Hello Saini,
1. Separate IAM Role Creation:
- Create the IAM role outside of your CloudFormation template. Define the necessary permissions in the IAM console or using the AWS CLI.

Create separate IAM roles:

```sh
aws iam create-role --role-name NodeInstanceRole1 --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name NodeInstanceRole1 --policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy

aws iam create-role --role-name NodeInstanceRole2 --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name NodeInstanceRole2 --policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
```
2. Reference the Existing Role in Node Groups:
- In your CloudFormation template, under each node group definition, specify the instanceRoleARN property with the ARN of the pre-created IAM role.
Update your configuration to use these roles:

```yaml
nodeGroups:
  - name: node-group-1
    instanceType: t3.medium
    desiredCapacity: 2
    iam:
      instanceRoleARN: arn:aws:iam::123456789012:role/NodeInstanceRole1
  - name: node-group-2
    instanceType: t3.medium
    desiredCapacity: 2
    iam:
      instanceRoleARN: arn:aws:iam::123456789012:role/NodeInstanceRole2
```

- By separating the role creation and referencing the existing ARN, CloudFormation won't try to create a duplicate role for each node group; this also enhances the security and manageability of permissions across the different node groups in your EKS cluster.
Hi,

Use a Single CloudFormation Stack for All Node Groups
One approach is to define all your node groups within a single CloudFormation stack. This way, you can reuse the same IAM role without running into the issue of it being attached to multiple stacks.
Create IAM Roles Externally and Reference Them in CloudFormation

Create the IAM role outside of CloudFormation, using the AWS Management Console, AWS CLI, or a dedicated CloudFormation stack for IAM roles. Then, reference this existing role in the CloudFormation templates for your node groups.

For example, create the IAM role with the following AWS CLI command:

```sh
aws iam create-role --role-name MyEKSNodeRole --assume-role-policy-document file://trust-policy.json
```

Add Necessary Permissions to Node Group-Specific Roles

If you must create multiple roles, ensure each role has the necessary permissions. You can use IAM policies to define the required permissions and attach these policies to the roles.

Implementation Example

Here's an example CloudFormation template that references an externally created IAM role:

```yaml
Resources:
  MyNodeGroup:
    Type: AWS::EKS::Nodegroup
    Properties:
      ClusterName: !Ref EKSClusterName
      NodeRole: arn:aws:iam::<account-id>:role/MyEKSNodeRole
      ...
```
Best Practices
- Minimal Permissions: Always adhere to the principle of least privilege. Only grant the permissions necessary for the node groups to function.
- Role Naming Conventions: Use a clear naming convention for IAM roles to easily identify which node group or purpose they serve.
- Documentation: Document the roles and policies used in your setup to ensure future maintainability and ease of troubleshooting.
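Both answers run `aws iam create-role` against a `trust-policy.json` they never show, and both then paste role ARNs into `instanceRoleARN` / `NodeRole` by hand. The script below is an added example, not code from either answer or from AWS: it writes the trust policy an EKS worker-node role needs (only the EC2 service may assume it), checks that a role ARN is well-formed before it goes into a template, and prints the create/attach commands for review instead of executing them. The role and file names come from the first answer; attaching `AmazonEKS_CNI_Policy` and `AmazonEC2ContainerRegistryReadOnly` alongside `AmazonEKSWorkerNodePolicy` is my assumption of the standard node-role policy set, not something the answers state.

```sh
#!/bin/sh
# Added example (not from the answers above). Prepares the inputs for the
# "create the role outside CloudFormation, then reference its ARN" approach.
set -eu

# Write the trust policy that `aws iam create-role` reads via file://.
# A worker-node role should be assumable by the EC2 service only; a broader
# principal here would let other identities pick up the node permissions.
write_trust_policy() {
  # $1 = output path (the answers use trust-policy.json)
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Return 0 if $1 has the shape of an IAM role ARN (12-digit account id,
# role name of 1-64 allowed characters, optional path), 1 otherwise.
# Catches the typical copy/paste slips before CloudFormation rejects them.
validate_role_arn() {
  printf '%s\n' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]{1,64}$'
}

# Print (do not run) the CLI commands for one node-group role so they can be
# reviewed first; pipe the output to sh to apply them. The last two policies
# are assumed here; the answers attach only AmazonEKSWorkerNodePolicy.
role_commands() {
  # $1 = role name, $2 = trust policy path
  printf 'aws iam create-role --role-name %s --assume-role-policy-document file://%s\n' "$1" "$2"
  for policy in AmazonEKSWorkerNodePolicy AmazonEKS_CNI_Policy AmazonEC2ContainerRegistryReadOnly; do
    printf 'aws iam attach-role-policy --role-name %s --policy-arn arn:aws:iam::aws:policy/%s\n' "$1" "$policy"
  done
}

# Usage with the two roles from the first answer. The account id is the
# placeholder value used in that answer's config, not a real account.
write_trust_policy trust-policy.json
for role in NodeInstanceRole1 NodeInstanceRole2; do
  arn="arn:aws:iam::123456789012:role/$role"
  validate_role_arn "$arn" || { echo "malformed role ARN: $arn" >&2; exit 1; }
  role_commands "$role" trust-policy.json
done
```

`validate_role_arn` is deliberately strict about the account id: a 12-digit check is cheap, and an ARN with a wrong account id fails only at stack creation time otherwise. Run the script once, read the printed commands, then re-run with the output piped to `sh` when they look right.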