Creating the IAM Role for EKS

To create the EKS role and assign policies to it:

  1. Run the following command:
    aws iam create-role \
    --role-name <role name> \
    --assume-role-policy-document <role policy document>

Where:

<role name>: A name chosen for ease of reference; in our examples, we will use srgdemo-eks-svc-role.

<role policy document>: The location of a JSON document granting temporary security credentials to perform actions on resources and defining which resources are accessible. There is a ready-to-use document named EksRolePolicyDocument.json of the download package arcsight-platform-cloud-installer-XX.X.X.XXX.zip, after unzipping, in the in the objectdefs folder. This document defines that the cluster can request temporary security credentials to eks.amazonaws.com only.

Example output:

{
  "Role": {
    "AssumeRolePolicyDocument": "<URL-encoded-JSON>",
    "RoleId": "AKIAIOSFODNN7EXAMPLE",
    "CreateDate": "2013-06-07T20:43:32.821Z",
    "RoleName": "Test-Role",
    "Path": "/",
    "Arn": "arn:aws:iam::123456789012:role/Test-Role"
    }
}
  1. Record the ARN (Amazon Resource Name) value in your AWS worksheet.

Example input and output:

aws iam create-role \
--role-name srgdemo-eks-svc-role \
--assume-role-policy-document file://./jsons/EksRolePolicyDocument.json
{
    "Role": {
        "Path": "/",
        "RoleName": "srgdemo-eks-svc-role",
        "RoleId": "AROARVXFDN4TOT5P3E3AQ",
        "Arn": "arn:aws:iam::115370811111:role/srgdemo-eks-svc-role",
        "CreateDate": "2020-05-18T12:10:48Z",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "eks.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        }
    }
}

Note the `Arn` value `arn:aws:iam::115370811111:role/srgdemo-eks-svc-role`.

  1. Attach a policy to the EKS role by running the command:
    aws iam attach-role-policy \
    --role-name <role name> \
    --policy-arn <policy arn>

Where:

<role name> is the role name you have chosen when creating a new role

<policy arn> is the policy ARN from the description above.

  1. Repeat Step 3 for the next policy, changing the policy ARN to match.

Example command with example policy name:

aws iam attach-role-policy \
--role-name srgdemo-eks-svc-role \
--policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy

Next Step:

Creating the Worker Node Role