Deploy an Amazon EKS cluster from AWS Cloud9 using an EC2 instance profile

Created by Sagar Panigrahi (AWS)

Summary

Notice: AWS Cloud9 is no longer available to new customers. Existing customers of AWS Cloud9 can continue to use the service as normal.

This pattern describes how to use AWS Cloud9 and AWS CloudFormation to create an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that can be operated without enabling programmatic access for users in your Amazon Web Services (AWS) account.

AWS Cloud9 is a cloud-based integrated development environment (IDE) that helps you write, run, and debug your code by using a browser. AWS Cloud9 is used as a control center that provisions an Amazon EKS cluster by using Amazon Elastic Compute Cloud (Amazon EC2) instance profiles and AWS CloudFormation templates. 

You can use this pattern if you don’t want to create AWS Identity and Access Management (IAM) users and want to use IAM roles instead. Role-based access control (RBAC) regulates access to resources based on the roles of individual users. This pattern demonstrates how to update RBAC within an Amazon EKS cluster to allow access to a specific IAM role.

The pattern’s setup also helps your DevOps team use AWS Cloud9 features to maintain and develop infrastructure as code (IaC) resources for creating Amazon EKS infrastructure. 

Prerequisites and limitations

Prerequisites 

  • An active AWS account.

  • Permissions to create IAM roles and policies for the account. The IAM role for the user must include the AWSCloud9Administrator policy. The AWSServiceRoleForAmazonEKS and eksNodeRoles roles must also be created because they are required to create an Amazon EKS cluster.

  • Knowledge of Kubernetes concepts.

Limitations 

  • This pattern describes how to create a basic Amazon EKS cluster. For production clusters, you must update the AWS CloudFormation template. 

  • The pattern doesn’t deploy additional Kubernetes components (for example, Fluentd, ingress controllers, or storage controllers). 

Architecture

AWS Cloud architecture diagram showing VPC, EKS control and data planes, and related services.

Technology stack

  • AWS Cloud9

  • AWS CloudFormation

  • Amazon EKS

  • IAM

Automation and scale

You can expand this pattern and incorporate it into continuous integration and continuous deployment (CI/CD) pipelines to automate the complete provisioning of Amazon EKS.

Tools

  • AWS CloudFormation – AWS CloudFormation helps you model and set up your AWS resources so that you can spend less time managing those resources and more time focusing on your applications.

  • AWS Cloud9 – AWS Cloud9 offers a rich code-editing experience with support for several programming languages and runtime debuggers, and a built-in terminal.

  • AWS CLI – AWS Command Line Interface (AWS CLI) is an open-source tool that enables you to interact with AWS services using commands in your command-line shell.

  • kubectl – kubectl is a command line utility that you can use to interact with an Amazon EKS cluster.

Epics

Task: Create the IAM policy.

Description: Sign in to the AWS Management Console, open the IAM console, choose Policies, and then choose Create policy. Choose the JSON tab and paste the contents from the policy-role-eks-instance-profile-for-cloud9.json file (attached).

Resolve any security warnings, errors, or general warnings generated during the policy validation, and then choose Review policy. Enter a Name for the policy. We recommend that you use eks-instance-profile-for-cloud9 for the policy name.

Review the policy Summary to see the permissions that are granted by your policy. Then choose Create policy.

Skills required: Cloud administrator

Task: Create an IAM role using the policy.

Description: On the IAM console, choose Roles and then choose Create role. Choose AWS Service and then choose EC2 from the list.

Choose Next: Permissions and search for the IAM policy that you created earlier. Choose the appropriate tags for your requirements.

In the Review section, enter a name for the role. We recommend that you use role-eks-instance-profile-for-cloud9 for the role name. Then choose Create role.

Skills required: Cloud administrator
Task: Create the IAM policy.

Description: On the IAM console, choose Policies and then choose Create policy. Choose the JSON tab and paste the contents from the policy-for-eks-rbac.json file (attached).

Resolve any security warnings, errors, or general warnings generated during the policy validation, and then choose Review policy. Enter a Name for the policy. We recommend that you use policy-for-eks-rbac for the policy name. Review the policy Summary to see the permissions that are granted by your policy. Then choose Create policy.

Skills required: Cloud administrator

Task: Create an IAM role using the policy.

Description: On the IAM console, choose Roles and then choose Create role. Choose AWS Service and then choose EC2 from the list. Choose Next: Permissions and search for the IAM policy that you created earlier. Choose the appropriate tags for your requirements.

In the Review section, enter a name for the role. We recommend that you use role-eks-admin-for-rbac for the role name. Then choose Create role.

Skills required: Cloud administrator
Task: Create the AWS Cloud9 environment.

Description: Open the AWS Cloud9 console and choose Create environment. On the Name environment page, enter a name for your environment. We recommend that you use eks-management-env for the environment name. Configure the remaining settings according to your requirements and then choose Next step.

On the Review page, choose Create environment. Wait while AWS Cloud9 creates your environment. This can take several minutes.

For more information about the available configuration options, see Creating an EC2 environment in the AWS Cloud9 documentation.

Skills required: Cloud administrator

Task: Remove the temporary IAM credentials for AWS Cloud9.

Description: After your AWS Cloud9 environment is provisioned, choose the Settings (gear) icon. Under Preferences, choose AWS settings and then choose Credentials.

Turn off AWS managed temporary credentials and close the tab.

Skills required: Cloud administrator

Task: Attach the EC2 instance profile to the underlying EC2 instance.

Description: Open the Amazon EC2 console and choose the EC2 instance that matches your environment in AWS Cloud9. If you used the name that we recommended, the EC2 instance is called aws-cloud9-eks-management-env.

Choose the EC2 instance, choose Actions, and then choose Instance settings. Choose Attach/replace IAM role. Search for role-eks-instance-profile-for-cloud9 or the name of the IAM role that you created earlier, and then choose Apply.

Skills required: Cloud administrator
Task: Create the Amazon EKS cluster.

Description: Download and open the eks-cfn.yaml (attached) template for AWS CloudFormation. Edit the template according to your requirements.

Open the AWS Cloud9 environment and choose New file. Paste the AWS CloudFormation template that you edited earlier into the file. We recommend that you use eks-cfn.yaml for the template name.

In the AWS Cloud9 terminal, run the following command to create the Amazon EKS cluster:

    aws cloudformation create-stack --stack-name eks-cluster --template-body file://eks-cfn.yaml --region <your_AWS_Region>

If the AWS CloudFormation call is successful, you receive the AWS CloudFormation stack’s Amazon Resource Name (ARN) in your output. The stack creation can take 10 to 20 minutes.

Skills required: Cloud administrator

Task: Verify the Amazon EKS cluster’s status.

Description: On the AWS CloudFormation console, open the Stacks page and then choose the stack name.

The stack is created when the stack status code shows CREATE_COMPLETE. For more information, see Viewing AWS CloudFormation stack data and resources in the AWS CloudFormation documentation.

Skills required: Cloud administrator
Task: Install kubectl in the AWS Cloud9 environment.

Description: Install kubectl in your AWS Cloud9 environment by following the instructions from Installing kubectl in the Amazon EKS documentation.

Skills required: Cloud administrator

Task: Update the new Amazon EKS configuration in AWS Cloud9.

Description: Run the following command in the AWS Cloud9 terminal to update the kubeconfig from the Amazon EKS cluster to the AWS Cloud9 environment:

    aws eks update-kubeconfig --name EKS-DEV2 --region <your_AWS_Region>

Important

EKS-DEV2 is the name of the Amazon EKS cluster in the AWS CloudFormation template that you used to create the cluster.

Run the kubectl get all -A command to view all Kubernetes resources.

Skills required: Cloud administrator

Task: Add the administrator IAM role to the Kubernetes RBAC.

Description: Run the following command in your AWS Cloud9 terminal to open the RBAC configuration map for Amazon EKS in edit mode:

    kubectl edit cm/aws-auth -n kube-system

Append the following lines under the mapRoles section:

    - groups:
      - system:masters
      rolearn: <ARN_of_IAM_role_from_second_epic>
      username: eksadmin

Lint the YAML-formatted file to avoid syntax errors. Save the file using vi commands and then exit the file.

Note

By adding this section, you inform the Kubernetes RBAC that <ARN_of_IAM_role_from_second_epic> is to receive full administrator access on the Amazon EKS cluster. This means that the identified IAM role can carry out administrative actions on the Kubernetes cluster. The section that already exists under mapRoles was added by AWS while the Amazon EKS cluster was provisioned.

Skills required: Cloud administrator
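The mapRoles edit is where a mistake is cheapest to catch before saving: aws-auth does not accept a role ARN that includes a path, and deleting the entry that AWS created for the worker nodes cuts them off from the cluster. The following Python example is added here and is not part of the AWS pattern or its attachments; it assumes the existing mapRoles text was fetched with `kubectl get cm aws-auth -n kube-system -o jsonpath='{.data.mapRoles}'`, and the account ID and role names are constructed samples.

```python
# Added example (not part of the AWS pattern): check and extend the mapRoles text
# of aws-auth before saving it. Account ID and role names are constructed samples.
import re

# aws-auth accepts role ARNs without a path, so no "/" may follow "role/".
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@-]+$")

# Constructed sample: the entry EKS writes for the worker nodes during provisioning.
EXISTING_MAP_ROLES = """\
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::111122223333:role/eksNodeRole
  username: system:node:{{EC2PrivateDNSName}}
"""

def parse_map_roles(text):
    """Minimal parser for the flat list-of-mappings shape that aws-auth uses."""
    entries, key = [], None
    for line in filter(str.strip, text.splitlines()):
        if line.startswith("- "):                 # new entry; rest of line is its first key
            entries.append({})
            line = "  " + line[2:]
        body = line[2:]
        if body.startswith("- "):                 # list item under the current key
            entries[-1].setdefault(key, []).append(body[2:].strip())
        else:
            key, _, value = (s.strip() for s in body.partition(":"))
            entries[-1][key] = value or []
    return entries

def render_map_roles(entries):
    lines = []
    for e in entries:
        lines.append("- groups:")
        lines += [f"  - {g}" for g in e.get("groups", [])]
        lines += [f"  rolearn: {e['rolearn']}", f"  username: {e['username']}"]
    return "\n".join(lines) + "\n"

def add_admin_role(text, rolearn, username="eksadmin"):
    """Map rolearn to system:masters; refuse malformed ARNs and node-breaking edits."""
    if not ROLE_ARN_RE.match(rolearn):
        raise ValueError("rolearn must be a path-less IAM role ARN")
    entries = parse_map_roles(text)
    if not any("system:nodes" in e.get("groups", []) for e in entries):
        raise ValueError("node role entry missing; saving would cut worker nodes off")
    if any(e.get("rolearn") == rolearn for e in entries):
        return text                               # already mapped: idempotent
    entries.append({"groups": ["system:masters"], "rolearn": rolearn, "username": username})
    return render_map_roles(entries)
```

The returned text is what you paste into the editor opened by kubectl edit; because the function is idempotent, running it twice against the saved ConfigMap does not duplicate the administrator entry.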

Related resources

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip