Pod execution role - Amazon EKS

Pod execution role

The Amazon EKS pod execution role is required to run pods on AWS Fargate infrastructure.

When your cluster creates pods on AWS Fargate infrastructure, the components running on the Fargate infrastructure need to make calls to AWS APIs on your behalf to do things like pull container images from Amazon ECR or route logs to other AWS services. The Amazon EKS pod execution role provides the IAM permissions to do this.

When you create a Fargate profile, you must specify a pod execution role for the Amazon EKS components that run on the Fargate infrastructure using the profile. This role is added to the cluster's Kubernetes Role based access control (RBAC) for authorization, so that the kubelet that is running on the Fargate infrastructure can register with your Amazon EKS cluster. This is what allows Fargate infrastructure to appear in your cluster as nodes.

The containers running in the Fargate pod cannot assume the IAM permissions associated with the pod execution role. To give the containers in your Fargate pod permissions to access other AWS services, you must use IAM roles for service accounts.

Before you create a Fargate profile, you must create an IAM role with the following IAM policy:

Check for an existing pod execution role

You can use the following procedure to check and see if your account already has the Amazon EKS pod execution role.

To check for the AmazonEKSFargatePodExecutionRole in the IAM console

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation panel, choose Roles.

  3. Search the list of roles for AmazonEKSFargatePodExecutionRole. If the role does not exist, see Creating the Amazon EKS pod execution role to create the role. If the role does exist, select the role to view the attached policies.

  4. Choose Permissions.

  5. Ensure that the AmazonEKSFargatePodExecutionRolePolicy Amazon managed policy is attached to the role. If the policy is attached, then your Amazon EKS pod execution role is properly configured.

  6. Choose Trust Relationships, Edit Trust Relationship.

  7. Verify that the trust relationship contains the following policy. If the trust relationship matches the policy below, choose Cancel. If the trust relationship does not match, copy the policy into the Policy Document window and choose Update Trust Policy.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "eks-fargate-pods.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

Creating the Amazon EKS pod execution role

You can use the following procedure to create the Amazon EKS pod execution role if you do not already have one for your account.

To create an AWS Fargate pod execution role with the AWS Management Console

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Roles, then Create role.

  3. Choose EKS from the list of services, EKS - Fargate pod for your use case, and then Next: Permissions.

  4. Choose Next: Tags.

  5. (Optional) Add metadata to the role by attaching tags as key–value pairs. For more information about using tags in IAM, see Tagging IAM Entities in the IAM User Guide.

  6. Choose Next: Review.

  7. For Role name, enter a unique name for your role, such as AmazonEKSFargatePodExecutionRole, then choose Create role.