Issue with Attaching IAM Role to Multiple Node Groups in AWS EKS

0

Hello AWS Community,

I'm facing an issue with attaching an IAM role to multiple node groups in my AWS EKS cluster. Here are the details:

I have an IAM role with specific permissions that I use for my node groups. When I create a node group and attach this IAM role, the node group is created successfully without any issues. However, when I try to use the same IAM role for a new node group, I encounter an error in CloudFormation stating that the role already exists in another stack. Is there a way to reuse the same IAM role across multiple node groups without encountering this CloudFormation error? If not, what would be the recommended approach to handle IAM roles for multiple node groups in the same EKS cluster?

Any guidance or best practices would be greatly appreciated!

Thank you!

I am attaching the code:

nodeGroups:
  - name: node-group-1
    instanceType: t3.medium
    desiredCapacity: 2
    iam:
      instanceRoleARN: arn:aws:iam::123456789012:role/NodeInstanceRole

  - name: node-group-2
    instanceType: t3.medium
    desiredCapacity: 2
    iam:
      instanceRoleARN: arn:aws:iam::123456789012:role/NodeInstanceRole

saini
asked 4 months ago, 696 views
2 Answers
2

Hello Saini,

1. Separate IAM Role Creation:

  • Create the IAM role outside of your CloudFormation template. Define the necessary permissions in the IAM console or using the AWS CLI.

Create separate IAM roles:

aws iam create-role --role-name NodeInstanceRole1 --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name NodeInstanceRole1 --policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy

aws iam create-role --role-name NodeInstanceRole2 --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name NodeInstanceRole2 --policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy

2. Reference the Existing Role in Node Groups:

  • In your CloudFormation template, under each node group definition, specify the instanceRoleARN property with the ARN of the pre-created IAM role.

Update your configuration to use these roles:

nodeGroups:
  - name: node-group-1
    instanceType: t3.medium
    desiredCapacity: 2
    iam:
      instanceRoleARN: arn:aws:iam::123456789012:role/NodeInstanceRole1

  - name: node-group-2
    instanceType: t3.medium
    desiredCapacity: 2
    iam:
      instanceRoleARN: arn:aws:iam::123456789012:role/NodeInstanceRole2

  • By separating the role creation and referencing the existing ARN, CloudFormation won't try to create a duplicate role for each node group, and this also enhances the security and manageability of permissions across different node groups in your EKS cluster.
EXPERT
answered 4 months ago
EXPERT
reviewed 4 months ago
1

Hi

Use a Single CloudFormation Stack for All Node Groups

One approach is to define all your node groups within a single CloudFormation stack. This way, you can reuse the same IAM role without running into the issue of it being attached to multiple stacks.

Create IAM Roles Externally and Reference Them in CloudFormation

Create the IAM role outside of CloudFormation, using the AWS Management Console, AWS CLI, or a dedicated CloudFormation stack for IAM roles. Then, reference this existing role in the CloudFormation templates for your node groups.

For example, create the IAM role with the following AWS CLI command:

aws iam create-role --role-name MyEKSNodeRole --assume-role-policy-document file://trust-policy.json

Add Necessary Permissions to Node Group-Specific Roles

If you must create multiple roles, ensure each role has the necessary permissions. You can use IAM policies to define the required permissions and attach these policies to the roles.

Implementation Example

Here's an example CloudFormation template that references an externally created IAM role:

Resources:
  MyNodeGroup:
    Type: AWS::EKS::Nodegroup
    Properties:
      ClusterName: !Ref EKSClusterName
      NodeRole: arn:aws:iam::<account-id>:role/MyEKSNodeRole
      ...

Best Practices

  • Minimal Permissions: Always adhere to the principle of least privilege. Only grant the permissions necessary for the node groups to function.
  • Role Naming Conventions: Use a clear naming convention for IAM roles to easily identify which node group or purpose they serve.
  • Documentation: Document the roles and policies used in your setup to ensure future maintainability and ease of troubleshooting.
EXPERT
Sandeep
answered 4 months ago
EXPERT
reviewed 4 months ago
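Both answers rely on two things the thread shows but does not spell out: the `trust-policy.json` that the `aws iam create-role` commands read, and a config in which every node group points at a pre-created role. The script below is an added example (not code from AWS, eksctl, or either answerer) that writes that EC2 trust policy and checks an eksctl-style `nodeGroups` list offline: it flags node groups with no `instanceRoleARN` (which is when the tooling creates a role inside the stack), malformed ARNs, roles from an unexpected account, and a single role shared by several node groups, which works but gives every node the same blast radius. The sample config, the account id, and the "required policies" set are constructed for the example; the set reflects the managed policies an EKS worker node role commonly needs and should be adjusted to your cluster.

```python
"""Offline checks for per-node-group IAM roles in an EKS cluster config.

Added example; assumes an eksctl-style nodeGroups list whose iam section
carries instanceRoleARN, and the EC2 trust policy that
`aws iam create-role ... --assume-role-policy-document file://trust-policy.json`
expects.
"""
import json
import re

# Constructed sample: the questioner's config after applying answer 1
# (one pre-created role per node group). Account id 123456789012 is the
# placeholder used on the page.
NODE_GROUPS = [
    {"name": "node-group-1", "instanceType": "t3.medium", "desiredCapacity": 2,
     "iam": {"instanceRoleARN": "arn:aws:iam::123456789012:role/NodeInstanceRole1"}},
    {"name": "node-group-2", "instanceType": "t3.medium", "desiredCapacity": 2,
     "iam": {"instanceRoleARN": "arn:aws:iam::123456789012:role/NodeInstanceRole2"}},
]

# IAM role ARN: 12-digit account id, then role/<name or path/name>.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")

# Managed policies an EKS worker node role commonly needs (assumed minimal
# set for this check; tune it to what your cluster actually uses).
REQUIRED_POLICIES = {
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
}


def ec2_trust_policy():
    """Trust policy for trust-policy.json: only the EC2 service may assume the node role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def write_trust_policy(path="trust-policy.json"):
    """Write the trust policy so the CLI commands from the answers can read it."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(ec2_trust_policy(), fh, indent=2)
    return path


def check_node_group_roles(node_groups, expected_account=None):
    """Return a list of (node_group, finding) tuples; an empty list means clean."""
    findings = []
    owners = {}  # role ARN -> node groups that use it
    for ng in node_groups:
        name = ng.get("name", "<unnamed>")
        arn = (ng.get("iam") or {}).get("instanceRoleARN")
        if not arn:
            findings.append((name, "no instanceRoleARN: a role will be created inside the node group stack"))
            continue
        match = ROLE_ARN_RE.match(arn)
        if not match:
            findings.append((name, f"malformed role ARN: {arn}"))
            continue
        account, role = match.groups()
        if expected_account and account != expected_account:
            findings.append((name, f"role {role} lives in account {account}, not {expected_account}"))
        owners.setdefault(arn, []).append(name)
    # One role shared by several node groups: not an error, but worth knowing.
    for arn, names in owners.items():
        if len(names) > 1:
            findings.append(("+".join(names), f"role shared across node groups: {arn}"))
    return findings


def missing_policies(attached_policy_arns):
    """Return the required managed-policy ARNs absent from a role's attached set."""
    return sorted(REQUIRED_POLICIES - set(attached_policy_arns))


if __name__ == "__main__":
    print("wrote", write_trust_policy())
    for group, finding in check_node_group_roles(NODE_GROUPS, expected_account="123456789012") or [("all", "ok")]:
        print(f"{group}: {finding}")
    # Answer 1 attaches only AmazonEKSWorkerNodePolicy; show what that role still lacks.
    print("still missing:", missing_policies(["arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"]))
```

Feed `check_node_group_roles` the config from the question (both groups pointing at `NodeInstanceRole`) and it reports the shared role; feed it the config from answer 1 and it is clean. `missing_policies` is a reminder that the two `attach-role-policy` commands in answer 1 attach one policy each, so the rest of the set you require must be attached separately.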
