Retrieve IAM information about an Amazon EKS add-on
Before you create an add-on, use the Amazon CLI to determine:
- If the add-on requires IAM permissions
- The suggested IAM policy to use
Procedure
1. Determine the name of the add-on you want to install, and the Kubernetes version of your cluster. For more information about add-ons, see Amazon EKS add-ons.

2. Use the Amazon CLI to determine if the add-on requires IAM permissions.

   ```
   aws eks describe-addon-versions \
       --addon-name <addon-name> \
       --kubernetes-version <kubernetes-version>
   ```

   For example:

   ```
   aws eks describe-addon-versions \
       --addon-name aws-ebs-csi-driver \
       --kubernetes-version 1.30
   ```

   Review the following sample output. Note that `requiresIamPermissions` is `true`, and the default add-on version. You need to specify the add-on version when retrieving the recommended IAM policy.

   ```
   {
       "addons": [
           {
               "addonName": "aws-ebs-csi-driver",
               "type": "storage",
               "addonVersions": [
                   {
                       "addonVersion": "v1.31.0-eksbuild.1",
                       "architecture": [
                           "amd64",
                           "arm64"
                       ],
                       "compatibilities": [
                           {
                               "clusterVersion": "1.30",
                               "platformVersions": [
                                   "*"
                               ],
                               "defaultVersion": true
                           }
                       ],
                       "requiresConfiguration": false,
                       "requiresIamPermissions": true
                   },
   [...]
   ```

3. If the add-on requires IAM permissions, use the Amazon CLI to retrieve a recommended IAM policy.

   ```
   aws eks describe-addon-configuration \
       --query podIdentityConfiguration \
       --addon-name <addon-name> \
       --addon-version <addon-version>
   ```

   For example:

   ```
   aws eks describe-addon-configuration \
       --query podIdentityConfiguration \
       --addon-name aws-ebs-csi-driver \
       --addon-version v1.31.0-eksbuild.1
   ```

   Review the following output. Note the `recommendedManagedPolicies`.

   ```
   [
       {
           "serviceAccount": "ebs-csi-controller-sa",
           "recommendedManagedPolicies": [
               "arn:aws-cn:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
           ]
       }
   ]
   ```

4. Create an IAM role and attach the recommended Managed Policy. Alternatively, review the managed policy and scope down the permissions as appropriate. For more information see Create a Pod Identity association (Amazon Console).
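The following Python code is an added example, not part of the original guide. It chains steps 2 and 3: it picks the build flagged `defaultVersion` for the cluster version, checks `requiresIamPermissions`, and maps each service account to its recommended managed policies, which are the ARNs to review before attaching. The function names and the `v0.0.0-example.1` entry are constructed for illustration, and `fake_fetch` replays constructed responses so the block runs offline.

```python
import json
import subprocess

def aws_json(*args):
    """Run an Amazon CLI command (needs credentials) and parse its JSON output."""
    done = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(done.stdout)

def default_version(versions_doc, cluster_version):
    """Return (addonVersion, requiresIamPermissions) of the default build, or None."""
    for addon in versions_doc.get("addons", []):
        for build in addon.get("addonVersions", []):
            for compat in build.get("compatibilities", []):
                if (compat.get("clusterVersion") == cluster_version
                        and compat.get("defaultVersion")):
                    return build["addonVersion"], bool(build.get("requiresIamPermissions"))
    return None

def iam_plan(addon, cluster_version, fetch=aws_json):
    """Steps 2 and 3: return (version, {service account: [policy ARNs]})."""
    versions = fetch("eks", "describe-addon-versions",
                     "--addon-name", addon, "--kubernetes-version", cluster_version)
    found = default_version(versions, cluster_version)
    if found is None:
        raise LookupError(f"no default {addon} build for Kubernetes {cluster_version}")
    version, needs_iam = found
    if not needs_iam:
        return version, {}  # no IAM permissions required, so step 3 is skipped
    config = fetch("eks", "describe-addon-configuration", "--addon-name", addon,
                   "--addon-version", version, "--query", "podIdentityConfiguration")
    return version, {e["serviceAccount"]: e["recommendedManagedPolicies"]
                     for e in config or []}

# Constructed sample responses, shaped like the output shown in the procedure.
SAMPLE = {
    "describe-addon-versions": {"addons": [{"addonName": "aws-ebs-csi-driver", "addonVersions": [
        {"addonVersion": "v0.0.0-example.1", "requiresIamPermissions": True,  # placeholder
         "compatibilities": [{"clusterVersion": "1.30", "defaultVersion": False}]},
        {"addonVersion": "v1.31.0-eksbuild.1", "requiresIamPermissions": True,
         "compatibilities": [{"clusterVersion": "1.30", "defaultVersion": True}]}]}]},
    "describe-addon-configuration": [{"serviceAccount": "ebs-csi-controller-sa",
        "recommendedManagedPolicies": [
            "arn:aws-cn:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"]}],
}
fake_fetch = lambda *args: SAMPLE[args[1]]  # offline stand-in; args[1] is the subcommand

if __name__ == "__main__":
    print(iam_plan("aws-ebs-csi-driver", "1.30", fetch=fake_fetch))
```

Calling `iam_plan` without the `fetch` argument runs the same two Amazon CLI commands from the procedure against your account.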
Pod Identity Support Reference
The following table indicates if certain Amazon EKS add-ons support EKS Pod Identity.
| Add-on Name | Pod Identity Support | Minimum Version Required |
|---|---|---|
| | Yes | v1.26.0-eksbuild.1 |
| | Yes | v1.15.5-eksbuild.1 |
| | Yes | v2.0.5-eksbuild.1 |
| | Yes | v0.94.1-eksbuild.1 |
| | No | N/A |
| | Yes | v3.1.0-eksbuild.1 |
This table was last updated on October 28, 2024.