Amazon EKS cluster IAM role
Kubernetes clusters managed by Amazon EKS make calls to other AWS services on your behalf to manage the resources that you use with the service. Before you can create Amazon EKS clusters, you must create an IAM role with the following IAM policies:
Prior to April 16, 2020, AmazonEKSServicePolicy eksServiceRole. With the AWSServiceRoleForAmazonEKS service-linked role, that policy is no longer required for clusters created on or after April 16, 2020.
Check for an existing cluster role
You can use the following procedure to check whether your account already has the Amazon EKS cluster role.
To check for the eksClusterRole in the IAM console
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation panel, choose Roles.
- Search the list of roles for eksClusterRole. If a role that includes eksClusterRole does not exist, then see Creating the Amazon EKS cluster role to create the role. If a role that includes eksClusterRole does exist, then select the role to view the attached policies.
- Choose Permissions.
- Ensure that the AmazonEKSClusterPolicy managed policy is attached to the role. If the policy is attached, your Amazon EKS cluster role is properly configured.
- Choose Trust Relationships, Edit Trust Relationship.
- Verify that the trust relationship contains the following policy. If the trust relationship matches the policy below, choose Cancel. If the trust relationship does not match, copy the policy into the Policy Document window and choose Update Trust Policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
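The two checks in the console procedure above (AmazonEKSClusterPolicy attached, trust relationship matching the documented policy) can also be run against the role's JSON. This is an added example, not AWS's code: the function name audit_cluster_role, the sample documents and the placeholder account ID 111122223333 are constructed for illustration, and it goes slightly beyond the console steps by reporting any extra trusted principal.

```python
import json
from urllib.parse import unquote

EXPECTED_SERVICE = "eks.amazonaws.com"      # principal from the page's trust policy
REQUIRED_POLICY = "AmazonEKSClusterPolicy"  # managed policy the page requires

def _as_list(value):
    """IAM allows a scalar or a list for Statement, Action and principal values."""
    return value if isinstance(value, list) else [value]

def audit_cluster_role(trust_policy, attached_policy_names):
    """Return findings; an empty list means the role matches the documented setup."""
    if isinstance(trust_policy, str):
        # The raw IAM API returns the document URL-encoded; the AWS CLI decodes it.
        trust_policy = json.loads(unquote(trust_policy))
    findings = []
    if REQUIRED_POLICY not in attached_policy_names:
        findings.append(f"managed policy {REQUIRED_POLICY} is not attached")
    eks_can_assume = False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                 # shorthand for any principal
            principal = {"AWS": "*"}
        actions = _as_list(stmt.get("Action", []))
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service" and value == EXPECTED_SERVICE:
                    eks_can_assume |= "sts:AssumeRole" in actions
                else:
                    findings.append(f"unexpected trusted principal {kind}:{value}")
    if not eks_can_assume:
        findings.append(f"{EXPECTED_SERVICE} is not allowed sts:AssumeRole")
    return findings

# Trust policy exactly as shown on the page.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "eks.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
# Constructed drift: an account principal (placeholder ID) added to the same statement.
DRIFTED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "eks.amazonaws.com", "AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(audit_cluster_role(GOOD_TRUST, ["AmazonEKSClusterPolicy"]))
    print(audit_cluster_role(DRIFTED_TRUST, []))
```

The inputs correspond to the AssumeRolePolicyDocument of the role and the names of its attached managed policies.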
Creating the Amazon EKS cluster role
You can use the AWS Management Console or AWS CloudFormation to create the cluster role. Select the tab with the name of the tool that you want to use to create the role.