Retrieve IAM information about an Amazon EKS add-on - Amazon EKS


Retrieve IAM information about an Amazon EKS add-on

Before you create an add-on, use the AWS CLI to determine:

  • If the add-on requires IAM permissions

  • The suggested IAM policy to use

Procedure

  1. Determine the name of the add-on you want to install, and the Kubernetes version of your cluster. For more information about add-ons, see Amazon EKS add-ons.

  2. Use the AWS CLI to determine if the add-on requires IAM permissions.

    aws eks describe-addon-versions \
        --addon-name <addon-name> \
        --kubernetes-version <kubernetes-version>

    For example:

    aws eks describe-addon-versions \
        --addon-name aws-ebs-csi-driver \
        --kubernetes-version 1.30

    Review the following sample output. Note that requiresIamPermissions is true, and note the default add-on version (the entry whose compatibility for your cluster version has defaultVersion set to true). You need to specify the add-on version when retrieving the recommended IAM policy.

    {
        "addons": [
            {
                "addonName": "aws-ebs-csi-driver",
                "type": "storage",
                "addonVersions": [
                    {
                        "addonVersion": "v1.31.0-eksbuild.1",
                        "architecture": [ "amd64", "arm64" ],
                        "compatibilities": [
                            {
                                "clusterVersion": "1.30",
                                "platformVersions": [ "*" ],
                                "defaultVersion": true
                            }
                        ],
                        "requiresConfiguration": false,
                        "requiresIamPermissions": true
                    },
                    [...]

  3. If the add-on requires IAM permissions, use the AWS CLI to retrieve a recommended IAM policy.

    aws eks describe-addon-configuration \
        --query podIdentityConfiguration \
        --addon-name <addon-name> \
        --addon-version <addon-version>

    For example:

    aws eks describe-addon-configuration \
        --query podIdentityConfiguration \
        --addon-name aws-ebs-csi-driver \
        --addon-version v1.31.0-eksbuild.1

    Review the following output. Note the recommendedManagedPolicies.

    [
        {
            "serviceAccount": "ebs-csi-controller-sa",
            "recommendedManagedPolicies": [
                "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
            ]
        }
    ]

  4. Create an IAM role and attach the recommended managed policy. Alternatively, review the managed policy and scope down the permissions as appropriate for your workload. For more information, see Create a Pod Identity association (AWS Console).
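The following Python script is an added example, not part of this guide or the AWS CLI. It automates steps 2 and 3: it selects the add-on version flagged as default for the cluster's Kubernetes version, checks requiresIamPermissions, and, only when that is true, retrieves the recommendedManagedPolicies per service account. Live use assumes a configured AWS CLI on PATH; the embedded sample data is constructed from the outputs shown above, and sample_fetch is a hypothetical offline stand-in.

```python
import json
import subprocess

# Constructed sample data, modelled on the CLI outputs shown above (not live output).
SAMPLE_VERSIONS = {"addons": [{"addonName": "aws-ebs-csi-driver", "type": "storage",
    "addonVersions": [
        {"addonVersion": "v1.31.0-eksbuild.1", "requiresIamPermissions": True,
         "compatibilities": [{"clusterVersion": "1.30", "defaultVersion": True}]},
        {"addonVersion": "v1.30.0-eksbuild.1", "requiresIamPermissions": True,
         "compatibilities": [{"clusterVersion": "1.30", "defaultVersion": False}]}]}]}
SAMPLE_CONFIG = [{"serviceAccount": "ebs-csi-controller-sa",
    "recommendedManagedPolicies": ["arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"]}]

def aws_cli_json(*args):
    """Run an AWS CLI command (must be installed and configured) and parse its JSON output."""
    proc = subprocess.run(["aws", *args, "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def default_addon_version(versions, kubernetes_version):
    """Return (addonVersion, requiresIamPermissions) for the version flagged default for this cluster version."""
    for addon in versions["addons"]:
        for ver in addon["addonVersions"]:
            for compat in ver["compatibilities"]:
                if compat["clusterVersion"] == kubernetes_version and compat.get("defaultVersion"):
                    return ver["addonVersion"], bool(ver.get("requiresIamPermissions"))
    raise LookupError(f"no default add-on version for Kubernetes {kubernetes_version}")

def recommended_policies(pod_identity_configuration):
    """Map each service account to its recommended managed policy ARNs (step 3 output)."""
    return {e["serviceAccount"]: list(e.get("recommendedManagedPolicies", []))
            for e in pod_identity_configuration}

def addon_iam_requirements(addon_name, kubernetes_version, fetch=aws_cli_json):
    """Steps 2 and 3 combined: default version plus, if IAM is required, policies per service account."""
    versions = fetch("eks", "describe-addon-versions",
                     "--addon-name", addon_name, "--kubernetes-version", kubernetes_version)
    version, needs_iam = default_addon_version(versions, kubernetes_version)
    if not needs_iam:
        return version, {}  # nothing to attach: the add-on needs no IAM role
    config = fetch("eks", "describe-addon-configuration", "--query", "podIdentityConfiguration",
                   "--addon-name", addon_name, "--addon-version", version)
    return version, recommended_policies(config)

def sample_fetch(*args):
    """Hypothetical offline stand-in for aws_cli_json that serves the constructed samples above."""
    return SAMPLE_VERSIONS if "describe-addon-versions" in args else SAMPLE_CONFIG

if __name__ == "__main__":
    # Drop fetch=sample_fetch to query the live API through the AWS CLI instead.
    version, policies = addon_iam_requirements("aws-ebs-csi-driver", "1.30", fetch=sample_fetch)
    print(version, json.dumps(policies, indent=2))
```

The policies returned are a starting point for step 4; compare them against what the add-on's service account actually calls before attaching them to the role.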

Pod Identity Support Reference

The following table indicates if certain Amazon EKS add-ons support EKS Pod Identity.

Add-on Name                              Pod Identity Support   Minimum Version Required
---------------------------------------  ---------------------  ------------------------
Amazon EBS CSI Driver                    Yes                    v1.26.0-eksbuild.1
Amazon VPC CNI                           Yes                    v1.15.5-eksbuild.1
Amazon EFS CSI Driver                    Yes                    v2.0.5-eksbuild.1
AWS Distro for OpenTelemetry             Yes                    v0.94.1-eksbuild.1
Mountpoint for Amazon S3 CSI Driver      No                     N/A
Amazon CloudWatch Observability agent    No                     N/A

This table was last updated on October 28, 2024.