This workshop has been deprecated and archived. The new Amazon EKS Workshop is now available at www.eksworkshop.com.
We are going to create 3 roles:
Create the roles:
export ACCOUNT_ID=$(aws sts get-caller-identity --output text --query Account)
export POLICY=$(echo -n '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::'; echo -n "$ACCOUNT_ID"; echo -n ':root"},"Action":"sts:AssumeRole","Condition":{}}]}')
echo ACCOUNT_ID=$ACCOUNT_ID
echo POLICY=$POLICY
aws iam create-role \
--role-name k8sAdmin \
--description "Kubernetes administrator role (for AWS IAM Authenticator for Kubernetes)." \
--assume-role-policy-document "$POLICY" \
--output text \
--query 'Role.Arn'
aws iam create-role \
--role-name k8sDev \
--description "Kubernetes developer role (for AWS IAM Authenticator for Kubernetes)." \
--assume-role-policy-document "$POLICY" \
--output text \
--query 'Role.Arn'
aws iam create-role \
--role-name k8sInteg \
--description "Kubernetes role for integration namespace in quick cluster." \
--assume-role-policy-document "$POLICY" \
--output text \
--query 'Role.Arn'
In this example, the assume-role-policy allows the root account to assume the role. We are going to allow specific groups to also be able to assume those roles. Check the official documentation for more information.
Because the above roles are only used to authenticate within our EKS cluster, they don’t need to have AWS permissions. We will only use them to allow some IAM groups to assume this role in order to have access to our EKS cluster.