Check for an existing node role Creating the Amazon EKS node IAM role

Amazon EKS node IAM role

The Amazon EKS node kubelet daemon makes calls to AWS APIs on your behalf. Nodes receive permissions for these API calls through an IAM instance profile and associated policies. Before you can launch nodes and register them into a cluster, you must create an IAM role for those nodes to use when they are launched. This requirement applies to nodes launched with the Amazon EKS optimized AMI provided by Amazon, or with any other node AMIs that you intend to use.

Note

You can't use the same role that is used to create any clusters.

Before you create nodes, you must create an IAM role with the following IAM policies:

AmazonEKSWorkerNodePolicy
AmazonEC2ContainerRegistryReadOnly
Either the AmazonEKS_CNI_Policy managed policy (if you created your cluster with the IPv4 family) or an IPv6 policy that you create (if you created your cluster with the IPv6 family). Rather than attaching the policy to this role however, we recommend that you attach the policy to a separate role used specifically for the Amazon VPC CNI add-on. For more information about creating a separate role for the Amazon VPC CNI add-on, see Configuring the Amazon VPC CNI plugin for Kubernetes to use IAM roles for service accounts.

Note

The Amazon EC2 node groups must have a different IAM role than the Fargate profile. For more information, see Amazon EKS pod execution IAM role.

Check for an existing node role

You can use the following procedure to check and see if your account already has the Amazon EKS node role.

To check for the eksNodeRole in the IAM console

Open the IAM console at https://console.aws.amazon.com/iam/.
In the left navigation pane, choose Roles.
Search the list of roles for eksNodeRole, AmazonEKSNodeRole, or NodeInstanceRole. If a role with one of those names doesn't exist, then see Creating the Amazon EKS node IAM role to create the role. If a role that contains eksNodeRole, AmazonEKSNodeRole, or NodeInstanceRole does exist, then select the role to view the attached policies.
Choose Permissions.
Ensure that the AmazonEKSWorkerNodePolicy and AmazonEC2ContainerRegistryReadOnly managed policies are attached to the role. If the policies are attached, your Amazon EKS node role is properly configured.

Note
If the AmazonEKS_CNI_Policy policy is attached to the role, we recommend removing it and attaching it to an IAM role that is mapped to the aws-node Kubernetes service account instead. For more information, see Configuring the Amazon VPC CNI plugin for Kubernetes to use IAM roles for service accounts.
Choose Trust relationships, and then choose Edit trust policy.
Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose Cancel. If the trust relationship doesn't match, copy the policy into the Edit trust policy window and choose Update policy.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Creating the Amazon EKS node IAM role

You can create the node IAM role with the AWS Management Console or the AWS CLI. Select the tab with the name of the tool that you want to create the role with.

AWS Management Console

To create your Amazon EKS node role in the IAM console

Open the IAM console at https://console.aws.amazon.com/iam/.
In the left navigation pane, choose Roles.
On the Roles page, choose Create role.
On the Select trusted entity page, do the following:
1. In the Trusted entity type section, choose AWS service.
2. Under Use case, choose EC2.
3. Choose Next.
On the Add permissions page, do the following:
1. In the Filter policies box, enter AmazonEKSWorkerNodePolicy.
2. Select the check box to the left of AmazonEKSWorkerNodePolicy in the search results.
3. Choose Clear filters.
4. In the Filter policies box, enter AmazonEC2ContainerRegistryReadOnly.
5. Select the check box to the left of AmazonEC2ContainerRegistryReadOnly in the search results.
  
  Either the AmazonEKS_CNI_Policy managed policy, or an IPv6 policy that you create must also be attached to either this role or to a different role that's mapped to the aws-node Kubernetes service account. We recommend assigning the policy to the role associated to the Kubernetes service account instead of assigning it to this role. For more information, see Configuring the Amazon VPC CNI plugin for Kubernetes to use IAM roles for service accounts.
6. Choose Next.
On the Name, review, and create page, do the following:
1. For Role name, enter a unique name for your role, such as AmazonEKSNodeRole.
2. For Description, replace the current text with descriptive text such as Amazon EKS - Node role.
3. Under Add tags (Optional), add metadata to the role by attaching tags as key–value pairs. For more information about using tags in IAM, see Tagging IAM Entities in the IAM User Guide
4. Choose Create role.

AWS CLI

Run the following command to create the node-role-trust-relationship.json file.


cat >node-role-trust-relationship.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

Create the IAM role.


aws iam create-role \
  --role-name AmazonEKSNodeRole \
  --assume-role-policy-document file://"node-role-trust-relationship.json"

Attach two required IAM managed policies to the IAM role.


aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy \
  --role-name AmazonEKSNodeRole
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \
  --role-name AmazonEKSNodeRole

Attach one of the following IAM policies to the IAM role depending on which IP family you created your cluster with. The policy must be attached to this role or to a role associated to the Kubernetes aws-node service account that's used for the Amazon VPC CNI plugin for Kubernetes. We recommend assigning the policy to the role associated to the Kubernetes service account. To assign the policy to the role associated to the Kubernetes service account, see Configuring the Amazon VPC CNI plugin for Kubernetes to use IAM roles for service accounts.

IPv4


aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \
  --role-name AmazonEKSNodeRole

IPv6

Copy the following text and save it to a file named vpc-cni-ipv6-policy.json.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AssignIpv6Addresses",
                "ec2:DescribeInstances",
                "ec2:DescribeTags",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeInstanceTypes"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:network-interface/*"
            ]
        }
    ]
}

Create the IAM policy.


aws iam create-policy --policy-name AmazonEKS_CNI_IPv6_Policy --policy-document file://vpc-cni-ipv6-policy.json

Attach the IAM policy to the IAM role. Replace 111122223333 with your account ID.


aws iam attach-role-policy \
  --policy-arn arn:aws:iam::111122223333:policy/AmazonEKS_CNI_IPv6_Policy \
  --role-name AmazonEKSNodeRole

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Cluster IAM role

Pod execution IAM role