricing](https://www.amazonaws.cn/systems-manager/pricing/).

See the example below for how to create an Amazon SSM hybrid activation with your Hybrid Nodes IAM role. When you use Amazon SSM hybrid activations for your hybrid nodes credentials, the names of your hybrid nodes will have the format `mi-012345678abcdefgh` and the temporary credentials provisioned by Amazon SSM are valid for 1 hour. You cannot alter the node name or credential duration when using Amazon SSM as your credential provider. The temporary credentials are automatically rotated by Amazon SSM and the rotation does not impact the status of your nodes or applications.

We recommend that you use one Amazon SSM hybrid activation per EKS cluster so that the `ssm:DeregisterManagedInstance` permission of the Hybrid Nodes IAM role can be scoped to deregister only the instances associated with that activation. The example on this page tags the activation with the EKS cluster ARN, and that tag is what maps the Amazon SSM hybrid activation to the EKS cluster in the policy condition. You can alternatively use your preferred tag and method of scoping the Amazon SSM permissions based on your permission boundaries and requirements. The `REGISTRATION_LIMIT` option in the command below is an integer that limits the number of machines that can use the Amazon SSM hybrid activation (for example, `10`).

```
aws ssm create-activation \
     --region AWS_REGION \
     --default-instance-name eks-hybrid-nodes \
     --description "Activation for EKS hybrid nodes" \
     --iam-role AmazonEKSHybridNodesRole \
     --tags Key=EKSClusterARN,Value=arn:aws-cn:eks:AWS_REGION:AWS_ACCOUNT_ID:cluster/CLUSTER_NAME \
     --registration-limit REGISTRATION_LIMIT
```

Review the instructions on [Create a hybrid activation to register nodes with Systems Manager](https://docs.amazonaws.cn/systems-manager/latest/userguide/hybrid-activation-managed-nodes.html) for more information about the available configuration settings for Amazon SSM hybrid activations.

## Setup Amazon IAM Roles Anywhere
<a name="hybrid-nodes-iam-roles-anywhere"></a>

Follow the instructions at [Getting started with IAM Roles Anywhere](https://docs.amazonaws.cn/rolesanywhere/latest/userguide/getting-started.html) in the IAM Roles Anywhere User Guide to set up the trust anchor and profile you will use for temporary IAM credentials for your Hybrid Nodes IAM role. When you create your profile, you can create it without adding any roles. You can create this profile, return to these steps to create your Hybrid Nodes IAM role, and then add your role to your profile after it is created. You can alternatively use the Amazon CloudFormation steps later on this page to complete your IAM Roles Anywhere setup for hybrid nodes.

When you add the Hybrid Nodes IAM role to your profile, select **Accept custom role session name** in the **Custom role session name** panel at the bottom of the **Edit profile** page in the Amazon IAM Roles Anywhere console. This corresponds to the [acceptRoleSessionName](https://docs.amazonaws.cn/rolesanywhere/latest/APIReference/API_CreateProfile.html#rolesanywhere-CreateProfile-request-acceptRoleSessionName) field of the `CreateProfile` API. This allows you to supply a custom node name for your hybrid nodes in the configuration you pass to `nodeadm` during the bootstrap process. Passing a custom node name during the `nodeadm init` process is required. You can update your profile to accept a custom role session name after creating your profile.

You can configure the credential validity duration with Amazon IAM Roles Anywhere through the [durationSeconds](https://docs.amazonaws.cn/rolesanywhere/latest/userguide/authentication-create-session#credentials-object) field of your Amazon IAM Roles Anywhere profile. The default duration is 1 hour with a maximum of 12 hours. The `MaxSessionDuration` setting on your Hybrid Nodes IAM role must be greater than the `durationSeconds` setting on your Amazon IAM Roles Anywhere profile. For more information on `MaxSessionDuration`, see [UpdateRole API documentation](https://docs.amazonaws.cn/systems-manager/latest/APIReference/API_UpdateRole.html).

The per-machine certificates and keys you generate from your certificate authority (CA) must be placed in the `/etc/iam/pki` directory on each hybrid node with the file names `server.pem` for the certificate and `server.key` for the key.

## Create the Hybrid Nodes IAM role
<a name="hybrid-nodes-create-role"></a>

To run the steps in this section, the IAM principal using the Amazon console or Amazon CLI must have the following permissions.
+ `iam:CreatePolicy`
+ `iam:CreateRole`
+ `iam:AttachRolePolicy`
+ If using Amazon IAM Roles Anywhere:
  + `rolesanywhere:CreateTrustAnchor`
  + `rolesanywhere:CreateProfile`
  + `iam:PassRole`

### Amazon CloudFormation
<a name="hybrid-nodes-creds-cloudformation"></a>

Install and configure the Amazon CLI, if you haven’t already. See [Installing or updating to the latest version of the Amazon CLI](https://docs.amazonaws.cn/cli/latest/userguide/getting-started-install.html).

 **Steps for Amazon SSM hybrid activations** 

The CloudFormation stack creates the Hybrid Nodes IAM Role with the permissions outlined above. The CloudFormation template does not create the Amazon SSM hybrid activation.

1. Download the Amazon SSM CloudFormation template for hybrid nodes:

   ```
   curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/example/hybrid-ssm-cfn.yaml'
   ```

1. Create a `cfn-ssm-parameters.json` with the following options:

   1. Replace `ROLE_NAME` with the name for your Hybrid Nodes IAM role. By default, the CloudFormation template uses `AmazonEKSHybridNodesRole` as the name of the role it creates if you do not specify a name.

   1. Replace `TAG_KEY` with the Amazon SSM resource tag key you used when creating your Amazon SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the `ssm:DeregisterManagedInstance` to only allow the Hybrid Nodes IAM role to deregister the Amazon SSM managed instances that are associated with your Amazon SSM hybrid activation. In the CloudFormation template, `TAG_KEY` defaults to `EKSClusterARN`.

   1. Replace `TAG_VALUE` with the Amazon SSM resource tag value you used when creating your Amazon SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the `ssm:DeregisterManagedInstance` to only allow the Hybrid Nodes IAM role to deregister the Amazon SSM managed instances that are associated with your Amazon SSM hybrid activation. If you are using the default `TAG_KEY` of `EKSClusterARN`, then pass your EKS cluster ARN as the `TAG_VALUE`. EKS cluster ARNs have the format `arn:aws-cn:eks:AWS_REGION:AWS_ACCOUNT_ID:cluster/CLUSTER_NAME`.

      ```
      {
        "Parameters": {
          "RoleName": "ROLE_NAME",
          "SSMDeregisterConditionTagKey": "TAG_KEY",
          "SSMDeregisterConditionTagValue": "TAG_VALUE"
        }
      }
      ```

1. Deploy the CloudFormation stack. Replace `STACK_NAME` with your name for the CloudFormation stack.

   ```
   aws cloudformation deploy \
       --stack-name STACK_NAME \
       --template-file hybrid-ssm-cfn.yaml \
       --parameter-overrides file://cfn-ssm-parameters.json \
       --capabilities CAPABILITY_NAMED_IAM
   ```

 **Steps for Amazon IAM Roles Anywhere** 

The CloudFormation stack creates the Amazon IAM Roles Anywhere trust anchor with the certificate authority (CA) you configure, creates the Amazon IAM Roles Anywhere profile, and creates the Hybrid Nodes IAM role with the permissions outlined previously.

1. To set up a certificate authority (CA):

   1. To use an Amazon Private CA resource, open the [Amazon Private Certificate Authority console](https://console.amazonaws.cn/acm-pca/home). Follow the instructions in the [Amazon Private CA User Guide](https://docs.amazonaws.cn/privateca/latest/userguide/PcaWelcome.html).

   1. To use an external CA, follow the instructions provided by the CA. You provide the certificate body in a later step.

   1. Certificates issued from public CAs cannot be used as trust anchors.

1. Download the Amazon IAM Roles Anywhere CloudFormation template for hybrid nodes:

   ```
   curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/example/hybrid-ira-cfn.yaml'
   ```

1. Create a `cfn-iamra-parameters.json` with the following options:

   1. Replace `ROLE_NAME` with the name for your Hybrid Nodes IAM role. By default, the CloudFormation template uses `AmazonEKSHybridNodesRole` as the name of the role it creates if you do not specify a name.

   1. Replace `CERT_ATTRIBUTE` with the per-machine certificate attribute that uniquely identifies your host. The certificate attribute you use must match the `nodeName` you use for the `nodeadm` configuration when you connect hybrid nodes to your cluster. For more information, see the [Hybrid nodes `nodeadm` reference](hybrid-nodes-nodeadm.md). By default, the CloudFormation template uses `${aws:PrincipalTag/x509Subject/CN}` as the `CERT_ATTRIBUTE`, which corresponds to the CN field of your per-machine certificates. You can alternatively pass `${aws:PrincipalTag/x509SAN/Name/CN}` as your `CERT_ATTRIBUTE`.

   1. Replace `CA_CERT_BODY` with the certificate body of your CA without line breaks. The `CA_CERT_BODY` must be in Privacy Enhanced Mail (PEM) format. If you have a CA certificate in PEM format, remove the line breaks and BEGIN CERTIFICATE and END CERTIFICATE lines before placing the CA certificate body in your `cfn-iamra-parameters.json` file.

      ```
      {
        "Parameters": {
          "RoleName": "ROLE_NAME",
          "CertAttributeTrustPolicy": "CERT_ATTRIBUTE",
          "CABundleCert": "CA_CERT_BODY"
        }
      }
      ```

1. Deploy the CloudFormation template. Replace `STACK_NAME` with your name for the CloudFormation stack.

   ```
   aws cloudformation deploy \
       --stack-name STACK_NAME \
       --template-file hybrid-ira-cfn.yaml \
       --parameter-overrides file://cfn-iamra-parameters.json \
       --capabilities CAPABILITY_NAMED_IAM
   ```
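Stripping the PEM framing by hand, as the `CA_CERT_BODY` step above describes, is easy to get wrong (a stray line break, or a certificate chain pasted where a single CA certificate belongs). The following added script, which is not part of the EKS user guide or the eks-hybrid project, performs the same transformation and validates the result before writing `cfn-iamra-parameters.json`; the script name and the constructed stand-in certificate are assumptions.

```python
"""Build cfn-iamra-parameters.json from a PEM-encoded CA certificate.

Added example, not part of the EKS user guide or the eks-hybrid project. The
CABundleCert parameter on this page wants the base64 body of the CA certificate
with the BEGIN/END CERTIFICATE lines and all line breaks removed. This strips
the framing programmatically and checks that the result still decodes to a DER
certificate before the file is written.
"""
import base64
import json
import re
import sys

# One PEM CERTIFICATE block; DOTALL lets the body span lines, CRLF is tolerated.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)


def pem_to_cabundle_param(pem_text: str) -> str:
    """Return the single-line base64 body for the CABundleCert parameter.

    Raises ValueError if the input does not hold exactly one certificate (the
    trust anchor takes one CA certificate, not a chain) or if the body is not
    valid base64 DER (a certificate is a SEQUENCE, so the first byte is 0x30).
    """
    blocks = _PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(blocks)}")
    body = re.sub(r"\s+", "", blocks[0])
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE; not a certificate")
    return body


def build_parameters(role_name: str, cert_attribute: str, pem_text: str) -> dict:
    """Assemble the structure the `aws cloudformation deploy` step on this page reads."""
    return {"Parameters": {
        "RoleName": role_name,
        "CertAttributeTrustPolicy": cert_attribute,
        "CABundleCert": pem_to_cabundle_param(pem_text),
    }}


def _constructed_pem() -> str:
    """A constructed stand-in for a CA certificate: a DER SEQUENCE header around
    filler bytes, PEM-wrapped at 64 columns with CRLF line endings. It is not a
    real certificate; it exists only so the example runs offline."""
    der = b"\x30\x82\x00\x40" + bytes(range(64))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines)
            + "\r\n-----END CERTIFICATE-----\r\n")


if __name__ == "__main__":
    # Usage: python3 make_iamra_params.py ca.pem [ROLE_NAME] [CERT_ATTRIBUTE]
    # Without arguments the constructed stand-in certificate is used.
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else _constructed_pem()
    role = sys.argv[2] if len(sys.argv) > 2 else "AmazonEKSHybridNodesRole"
    attr = sys.argv[3] if len(sys.argv) > 3 else "${aws:PrincipalTag/x509Subject/CN}"
    with open("cfn-iamra-parameters.json", "w") as fh:
        json.dump(build_parameters(role, attr, pem), fh, indent=2)
    print("wrote cfn-iamra-parameters.json")
```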

### Amazon CLI
<a name="hybrid-nodes-creds-awscli"></a>

Install and configure the Amazon CLI, if you haven’t already. See [Installing or updating to the latest version of the Amazon CLI](https://docs.amazonaws.cn/cli/latest/userguide/getting-started-install.html).

 **Create EKS Describe Cluster Policy** 

1. Create a file named `eks-describe-cluster-policy.json` with the following contents:

   ```
   {
       "Version":"2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "eks:DescribeCluster"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

1. Create the policy with the following command:

   ```
   aws iam create-policy \
       --policy-name EKSDescribeClusterPolicy \
       --policy-document file://eks-describe-cluster-policy.json
   ```

 **Steps for Amazon SSM hybrid activations** 

1. Create a file named `eks-hybrid-ssm-policy.json` with the following contents. The policy grants permission for two actions `ssm:DescribeInstanceInformation` and `ssm:DeregisterManagedInstance`. The policy restricts the `ssm:DeregisterManagedInstance` permission to Amazon SSM managed instances associated with your Amazon SSM hybrid activation based on the resource tag you specify in your trust policy.

   1. Replace `AWS_REGION` with the Amazon Region for your Amazon SSM hybrid activation.

   1. Replace `AWS_ACCOUNT_ID` with your Amazon account ID.

   1. Replace `TAG_KEY` with the Amazon SSM resource tag key you used when creating your Amazon SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the `ssm:DeregisterManagedInstance` to only allow the Hybrid Nodes IAM role to deregister the Amazon SSM managed instances that are associated with your Amazon SSM hybrid activation. In the CloudFormation template, `TAG_KEY` defaults to `EKSClusterARN`.

   1. Replace `TAG_VALUE` with the Amazon SSM resource tag value you used when creating your Amazon SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the `ssm:DeregisterManagedInstance` to only allow the Hybrid Nodes IAM role to deregister the Amazon SSM managed instances that are associated with your Amazon SSM hybrid activation. If you are using the default `TAG_KEY` of `EKSClusterARN`, then pass your EKS cluster ARN as the `TAG_VALUE`. EKS cluster ARNs have the format `arn:aws-cn:eks:AWS_REGION:AWS_ACCOUNT_ID:cluster/CLUSTER_NAME`.

      ```
      {
          "Version":"2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "ssm:DescribeInstanceInformation",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "ssm:DeregisterManagedInstance",
                  "Resource": "arn:aws-cn:ssm:AWS_REGION:AWS_ACCOUNT_ID:managed-instance/*",
                  "Condition": {
                      "StringEquals": {
                          "ssm:resourceTag/TAG_KEY": "TAG_VALUE"
                      }
                  }
              }
          ]
      }
      ```

1. Create the policy with the following command.

   ```
   aws iam create-policy \
       --policy-name EKSHybridSSMPolicy \
       --policy-document file://eks-hybrid-ssm-policy.json
   ```

1. Create a file named `eks-hybrid-ssm-trust.json`. Replace `AWS_REGION` with the Amazon Region of your Amazon SSM hybrid activation and `AWS_ACCOUNT_ID` with your Amazon account ID.

   ```
   {
      "Version":"2012-10-17",
      "Statement":[
         {
            "Sid":"",
            "Effect":"Allow",
            "Principal":{
               "Service":"ssm.amazonaws.com"
            },
            "Action":"sts:AssumeRole",
            "Condition":{
               "StringEquals":{
                  "aws:SourceAccount":"AWS_ACCOUNT_ID"
               },
               "ArnEquals":{
                  "aws:SourceArn":"arn:aws-cn:ssm:AWS_REGION:AWS_ACCOUNT_ID:*"
               }
            }
         }
      ]
   }
   ```

1. Create the role with the following command.

   ```
   aws iam create-role \
       --role-name AmazonEKSHybridNodesRole \
       --assume-role-policy-document file://eks-hybrid-ssm-trust.json
   ```

1. Attach the `EKSDescribeClusterPolicy` and the `EKSHybridSSMPolicy` you created in the previous steps. Replace `AWS_ACCOUNT_ID` with your Amazon account ID.

   ```
   aws iam attach-role-policy \
       --role-name AmazonEKSHybridNodesRole \
       --policy-arn arn:aws-cn:iam::AWS_ACCOUNT_ID:policy/EKSDescribeClusterPolicy
   ```

   ```
   aws iam attach-role-policy \
       --role-name AmazonEKSHybridNodesRole \
       --policy-arn arn:aws-cn:iam::AWS_ACCOUNT_ID:policy/EKSHybridSSMPolicy
   ```

1. Attach the `AmazonEC2ContainerRegistryPullOnly` and `AmazonSSMManagedInstanceCore` Amazon managed policies.

   ```
   aws iam attach-role-policy \
       --role-name AmazonEKSHybridNodesRole \
       --policy-arn arn:aws-cn:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly
   ```

   ```
   aws iam attach-role-policy \
       --role-name AmazonEKSHybridNodesRole \
       --policy-arn arn:aws-cn:iam::aws:policy/AmazonSSMManagedInstanceCore
   ```

 **Steps for Amazon IAM Roles Anywhere** 

To use Amazon IAM Roles Anywhere, you must set up your Amazon IAM Roles Anywhere trust anchor before creating the Hybrid Nodes IAM Role. See [Setup Amazon IAM Roles Anywhere](#hybrid-nodes-iam-roles-anywhere) for instructions.

1. Create a file named `eks-hybrid-iamra-trust.json`. Replace `TRUST_ANCHOR_ARN` with the ARN of the trust anchor you created in the [Setup Amazon IAM Roles Anywhere](#hybrid-nodes-iam-roles-anywhere) steps. The condition in this trust policy restricts the ability of Amazon IAM Roles Anywhere to assume the Hybrid Nodes IAM role and exchange temporary IAM credentials to the case where the role session name matches the CN in the X.509 certificate installed on your hybrid nodes. You can alternatively use other certificate attributes to uniquely identify your node. The certificate attribute that you use in the trust policy must correspond to the `nodeName` you set in your `nodeadm` configuration. For more information, see the [Hybrid nodes `nodeadm` reference](hybrid-nodes-nodeadm.md).

   ```
   {
       "Version":"2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "rolesanywhere.amazonaws.com"
               },
               "Action": [
                   "sts:TagSession",
                   "sts:SetSourceIdentity"
               ],
               "Condition": {
                   "StringEquals": {
                       "aws:PrincipalTag/x509Subject/CN": "${aws:PrincipalTag/x509Subject/CN}"
                   },
                   "ArnEquals": {
                       "aws:SourceArn": "TRUST_ANCHOR_ARN"
                   }
               }
           },
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "rolesanywhere.amazonaws.com"
               },
               "Action": "sts:AssumeRole",
               "Condition": {
                   "StringEquals": {
                       "sts:RoleSessionName": "${aws:PrincipalTag/x509Subject/CN}",
                       "aws:PrincipalTag/x509Subject/CN": "${aws:PrincipalTag/x509Subject/CN}"
                   },
                   "ArnEquals": {
                       "aws:SourceArn": "TRUST_ANCHOR_ARN"
                   }
               }
           }
       ]
   }
   ```

1. Create the role with the following command.

   ```
   aws iam create-role \
       --role-name AmazonEKSHybridNodesRole \
       --assume-role-policy-document file://eks-hybrid-iamra-trust.json
   ```

1. Attach the `EKSDescribeClusterPolicy` you created in the previous steps. Replace `AWS_ACCOUNT_ID` with your Amazon account ID.

   ```
   aws iam attach-role-policy \
       --role-name AmazonEKSHybridNodesRole \
       --policy-arn arn:aws-cn:iam::AWS_ACCOUNT_ID:policy/EKSDescribeClusterPolicy
   ```

1. Attach the `AmazonEC2ContainerRegistryPullOnly` Amazon managed policy.

   ```
   aws iam attach-role-policy \
       --role-name AmazonEKSHybridNodesRole \
       --policy-arn arn:aws-cn:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly
   ```
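Before running `aws iam create-policy` or `aws iam create-role` with the documents in this section, it is worth checking that every placeholder was replaced and that the `ssm:DeregisterManagedInstance` grant is still scoped to the hybrid activation's tag, as recommended under Setup Amazon SSM hybrid activations. The following added script is not part of the EKS user guide or the eks-hybrid project; its sample policies are constructed, and the expected `aws-cn` partition is an assumption matching the ARNs on this page.

```python
"""Pre-flight checks for the IAM policy and trust documents in this section.

Added example, not part of the EKS user guide or the eks-hybrid project. It
catches the two mistakes that are easy to make when the JSON on this page is
edited by hand: placeholder tokens left unreplaced (AWS_REGION, TAG_VALUE, ...)
and an Allow for ssm:DeregisterManagedInstance that is not scoped to the hybrid
activation's resource tag, which this page recommends.
"""
import json
import sys

# Placeholder tokens used in the policy and trust documents on this page.
PLACEHOLDERS = ("AWS_REGION", "AWS_ACCOUNT_ID", "TAG_KEY", "TAG_VALUE",
                "CLUSTER_NAME", "TRUST_ANCHOR_ARN")


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_unreplaced_placeholders(policy: dict) -> list[str]:
    """Return the placeholder tokens still present anywhere in the document."""
    text = json.dumps(policy)
    return [p for p in PLACEHOLDERS if p in text]


def check_deregister_scoped(policy: dict, expected_partition: str = "aws-cn") -> list[str]:
    """One finding per Allow statement that grants ssm:DeregisterManagedInstance
    without an ssm:resourceTag/<key> condition, plus one per managed-instance ARN
    outside expected_partition (an ARN in the wrong partition matches nothing, so
    `nodeadm uninstall` is denied instead of scoped)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"ssm:deregistermanagedinstance", "ssm:*", "*"}:
            continue
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not any(k.startswith("ssm:resourcetag/") for k in cond_keys):
            findings.append(f"statement {i}: ssm:DeregisterManagedInstance has no "
                            "ssm:resourceTag condition")
        for res in _as_list(stmt.get("Resource")):
            parts = res.split(":")
            if res != "*" and (len(parts) < 2 or parts[1] != expected_partition):
                findings.append(f"statement {i}: resource {res!r} is not in the "
                                f"{expected_partition!r} partition")
    return findings


def lint_policy(policy: dict, expected_partition: str = "aws-cn") -> list[str]:
    """All findings for one document; an empty list means it is ready to create."""
    findings = [f"placeholder {p} was not replaced"
                for p in find_unreplaced_placeholders(policy)]
    return findings + check_deregister_scoped(policy, expected_partition)


# Constructed samples (not from the page): the deregister policy with the
# placeholders forgotten and the condition dropped, and a correctly filled one.
SAMPLE_BAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:DescribeInstanceInformation", "Resource": "*"},
        {"Effect": "Allow", "Action": "ssm:DeregisterManagedInstance",
         "Resource": "arn:aws-cn:ssm:AWS_REGION:AWS_ACCOUNT_ID:managed-instance/*"},
    ],
}
SAMPLE_GOOD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:DescribeInstanceInformation", "Resource": "*"},
        {"Effect": "Allow", "Action": "ssm:DeregisterManagedInstance",
         "Resource": "arn:aws-cn:ssm:cn-north-1:123456789012:managed-instance/*",
         "Condition": {"StringEquals": {
             "ssm:resourceTag/EKSClusterARN":
                 "arn:aws-cn:eks:cn-north-1:123456789012:cluster/my-cluster"}}},
    ],
}

if __name__ == "__main__":
    # Usage: python3 lint_hybrid_policy.py eks-hybrid-ssm-policy.json eks-hybrid-ssm-trust.json
    # Without arguments the two constructed samples are checked instead.
    docs = [(p, json.load(open(p))) for p in sys.argv[1:]] or \
           [("SAMPLE_BAD", SAMPLE_BAD), ("SAMPLE_GOOD", SAMPLE_GOOD)]
    for name, doc in docs:
        for finding in lint_policy(doc) or ["ok"]:
            print(f"{name}: {finding}")
```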

### Amazon Web Services Management Console
<a name="hybrid-nodes-creds-console"></a>

 **Create EKS Describe Cluster Policy** 

1. Open the [Amazon IAM console](https://console.amazonaws.cn/iam/home) 

1. In the left navigation pane, choose **Policies**.

1. On the **Policies** page, choose **Create policy**.

1. On the **Specify permissions** page, in the **Select a service** panel, choose **EKS**.

   1. Filter actions for **DescribeCluster** and select the **DescribeCluster** Read action.

   1. Choose **Next**.

1. On the **Review and create** page

   1. Enter a **Policy name** for your policy such as `EKSDescribeClusterPolicy`.

   1. Choose **Create policy**.

 **Steps for Amazon SSM hybrid activations** 

1. Open the [Amazon IAM console](https://console.amazonaws.cn/iam/home) 

1. In the left navigation pane, choose **Policies**.

1. On the **Policies** page, choose **Create policy**.

1. On the **Specify permissions** page, in the **Policy editor** top right navigation, choose **JSON**. Paste the following snippet. Replace `AWS_REGION` with the Amazon Region of your Amazon SSM hybrid activation and replace `AWS_ACCOUNT_ID` with your Amazon account ID. Replace `TAG_KEY` and `TAG_VALUE` with the Amazon SSM resource tag key and value you used when creating your Amazon SSM hybrid activation.

   ```
   {
       "Version":"2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": "ssm:DescribeInstanceInformation",
               "Resource": "*"
           },
           {
               "Effect": "Allow",
               "Action": "ssm:DeregisterManagedInstance",
               "Resource": "arn:aws-cn:ssm:AWS_REGION:AWS_ACCOUNT_ID:managed-instance/*",
               "Condition": {
                   "StringEquals": {
                       "ssm:resourceTag/TAG_KEY": "TAG_VALUE"
                   }
               }
           }
       ]
   }
   ```

   1. Choose **Next**.

1. On the **Review and create** page, do the following:

   1. Enter a **Policy name** for your policy such as `EKSHybridSSMPolicy`.

   1. Choose **Create policy**.

1. In the left navigation pane, choose **Roles**.

1. On the **Roles** page, choose **Create role**.

1. On the **Select trusted entity** page, do the following:

   1. In the **Trusted entity type** section, choose **Custom trust policy**. Paste the following into the **Custom trust policy** editor. Replace `AWS_REGION` with the Amazon Region of your Amazon SSM hybrid activation and `AWS_ACCOUNT_ID` with your Amazon account ID.

      ```
      {
         "Version":"2012-10-17",
         "Statement":[
            {
               "Sid":"",
               "Effect":"Allow",
               "Principal":{
                  "Service":"ssm.amazonaws.com"
               },
               "Action":"sts:AssumeRole",
               "Condition":{
                  "StringEquals":{
                     "aws:SourceAccount":"AWS_ACCOUNT_ID"
                  },
                  "ArnEquals":{
                     "aws:SourceArn":"arn:aws-cn:ssm:AWS_REGION:AWS_ACCOUNT_ID:*"
                  }
               }
            }
         ]
      }
      ```

   1. Choose **Next**.

1. On the **Add permissions** page, attach a custom policy or do the following:

   1. In the **Filter policies** box, enter `EKSDescribeClusterPolicy`, or the name of the policy you created above. Select the check box to the left of your policy name in the search results.

   1. In the **Filter policies** box, enter `EKSHybridSSMPolicy`, or the name of the policy you created above. Select the check box to the left of your policy name in the search results.

   1. In the **Filter policies** box, enter `AmazonEC2ContainerRegistryPullOnly`. Select the check box to the left of `AmazonEC2ContainerRegistryPullOnly` in the search results.

   1. In the **Filter policies** box, enter `AmazonSSMManagedInstanceCore`. Select the check box to the left of `AmazonSSMManagedInstanceCore` in the search results.

   1. Choose **Next**.

1. On the **Name, review, and create** page, do the following:

   1. For **Role name**, enter a unique name for your role, such as `AmazonEKSHybridNodesRole`.

   1. For **Description**, replace the current text with descriptive text such as `Amazon EKS - Hybrid Nodes role`.

   1. Choose **Create role**.

 **Steps for Amazon IAM Roles Anywhere** 

To use Amazon IAM Roles Anywhere, you must set up your Amazon IAM Roles Anywhere trust anchor before creating the Hybrid Nodes IAM Role. See [Setup Amazon IAM Roles Anywhere](#hybrid-nodes-iam-roles-anywhere) for instructions.

1. Open the [Amazon IAM console](https://console.amazonaws.cn/iam/home) 

1. In the left navigation pane, choose **Roles**.

1. On the **Roles** page, choose **Create role**.

1. On the **Select trusted entity** page, do the following:

   1. In the **Trusted entity type** section, choose **Custom trust policy**. Paste the following into the **Custom trust policy** editor. Replace `TRUST_ANCHOR_ARN` with the ARN of the trust anchor you created in the [Setup Amazon IAM Roles Anywhere](#hybrid-nodes-iam-roles-anywhere) steps. The condition in this trust policy restricts the ability of Amazon IAM Roles Anywhere to assume the Hybrid Nodes IAM role and exchange temporary IAM credentials to the case where the role session name matches the CN in the X.509 certificate installed on your hybrid nodes. You can alternatively use other certificate attributes to uniquely identify your node. The certificate attribute that you use in the trust policy must correspond to the `nodeName` you set in your `nodeadm` configuration. For more information, see the [Hybrid nodes `nodeadm` reference](hybrid-nodes-nodeadm.md).

      ```
      {
          "Version":"2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "Service": "rolesanywhere.amazonaws.com"
                  },
                  "Action": [
                      "sts:TagSession",
                      "sts:SetSourceIdentity"
                  ],
                  "Condition": {
                      "StringEquals": {
                          "aws:PrincipalTag/x509Subject/CN": "${aws:PrincipalTag/x509Subject/CN}"
                      },
                      "ArnEquals": {
                          "aws:SourceArn": "TRUST_ANCHOR_ARN"
                      }
                  }
              },
              {
                  "Effect": "Allow",
                  "Principal": {
                      "Service": "rolesanywhere.amazonaws.com"
                  },
                  "Action": "sts:AssumeRole",
                  "Condition": {
                      "StringEquals": {
                          "sts:RoleSessionName": "${aws:PrincipalTag/x509Subject/CN}",
                          "aws:PrincipalTag/x509Subject/CN": "${aws:PrincipalTag/x509Subject/CN}"
                      },
                      "ArnEquals": {
                          "aws:SourceArn": "TRUST_ANCHOR_ARN"
                      }
                  }
              }
          ]
      }
      ```

   1. Choose **Next**.

1. On the **Add permissions** page, attach a custom policy or do the following:

   1. In the **Filter policies** box, enter `EKSDescribeClusterPolicy`, or the name of the policy you created above. Select the check box to the left of your policy name in the search results.

   1. In the **Filter policies** box, enter `AmazonEC2ContainerRegistryPullOnly`. Select the check box to the left of `AmazonEC2ContainerRegistryPullOnly` in the search results.

   1. Choose **Next**.

1. On the **Name, review, and create** page, do the following:

   1. For **Role name**, enter a unique name for your role, such as `AmazonEKSHybridNodesRole`.

   1. For **Description**, replace the current text with descriptive text such as `Amazon EKS - Hybrid Nodes role`.

   1. Choose **Create role**.