How to attach role/policy to EKS Cluster? (giving it permission to tag)

0

I've run into a node-not-joining issue for Auto Mode and was recommended the tag workaround suggested here: https://docs.aws.amazon.com/eks/latest/userguide/auto-troubleshoot.html#auto-troubleshoot-join, which points to https://docs.aws.amazon.com/eks/latest/userguide/auto-learn-iam.html#tag-prop. The second link gives "an example of a policy that will unrestricted tagging access". Sounds good, but how do I actually apply it to the EKS Auto group?

I created my cluster with a command like:

eksctl create cluster --enable-auto-mode=True --name=my-name --region=my-region --tags=some_tag=foo --vpc-nat-mode=Disable --with-oidc=True

I inspected my cluster and saw it had an attached role of AWSServiceRoleForAmazonEKS with an attached policy of AmazonEKSServiceRolePolicy. Unfortunately I couldn't edit either of those. I also found this help page, which was, well, not helpful at all: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-service-linked-role.html. It actually just talked about changing the description, which is fairly useless.

Instead I tried creating a new role, AWSRoleForAmazonEKSCustom, which copied the policy from the tag-prop info above. However, my new cluster didn't use that role. I tried creating a new cluster using --authenticator-role-arn=arn_for_my_role_AWSRoleForAmazonEKSCustom, but this seemed to be perhaps authentication for accessing the cluster from other services, not for the cluster accessing other services, as I then got various "the server has asked for the client to provide credentials" error messages when running kubectl commands.

Ok, so finally the question. How can I do either of the below things?

  • Modify the AWSServiceRoleForAmazonEKS policy (which seems to be the default for all EKS clusters). This would be my preferred approach since I might make multiple clusters.
  • Specifically give my new EKS cluster the AWSRoleForAmazonEKSCustom role in a manual second step. Ideally doing this with a CLI command.
3 Answers
0
Accepted Answer

Hello,

Based on the information provided, I believe you've created a custom NodeClass which has tags in it.

If this is your use case, then you should be noticing that no Auto Mode worker nodes are getting launched in the EC2 console. I replicated this in my environment and observed the following message when describing the NodeClaim:

Error getting launch template configs: User is not authorized to perform this operation because no identity-based policy allows it

As stated in the documentation[1], by default, the managed policies related to EKS Auto Mode do not permit applying user defined tags to Auto Mode provisioned AWS resources. If you want to apply user defined tags, then you should attach the sample IAM policy[2] to the EKS Auto Cluster Role[2].

In my replication, after adding the custom policy[2] to my EKS cluster role, the worker nodes were able to launch and join the cluster successfully.

Furthermore, we cannot alter the service-linked role "AWSServiceRoleForAmazonEKS", nor is it required. The purpose of this role is to manage resources such as ENIs, VPCs and SGs.

I'd recommend creating a custom EKS Auto Cluster role. This role should have the required managed policies as mentioned in the doc[3], plus a custom policy[2] which allows user-defined tags. You can use the ClusterConfig manifest below as a reference to create multiple clusters with the same cluster role. Refer to [4] for more information on ClusterConfig.

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
    name: auto-mode-cluster
    region: eu-west-1
iam:
  serviceRoleARN: "<EKS-Auto-Cluster-Role-Arn>"
autoModeConfig:
    enabled: true

[+] eksctl create cluster -f <file-name>.yaml

[1] https://docs.aws.amazon.com/eks/latest/userguide/auto-learn-iam.html

[2] https://docs.aws.amazon.com/eks/latest/userguide/auto-learn-iam.html#tag-prop

[3] https://docs.aws.amazon.com/eks/latest/userguide/auto-cluster-iam-role.html

[4] https://eksctl.io/usage/schema/

AWS
answered 8 months ago
EXPERT
reviewed 8 months ago
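The accepted answer's procedure (custom Auto Mode cluster role with the managed policies from doc [3], the tag-propagation policy from doc [2] as an inline policy, and a ClusterConfig that pins the role) as one script. This is an added example, not code from the answer or from AWS; it assumes AWS CLI v2 with IAM permissions, that the policy JSON copied from doc [2] is saved locally, and placeholder role and cluster names.

```shell
#!/usr/bin/env bash
# Added example (not from the answer above). Builds an EKS Auto Mode cluster role
# and emits the eksctl ClusterConfig that references it.
# Assumptions: AWS CLI v2 is configured; the tag policy JSON from doc [2] is saved
# at the path passed as $2; role and cluster names are placeholders.
set -eu

# Managed policies the Auto Mode cluster role needs (doc [3]).
auto_mode_managed_policies() {
  printf '%s\n' AmazonEKSClusterPolicy AmazonEKSComputePolicy \
    AmazonEKSBlockStoragePolicy AmazonEKSLoadBalancingPolicy AmazonEKSNetworkingPolicy
}

# Trust policy: EKS must be allowed both AssumeRole and TagSession, otherwise
# tags cannot be passed on the role session and Auto Mode node launches fail.
trust_policy_json() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Service":"eks.amazonaws.com"},
 "Action":["sts:AssumeRole","sts:TagSession"]}]}
EOF
}

# ClusterConfig pinned to the custom role; reusable for any number of clusters.
cluster_config_yaml() {  # $1=cluster name  $2=region  $3=role ARN
  printf 'apiVersion: eksctl.io/v1alpha5\nkind: ClusterConfig\nmetadata:\n  name: %s\n  region: %s\niam:\n  serviceRoleARN: "%s"\nautoModeConfig:\n  enabled: true\n' "$1" "$2" "$3"
}

# Create the role, attach the managed policies, add the tag policy inline,
# and print the role ARN. (Hypothetical role/policy names.)
create_auto_mode_cluster_role() {  # $1=role name  $2=path to tag policy JSON from doc [2]
  role="$1"; tag_policy_file="$2"
  aws iam create-role --role-name "$role" \
    --assume-role-policy-document "$(trust_policy_json)" >/dev/null
  for p in $(auto_mode_managed_policies); do
    aws iam attach-role-policy --role-name "$role" --policy-arn "arn:aws:iam::aws:policy/$p"
  done
  aws iam put-role-policy --role-name "$role" --policy-name EKSAutoModeTagPropagation \
    --policy-document "file://$tag_policy_file"
  aws iam get-role --role-name "$role" --query Role.Arn --output text
}

# Usage (placeholders):
# ROLE_ARN=$(create_auto_mode_cluster_role AmazonEKSAutoClusterRoleCustom ./tag-policy.json)
# cluster_config_yaml auto-mode-cluster eu-west-1 "$ROLE_ARN" > cluster.yaml
# eksctl create cluster -f cluster.yaml
```

The role is bound at cluster creation through serviceRoleARN; reuse the same ClusterConfig (changing only name and region) for each additional cluster.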
0

I found eksctl create iamserviceaccount, as discussed here: https://eksctl.io/usage/iamserviceaccounts/, which I believe does what I am asking.

Full command: eksctl create iamserviceaccount --cluster=my-name --region=my-region --name=myeksiamtag --attach-policy-arn=custom-tag-policy-arn --approve

answered 8 months ago
EXPERT
reviewed 8 months ago
-1

To address your issue with node joining in EKS Auto Mode and apply the necessary permissions for tagging, you'll need to modify the IAM role associated with your EKS cluster. Here's how you can do it:

  1. First, identify the IAM role associated with your EKS cluster. This is typically not the AWSServiceRoleForAmazonEKS, but a custom role created for your cluster.

  2. Once you've identified the correct role (it should be named something like AmazonEKSAutoClusterRole or eksClusterRole), you need to modify its permissions and trust relationship.

  3. To add the tagging permissions, you'll need to attach a custom policy to this role. You can do this using the AWS CLI:

    aws iam put-role-policy --role-name YourEKSClusterRoleName --policy-name EKSTaggingPolicy --policy-document file://tagging-policy.json

    Where tagging-policy.json contains the policy for unrestricted tagging access you mentioned.

  4. Next, you need to update the trust relationship of the role to include the sts:TagSession action. You can do this by editing the trust policy:

    aws iam update-assume-role-policy --role-name YourEKSClusterRoleName --policy-document file://trust-policy.json

    Where trust-policy.json contains:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "eks.amazonaws.com"
          },
          "Action": [
            "sts:AssumeRole",
            "sts:TagSession"
          ]
        }
      ]
    }

  5. If you're creating a new cluster, you can specify the role ARN when creating the cluster:

    eksctl create cluster --name my-cluster --region my-region --service-role arn:aws:iam::ACCOUNT_ID:role/YourEKSClusterRoleName

Remember, you cannot directly modify the AWSServiceRoleForAmazonEKS as it's a service-linked role managed by AWS. Instead, you should be working with the custom role created for your EKS cluster.

If you've already created the cluster without the correct permissions, you may need to update the cluster to use the modified role. This can typically be done through the EKS console or using the AWS CLI, but the exact process may vary depending on how the cluster was initially set up.
Sources
Amazon EKS Auto Mode cluster IAM role - Amazon EKS
Amazon EKS cluster IAM role - Amazon EKS
Enable EKS Auto Mode on an existing cluster - Amazon EKS

answered 8 months ago
  • This doesn't seem to be the right answer. The answer covers how to set up the policy with TagSession permissions, which I've already done by copy-pasting the policy and assigning it to a role. Then it says how to specify the ARN using eksctl create cluster --name my-cluster --region my-region --service-role arn:aws:iam::ACCOUNT_ID:role/YourEKSClusterRoleName, but this seems to be pure hallucination, since eksctl create cluster --help has no mention of a --service-role flag. Finally it gives a very hand-wavy "you may need to update the cluster to use the modified role" answer, but it gives no example of how to do so, which is what my question is actually asking.