Amazon EKS node IAM role
The Amazon EKS node kubelet daemon makes calls to AWS APIs on your behalf. Nodes receive permissions for these API calls through an IAM instance profile and associated policies. Before you can launch nodes and register them into a cluster, you must create an IAM role for those nodes to use when they are launched. This requirement applies to nodes launched with the Amazon EKS optimized AMI provided by Amazon, or with any other node AMIs that you intend to use. Before you create nodes, you must create an IAM role with the following IAM policies:
Check for an existing node role
You can use the following procedure to check whether your account already has the Amazon EKS node role.
To check for the eksNodeRole in the IAM console
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation panel, choose Roles.
- Search the list of roles for eksNodeRole. If a role that contains eksNodeRole or NodeInstanceRole does not exist, then see Creating the Amazon EKS node IAM role to create the role. If a role that contains eksNodeRole or NodeInstanceRole does exist, then select the role to view the attached policies.
- Choose Permissions.
- Ensure that the AmazonEKSWorkerNodePolicy and AmazonEC2ContainerRegistryReadOnly managed policies are attached to the role. If the policies are attached, your Amazon EKS node role is properly configured.
  Note: If the AmazonEKS_CNI_Policy policy is attached to the role, we recommend removing it and attaching it to an IAM role that is mapped to the aws-node Kubernetes service account instead. For more information, see Configuring the VPC CNI plugin to use IAM roles for service accounts.
- Choose Trust Relationships, Edit Trust Relationship.
- Verify that the trust relationship contains the following policy. If the trust relationship matches the policy below, choose Cancel. If the trust relationship does not match, copy the policy into the Policy Document window and choose Update Trust Policy.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "ec2.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
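The same three checks (required managed policies attached, AmazonEKS_CNI_Policy not on the node role, trust policy limited to EC2 calling sts:AssumeRole) can be run against data pulled from the IAM API instead of by clicking through the console. This is an added example, not AWS code; it takes the list of attached policy ARNs and the trust policy JSON as plain inputs, uses the standard managed-policy ARNs, and the sample role data at the bottom is constructed.

```python
import json

# Standard AWS managed-policy ARNs for the policies named on this page.
REQUIRED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
}
CNI_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"

def _as_list(value):
    """IAM accepts a single string or a list in Action and Principal fields."""
    return value if isinstance(value, list) else [value]

def trust_policy_findings(trust_policy_json):
    """Flag Allow statements other than the page's (EC2 -> sts:AssumeRole); each widens who can assume the role."""
    doc = json.loads(trust_policy_json)
    findings, ec2_trusted = [], False
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant AssumeRole; nothing to flag
        principal = stmt.get("Principal", {})
        ec2_only = (isinstance(principal, dict) and set(principal) == {"Service"}
                    and _as_list(principal["Service"]) == ["ec2.amazonaws.com"]
                    and _as_list(stmt.get("Action", [])) == ["sts:AssumeRole"])
        if ec2_only:
            ec2_trusted = True
        else:
            findings.append("unexpected trust statement: " + json.dumps(stmt, sort_keys=True))
    if not ec2_trusted:
        findings.append("ec2.amazonaws.com is not trusted to call sts:AssumeRole")
    return findings

def node_role_findings(attached_policy_arns, trust_policy_json):
    """Managed-policy check (required present, CNI policy absent) plus the trust check."""
    attached = set(attached_policy_arns)
    findings = ["missing managed policy: " + arn for arn in sorted(REQUIRED_POLICY_ARNS - attached)]
    if CNI_POLICY_ARN in attached:
        findings.append("AmazonEKS_CNI_Policy is attached; move it to the aws-node service account role")
    return findings + trust_policy_findings(trust_policy_json)

# Constructed sample (not real account data): the ECR policy is missing, the CNI policy
# is attached, and a placeholder account root is trusted in addition to EC2.
SAMPLE_ATTACHED = ["arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy", CNI_POLICY_ARN]
SAMPLE_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"},
]})

if __name__ == "__main__":
    print("\n".join(node_role_findings(SAMPLE_ATTACHED, SAMPLE_TRUST)) or "node role OK")
```

With the AWS CLI, the two inputs correspond to the output of `aws iam list-attached-role-policies` and the AssumeRolePolicyDocument field of `aws iam get-role` for the node role.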
Creating the Amazon EKS node IAM role
You can create the node IAM role with the AWS Management Console or with AWS CloudFormation.