AWS setup: AWS account IAM for EKS
This section prepares an AWS account for deploying to AWS EKS. By the end of this guide, a new IAM user belonging to a group with the required permissions will have been created.
- An AWS account with IAM full access permission.
If you do not have an account or permission to create new IAM users, ask your AWS administrator for a user with the following policies attached. Then go to Check IAM user permissions.
AmazonEC2FullAccess
IAMReadOnlyAccess
AmazonEKSServicePolicy
AmazonS3FullAccess
AmazonEC2ContainerRegistryFullAccess
The script located at /scripts/accounts/aws/create-user.sh will automatically create a user and enroll it in a newly created group with the required policies attached.
If you do not have an AWS access key (needed to authenticate through the API), follow this guide to create one.
create-user.sh \
-u <username> \
-g <group> \
[-p <policies...>] \
[-f <policies file path>] \
[-c <custom policies file path>] \
[-a <AWS access key>] \
[-s <AWS secret key>] \
[-r <region>]
-u [Required] Username for the new user
-g [Required] Group name for the group to be created or used
-p [Optional] Policies to be attached to the group, separated by commas
-f [Optional] Path to a file containing the policies to be attached to the group
-c [Optional] Path to a JSON file containing the custom policies to be attached to the group
-a [Optional] AWS administrator access key
-s [Optional] AWS administrator secret key
-r [Optional] AWS region
./create-user.sh -u Bob -g DevOps -f ./eks-managed-policies.txt -c ./eks-custom-policies.json -a "myAccessKey" -s "mySecretKey" -r eu-west-1
Note: Required policies for using EKS are located at /scripts/accounts/aws/eks-managed-policies.txt and /scripts/accounts/aws/eks-custom-policies.json
The script located at /scripts/accounts/aws/verify-account-policies.sh will check that the necessary policies were attached to the IAM user.
verify-account-policies.sh \
-u <username> \
[-p <policies...>] \
[-f <policies file path>] \
[-c <custom policies file path>] \
[-a <AWS access key>] \
[-s <AWS secret key>] \
[-r <region>]
-u [Required] Username whose policies will be checked
-p [Optional] Policies to be checked, separated by commas
-f [Optional] Path to a file containing the policies to be checked
-c [Optional] Path to a file containing the custom policies to be checked
-a [Optional] AWS administrator access key
-s [Optional] AWS administrator secret key
-r [Optional] AWS region
At least one of the policy options (-p, -f or -c) is required.
./verify-account-policies.sh -u Bob -f ./eks-managed-policies.txt -c ./eks-custom-policies.json -a "myAccessKey" -s "mySecretKey" -r eu-west-1
The result is reported as OK or FAILED, depending on the attachment status.
Note: Required policies for using EKS are located at /scripts/accounts/aws/eks-managed-policies.txt and /scripts/accounts/aws/eks-custom-policies.json
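The attachment check described above, as an added example (not the project's verify-account-policies.sh): it compares required policy names against the names attached to a group and prints OK or FAILED for each. The one-name-per-line file format, the `demo` helper and the sample names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's verify-account-policies.sh.

# One policy name per line: strip CRs and "#" comments, split on commas,
# tabs and spaces (the -p flag is comma-separated; `--output text` uses tabs).
normalise() {
  tr -d '\r' | sed 's/#.*//' | tr ',\t ' '\n\n\n' | sed '/^$/d'
}

# check_policies <required-file> <attached-names>
# Prints "OK <name>" / "FAILED <name>"; returns 1 if any required policy is
# missing, 2 if the required list is unreadable or empty.
check_policies() {
  required_file=$1 attached=$2 rc=0
  [ -r "$required_file" ] || { echo "cannot read $required_file" >&2; return 2; }
  required=$(normalise < "$required_file")
  [ -n "$required" ] || { echo "no policies to check" >&2; return 2; }
  attached=$(printf '%s\n' "$attached" | normalise)
  for p in $required; do
    # -F literal, -x whole line: a substring match would let a look-alike
    # name satisfy the check.
    if printf '%s\n' "$attached" | grep -Fxq -- "$p"; then
      echo "OK $p"
    else
      echo "FAILED $p"; rc=1
    fi
  done
  return "$rc"
}

# Live use, assuming the AWS CLI is already configured:
#   attached=$(aws iam list-attached-group-policies --group-name DevOps \
#     --query 'AttachedPolicies[].PolicyName' --output text)
#   check_policies ./eks-managed-policies.txt "$attached"

# Constructed sample data; the one-name-per-line file format is an assumption.
demo() {
  req=$(mktemp)
  printf 'AmazonEC2FullAccess\nAmazonS3FullAccess\r\n# constructed comment\nAmazonEKSServicePolicy\nAmazonEC2ContainerRegistryFullAccess\n' > "$req"
  # "AmazonS3FullAccessLegacy" is a made-up look-alike, not a real policy.
  att=$(printf 'AmazonEC2FullAccess\tAmazonS3FullAccessLegacy\tAmazonEKSServicePolicy')
  status=0
  check_policies "$req" "$att" || status=$?
  rm -f "$req"
  return "$status"
}

demo || echo "at least one required policy is missing"
```

The live-use lines rely on the configured CLI profile, which keeps the secret key out of shell history and process listings.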
Once you have been provided with an IAM user with the required policies attached, set up the AWS CLI using the following command:
aws configure
AWS Access Key ID [None]: <accessKeyID>
AWS Secret Access Key [None]: <secretAccessKey>
Default region name [None]: eu-west-1
Default output format [None]: json
This documentation is licensed under the Creative Commons License (Attribution-NoDerivatives 4.0 International).