Amazon EKS Pod execution IAM role
The Amazon EKS Pod execution role is required to run Pods on Amazon Fargate infrastructure.
When your cluster creates Pods on Amazon Fargate infrastructure, the components running on the Fargate infrastructure must make calls to Amazon APIs on your behalf. This is so that they can perform actions such as pulling container images from Amazon ECR or routing logs to other Amazon services. The Amazon EKS Pod execution role provides the IAM permissions to do this.
When you create a Fargate profile, you must specify a Pod execution role for the Amazon EKS components that run on the Fargate infrastructure using the profile. This role is added to the cluster's Kubernetes Role based access control (RBAC) for authorization. This allows the kubelet that's running on the Fargate infrastructure to register with your Amazon EKS cluster so that it can appear in your cluster as a node.
Note
The Fargate profile must have a different IAM role than Amazon EC2 node groups.
Important
The containers running in the Fargate Pod can't assume the IAM permissions associated with a Pod execution role. To give the containers in your Fargate Pod permissions to access other Amazon services, you must use IAM roles for service accounts.
Before you create a Fargate profile, you must create an IAM role with the AmazonEKSFargatePodExecutionRolePolicy.
Check for a correctly configured existing Pod execution role
You can use the following procedure to check and see if your account already has a correctly configured Amazon EKS Pod execution role. To avoid a confused deputy security problem, it's important that the role restricts access based on SourceArn. You can modify the execution role as needed to include support for Fargate profiles on other clusters.
To check for an Amazon EKS Pod execution role in the IAM console
1. Open the IAM console at https://console.amazonaws.cn/iam/.
2. In the left navigation pane, choose Roles.
3. On the Roles page, search the list of roles for AmazonEKSFargatePodExecutionRole. If the role doesn't exist, see Creating the Amazon EKS Pod execution role to create the role. If the role does exist, choose the role.
4. On the AmazonEKSFargatePodExecutionRole page, do the following:
   - Choose Permissions.
   - Ensure that the AmazonEKSFargatePodExecutionRolePolicy Amazon managed policy is attached to the role.
   - Choose Trust relationships.
   - Choose Edit trust policy.
5. On the Edit trust policy page, verify that the trust relationship contains the following policy and has a line for Fargate profiles on your cluster. If so, choose Cancel.
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Condition": {
           "ArnLike": {
             "aws:SourceArn": "arn:aws-cn:eks:region-code:111122223333:fargateprofile/my-cluster/*"
           }
         },
         "Principal": {
           "Service": "eks-fargate-pods.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }

   If the policy matches but doesn't have a line specifying the Fargate profiles on your cluster, you can add the following line at the top of the ArnLike object. Replace region-code with the Amazon Web Services Region that your cluster is in, 111122223333 with your account ID, and my-cluster with the name of your cluster.

   "aws:SourceArn": "arn:aws-cn:eks:region-code:111122223333:fargateprofile/my-cluster/*",

   If the policy doesn't match, copy the full previous policy into the form and choose Update policy. Replace region-code with the Amazon Web Services Region that your cluster is in. If you want to use the same role in all Amazon Web Services Regions in your account, replace region-code with *. Replace 111122223333 with your account ID and my-cluster with the name of your cluster. If you want to use the same role for all clusters in your account, replace my-cluster with *.
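As an added example that is not part of the AWS documentation, the following Python script performs the SourceArn check from the procedure above offline. It takes the trust policy document as the JSON that the IAM console shows on the Edit trust policy page (or that `aws iam get-role --role-name AmazonEKSFargatePodExecutionRole --query Role.AssumeRolePolicyDocument` returns), and reports a finding when a statement lets eks-fargate-pods.amazonaws.com assume the role without an aws:SourceArn condition, when the condition does not cover your Fargate profile ARN, or when it would also match a profile in a different account (the confused deputy case). The region cn-north-1, the account ID 111122223333, the cluster name my-cluster and both sample policies are constructed; `check_trust_policy` and `arn_like_matches` are names of this script, not an AWS API, and the ArnLike matcher is a simplified approximation of IAM's (six colon-separated components, case-sensitive, `*` and `?` wildcards).

```python
"""Offline check of an EKS Fargate Pod execution role trust policy for
aws:SourceArn scoping (confused-deputy protection). Example code only."""
import json
import re

FARGATE_SERVICE_PRINCIPAL = "eks-fargate-pods.amazonaws.com"


def _as_list(value):
    """IAM lets most policy fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def arn_like_matches(pattern: str, arn: str) -> bool:
    """Approximate IAM ArnLike: both sides must have six colon-separated
    components; each is compared case-sensitively with '*' (any run of
    characters) and '?' (one character) wildcards that never cross a colon."""
    pat_parts, arn_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(pat_parts) != 6 or len(arn_parts) != 6:
        return False
    for pat, part in zip(pat_parts, arn_parts):
        regex = re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, part) is None:
            return False
    return True


def _service_principals(stmt: dict) -> list:
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("Service"))
    return []


def fargate_assume_statements(policy: dict) -> list:
    """Allow statements that let the Fargate service principal (or anyone) call sts:AssumeRole."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        services = _service_principals(stmt)
        if FARGATE_SERVICE_PRINCIPAL in services or "*" in services:
            found.append(stmt)
    return found


def source_arn_patterns(stmt: dict) -> list:
    """Every aws:SourceArn pattern under ArnLike or ArnEquals (a value may be a JSON array)."""
    patterns = []
    for operator in ("ArnLike", "ArnEquals"):
        for key, value in stmt.get("Condition", {}).get(operator, {}).items():
            if key.lower() == "aws:sourcearn":
                patterns.extend(_as_list(value))
    return patterns


def check_trust_policy(policy: dict, profile_arn: str) -> dict:
    """Return {'ok': bool, 'findings': [...]} for one Fargate profile ARN of your cluster."""
    # Constructed probe: the same profile ARN with a different account ID.
    # A correctly scoped SourceArn condition must not match it.
    parts = profile_arn.split(":", 5)
    parts[4] = "000000000000"
    foreign_arn = ":".join(parts)

    statements = fargate_assume_statements(policy)
    if not statements:
        return {"ok": False, "findings": [f"no Allow statement lets {FARGATE_SERVICE_PRINCIPAL} assume the role"]}
    findings = []
    for i, stmt in enumerate(statements):
        patterns = source_arn_patterns(stmt)
        if not patterns:
            findings.append(f"statement {i}: no aws:SourceArn condition; any Fargate profile in any account can use this role")
            continue
        if not any(arn_like_matches(p, profile_arn) for p in patterns):
            findings.append(f"statement {i}: aws:SourceArn does not cover {profile_arn}")
        if any(arn_like_matches(p, foreign_arn) for p in patterns):
            findings.append(f"statement {i}: aws:SourceArn also matches another account ({foreign_arn})")
    return {"ok": not findings, "findings": findings}


# Constructed sample documents. WEAK omits the Condition block entirely;
# SCOPED is the page's policy with the placeholders filled in.
WEAK_TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "eks-fargate-pods.amazonaws.com"}, "Action": "sts:AssumeRole"}]}""")
SCOPED_TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws-cn:eks:cn-north-1:111122223333:fargateprofile/my-cluster/*"}},
  "Principal": {"Service": "eks-fargate-pods.amazonaws.com"}, "Action": "sts:AssumeRole"}]}""")
PROFILE_ARN = "arn:aws-cn:eks:cn-north-1:111122223333:fargateprofile/my-cluster/fp-prod"

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("scoped", SCOPED_TRUST_POLICY)):
        result = check_trust_policy(policy, PROFILE_ARN)
        print(name, "OK" if result["ok"] else "FAIL", *result["findings"], sep="\n  ")
```

To cover Fargate profiles on several clusters with one role, give aws:SourceArn a JSON array of ARN patterns rather than repeating the key inside the ArnLike object (a repeated key is not valid JSON); the checker accepts either a single string or an array. A pattern that wildcards the account component, such as replacing 111122223333 with *, is reported because the cross-account probe ARN matches it, which is exactly the over-broad trust the page's SourceArn advice is meant to prevent.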
Creating the Amazon EKS Pod execution role
If you don't already have the Amazon EKS Pod execution role for your cluster, you can use the Amazon Web Services Management Console or the Amazon CLI to create it.