# EKS Permissions

## **Overview**

* EKS clusters need an associated *service-linked* **EKS Role** to access other AWS services. If such a role does not already exist in the account, **Create EKS Role** provides instructions on how to create it.
* The Target Account requires some privileges beyond PowerUserAccess to use EKS actions. **Add Inline Policy to Target Account** provides instructions on how to add these privileges. [Using Service-Linked Roles for Amazon EKS - Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/using-service-linked-roles.html) provides more detail on this requirement.

### Managing existing Kubernetes cluster with Fylamynt

* To use an existing Kubernetes (k8s) cluster, you must allow one of your Fylamynt [Target Accounts](https://docs.fylamynt.com/integrations/aws) (a configured AWS account) to access the cluster. Do this by associating the Target Account role ARN with a list of k8s groups (for example `system:masters`, `system:basic-user`). Follow the instructions in [Managing users or IAM roles for your cluster - Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html) to complete this process.

## **Prerequisites**

1. [Create Role for EKS Control](#create-role-for-eks-control)
2. [Add Inline Policy to Target Account](#add-inline-policy-to-target-account)

### **Create Role for EKS Control**

* In the IAM Console, click on `Create role`

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFe-DeehXQlMCdTI3j%2Fimage.png?alt=media\&token=c1796051-50eb-4ecc-98af-3607e8425f84)

* Select AWS service on the next screen

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFdyWf-jHWo8Fg6fHE%2Fimage.png?alt=media\&token=7056b7ec-f476-4c49-9977-4983655bb2b2)

* Pick EKS as the **service**

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFdwIVmm6g98uWmgmN%2Fimage.png?alt=media\&token=73e0fbda-66c2-49ea-8dd8-b0a38787e651)

* Pick **EKS - Cluster** as the specific use case in the lower half of the page

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFdu9KTh8VeI7nV_n3%2Fimage.png?alt=media\&token=34c4b734-9c8f-4040-aea1-da326b0c14ba)

* Click on **Next: Tags** and add any tags that you want

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFdsA6wenw3EU6Mdf3%2Fimage.png?alt=media\&token=4126995a-cbb7-48e4-9763-c0d582f4d2e9)

* Add a **Role name**, then save.

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFdo7DtqIIYmaKbRYt%2Fimage.png?alt=media\&token=23048188-59bc-4870-ada8-0c8247147411)

* Search for the **Role name** on the next screen and click on it

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFdlOlBVnNkQlJZ2SG%2Fimage.png?alt=media\&token=c54e302b-d60d-4908-8526-1eacae306912)

* Note down the **Role ARN**

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFdgCiWy2RCXF7qmq2%2Fimage.png?alt=media\&token=04d7d759-057b-4781-b06b-140961da6efa)

### **Add Inline Policy to Target Account**

* Find the target account in the **IAM** console:

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFd_hALRSwrPkoMABn%2Fimage.png?alt=media\&token=c42b52ba-6810-4d3b-a4a8-cffd4b2993c5)

* Click on **Add inline policy**

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFdcNmG7zv3zJkmZvM%2Fimage.png?alt=media\&token=4990f1cc-921a-45d4-b9f0-39eb9af9e333)

* Click on **Choose a service**, enter *IAM* in the search box, then select **IAM**

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFdWpx62XooBrFb6BA%2Fimage.png?alt=media\&token=057431e1-e0ca-4059-ac0e-97606f400601)

* Click on the chevron for **Write**, select **PassRole**

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFdUWb5X26ki3rlSdu%2Fimage.png?alt=media\&token=a0835cbe-8c2c-48af-b888-8196ca3eb5f9)

* Once **PassRole** is selected, specify the **role** resource ARN by clicking on the **Resources** chevron

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFdDlfFbnTfX1lA6Xa%2Fimage.png?alt=media\&token=b5219dbe-d2aa-481e-a557-296d2fca64ba)

* Click on **Add ARN**

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFd9miavcMHGDccAmx%2Fimage.png?alt=media\&token=962d0db0-415f-407b-a56d-1e17ddf862c0)

* Enter the full ARN from the **Role ARN** noted earlier, then click on **Add**.

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFd7mSBotSyP4QHeNN%2Fimage.png?alt=media\&token=d583c27b-c66b-4483-9116-a4fab7bccd0c)

* Click on **Review policy**

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFd5lmph3ypqwDRw6o%2Fimage.png?alt=media\&token=f0fbcf17-d3cf-4b9b-93a2-bf393158ab72)

* Click on **Create policy**

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFd3YMwddFNPrMx6Mz%2Fimage.png?alt=media\&token=16226eaf-6476-477d-b31f-6fa493ca198e)
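The console steps above produce an inline policy that allows `iam:PassRole` on a single role ARN. The following is an added example, not Fylamynt's or AWS's own code: it builds that policy document and audits any policy for `iam:PassRole` grants that reach beyond the expected role. The ARN is a constructed placeholder and the function names are hypothetical.

```python
import fnmatch
import json

# Constructed placeholder; substitute the Role ARN noted in "Create Role for EKS Control".
EKS_ROLE_ARN = "arn:aws:iam::111122223333:role/example-eks-cluster-role"


def build_passrole_policy(role_arn):
    """Inline policy equivalent to the console steps: iam:PassRole on one role ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn}
        ],
    }


def _as_list(value):
    # IAM accepts either a single value or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def audit_passrole(policy, expected_arn):
    """Return findings for Allow statements that grant iam:PassRole too broadly.

    Narrow by design: NotAction, NotResource and Condition are not evaluated.
    """
    findings, granted = [], False
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive and may be wildcard patterns (iam:*, *).
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("iam:passrole", a) for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == expected_arn:
                granted = True
            elif "*" in res or "?" in res:
                findings.append(f"statement {i}: wildcard resource {res!r}")
                granted = granted or fnmatch.fnmatchcase(expected_arn, res)
            else:
                findings.append(f"statement {i}: unexpected role {res!r}")
    if not granted:
        findings.append("iam:PassRole is not granted on the expected role")
    return findings


if __name__ == "__main__":
    policy = build_passrole_policy(EKS_ROLE_ARN)
    print(json.dumps(policy, indent=2))
    print(audit_passrole(policy, EKS_ROLE_ARN) or "PassRole is scoped to the EKS role only")
```

An empty findings list means the policy passes exactly the role created earlier and nothing else.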

## Configure the Resource

* Navigate to **Settings** > **Resource** > **EKS Permissions**.
* Click **Manage EKS Permissions** to create an integration instance.
* Click on **Add New**

Details needed to provide **EKS Permissions** to **Fylamynt**:

| **Parameter**   | Description                                                                           | **Required** |
| --------------- | ------------------------------------------------------------------------------------- | ------------ |
| Account Alias   | Target account in which to perform EKS operations                                     | True         |
| Name            | Reference name for this instance. This will show up in resource menus for EKS actions | True         |
| Assume Role ARN | The **Role ARN** from **Create Role for EKS Control**                                 | True         |

Sample EKS Permission:

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFcqcqr8VLnWTdYPVg%2Fimage.png?alt=media\&token=cff95f2d-1c82-49d5-8be9-5cf3e33e6715)

## Integration Actions

1. [Deploy Cluster](#deploy-cluster)

### Deploy Cluster

The action can be used to create/deploy an EKS Cluster.

![](https://2168485084-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXYvxfYq9m2JdKqaCdk%2F-MaFcA7D-JGpAF2tj9qL%2F-MaFcnAoKNFniHPfutjQ%2Fimage.png?alt=media\&token=c3547c73-d11b-4767-a305-3aa108fcf2b5)

The `role_arn` parameter should match the Role ARN from **Create Role for EKS Control**. The alias should match a Target Account alias that has the additional inline policy applied.
