EKS clusters need an associated service-linked EKS Role to access other AWS services. If such a role does not already exist in the account, Create EKS Role provides instructions on how to create it.
The Target Account requires some privileges beyond PowerUserAccess to use EKS actions. Add Inline Policy to Target Account provides instructions on how to add these privileges. Using Service-Linked Roles for Amazon EKS - Amazon EKS provides more detail on this requirement.
If you want to use an existing Kubernetes (k8s) cluster, you must allow one of your Fylamynt Target Accounts (AWS account configured) to access the k8s cluster. This can be done by associating a Target Account (AWS account configured) role ARN with a list of K8s groups (i.e. system:masters, system:basic-user). Please follow the instruction in Managing users or IAM roles for your cluster - Amazon EKS to complete this process.
In the IAM Console, click on `Create role`
Select AWS service on the next screen
Pick EKS as the service
Pick EKS - Cluster as the specific use case in the lower half of the page
Click on Next: Tags and add any tags that you want
Add a Role name, save.
Search for the Role name on the next screen and click on it
Note down the Role ARN
Find the target account in the IAM console:
Click on Add inline policy
Click on Choose a service, enter IAM in the search box, then select IAM
Click on the Chevron for Write, select PassRole
Once PassRole is selected, specify the role resource ARN by clicking on the Resources chevron
Click on Add ARN
Enter the full ARN from the Role ARN noted earlier, click on Add.
Click on Review policy
Click on Create policy
Navigate to Settings > Resource > EKS Permissions.
Click Manage EKS Permissions to create an integration instance.
Click on Add New
Details needed to provide EKS Permissions to Fylamynt:
Target account in which to perform EKS operations
Reference name for this instance. This will show up in resource menus for EKS actions
Assume Role ARN
The Role ARN from Create Role for EKS Control
Sample EKS Permission:
The action can be used to create/deploy an EKS Cluster.
The role_arn parameter should match the one from Create Role for EKS Control. The alias should match an alias with the additional inline policy applied.