Create EKS IAM Role (Private Preview)
This page describes how to create and configure an IAM role for Zilliz Cloud to deploy an EKS cluster for your Zilliz Cloud project.
Procedure
You can use the AWS console to create the EKS role. As an alternative, you can use the Terraform script Zilliz Cloud provides to bootstrap the infrastructure for your Zilliz Cloud project on AWS. For details, refer to Bootstrap Project Infrastructure (Terraform).
Step 1: Create an IAM role
In this step, you will create an IAM role on AWS that lets Zilliz Cloud manage EKS clusters on your behalf, and then paste the ARN of the role into the Zilliz Cloud console.
When an EKS cluster is created, two service-linked roles, AmazonEKSServiceRolePolicy and AWSServiceRoleForAmazonEKSNodegroup, are also created automatically along with the cluster. Amazon EKS requires these two roles to call other AWS services on your behalf.
- Log into your AWS Console as a user with administrator privileges and go to the IAM dashboard.
- Expand your account information, and click the copy button at the start of your AWS Account ID.
- Click the Roles tab in the left sidebar, and then click Create Role.
- In Select trusted entity, click the Custom trust policy tile. In Common trust policy, paste the trust JSON from below into the editor in the Custom trust policy section and replace {accountId} with your AWS Account ID.

  ```json
  {
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "eks-nodegroup.amazonaws.com"
        },
        "Action" : "sts:AssumeRole"
      },
      {
        "Sid" : "EKSClusterAssumeRole",
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "eks.amazonaws.com"
        },
        "Action" : "sts:AssumeRole"
      },
      {
        "Sid" : "EKSNodeAssumeRole",
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "ec2.amazonaws.com"
        },
        "Action" : "sts:AssumeRole"
      },
      {
        "Effect" : "Allow",
        "Principal" : {
          "Federated" : "arn:aws:iam::{accountId}:oidc-provider/eks_oidc_url"
        },
        "Action" : "sts:AssumeRoleWithWebIdentity",
        "Condition" : {
          "StringEquals" : {
            "eks_oidc_url:aud" : "sts.amazonaws.com",
            "eks_oidc_url:sub" : "system:serviceaccount:kube-system:aws-load-balancer-controller"
          }
        }
      },
      {
        "Effect" : "Allow",
        "Principal" : {
          "Federated" : "arn:aws:iam::{accountId}:oidc-provider/eks_oidc_url"
        },
        "Action" : "sts:AssumeRoleWithWebIdentity",
        "Condition" : {
          "StringEquals" : {
            "eks_oidc_url:sub" : "system:serviceaccount:kube-system:ebs-csi-controller-sa",
            "eks_oidc_url:aud" : "sts.amazonaws.com"
          }
        }
      },
      {
        "Effect" : "Allow",
        "Principal" : {
          "Federated" : "arn:aws:iam::{accountId}:oidc-provider/eks_oidc_url"
        },
        "Action" : "sts:AssumeRoleWithWebIdentity",
        "Condition" : {
          "StringEquals" : {
            "eks_oidc_url:sub" : "system:serviceaccount:kube-system:cluster-autoscaler",
            "eks_oidc_url:aud" : "sts.amazonaws.com"
          }
        }
      }
    ]
  }
  ```

- Click Next and skip adding permissions.
- In the Name, review, and create step, name the role, review the trusted entities, and click Create role.

  📘 Notes: When naming the role, use the prefix zilliz-byoc.

- Once the role has been created, click View role in the green bar to go to the role details.
- Click the copy icon in front of the role's ARN.
- Go back to the Zilliz Cloud console and paste the role ARN in IAM Role ARN under EKS settings.
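As an added example that is not part of the Zilliz Cloud documentation, the following Python code renders the trust policy above with a real account ID and OIDC issuer and then checks the result the way a reviewer would before pasting it: no placeholders left, the federated provider belongs to your account, and every web-identity statement pins both aud and sub to a single Kubernetes service account. It assumes eks_oidc_url stands for the cluster's OIDC issuer without the https:// prefix; the account ID and issuer values used are constructed, and the embedded template is a shortened copy of the page's policy.

```python
import json
import re

# Trust policy template as on this page, reduced to one service statement and
# one OIDC statement (constructed sample; the full template has more statements).
TRUST_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "EKSClusterAssumeRole", "Effect": "Allow",
     "Principal": {"Service": "eks.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow",
     "Principal": {"Federated": "arn:aws:iam::{accountId}:oidc-provider/eks_oidc_url"},
     "Action": "sts:AssumeRoleWithWebIdentity",
     "Condition": {"StringEquals": {
       "eks_oidc_url:aud": "sts.amazonaws.com",
       "eks_oidc_url:sub": "system:serviceaccount:kube-system:cluster-autoscaler"}}}
  ]
}"""


def render(template, account_id, oidc_issuer):
    """Fill the placeholders. oidc_issuer is assumed to be the cluster's OIDC
    issuer without https://, e.g. oidc.eks.<region>.amazonaws.com/id/<ID>."""
    return template.replace("{accountId}", account_id).replace("eks_oidc_url", oidc_issuer)


def check_trust_policy(doc, account_id):
    """Return a list of findings; an empty list means the document passed."""
    findings = []
    if "{accountId}" in doc or "eks_oidc_url" in doc:
        findings.append("unreplaced placeholder left in trust policy")
    for st in json.loads(doc)["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue  # service principals (eks, ec2, eks-nodegroup) need no OIDC checks
        fed = st["Principal"].get("Federated", "")
        m = re.fullmatch(r"arn:aws:iam::(\d{12}):oidc-provider/(\S+)", fed)
        if not m or m.group(1) != account_id:
            findings.append(f"federated principal is not an OIDC provider in {account_id}: {fed}")
            continue
        issuer = m.group(2)
        cond = st.get("Condition", {}).get("StringEquals", {})
        # Without aud/sub conditions any token issued by the cluster could assume the role
        if cond.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append(f"aud not pinned to sts.amazonaws.com for {issuer}")
        if not cond.get(f"{issuer}:sub", "").startswith("system:serviceaccount:"):
            findings.append(f"sub not pinned to a Kubernetes service account for {issuer}")
    return findings
```

Run check_trust_policy on the full rendered policy from the page in the same way; each of its three web-identity statements should pass with no findings.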
Step 2: Add permissions
In this step, you add several permissions to the EKS role. On the role's details page, click the Permissions tab. In the Permissions policies section, click Add permissions. Because the policies come from different sources, you need to use both Attach policies (for the AWS-managed policies) and Create inline policy (for the policies maintained by Kubernetes SIGs).
Attach AWS-managed policies
The following table lists the permissions to add as attached policies. Click the item in the Permissions column of the table to view the required permissions.
| Permissions | Managed by | Description |
|---|---|---|
| | AWS | Provides read-only access to Amazon EC2 Container Registry repositories. |
| | AWS | Provides the Amazon VPC CNI Plugin (amazon-vpc-cni-k8s) the permissions it requires to modify the IP address configuration on your EKS worker nodes. |
| | AWS | Allows Amazon EKS worker nodes to connect to Amazon EKS Clusters. |
| | AWS | Provides Kubernetes the permissions it requires to manage resources on your behalf. |
| | AWS | Allows VPC Resource Controller to manage ENI and IPs for worker nodes. |
After you choose Attach policies, in the Other permissions policies section on the page that opens, enter the name of each AWS-managed policy listed above in the search box and select the box in front of it. Once you have selected all the required policies, click Add permissions.
You will find that these policies are listed in the Permissions policies list.
Create inline policies
The following table lists the policies that need to be added as customer inline policies. Click the item in the Permissions column of the table to view the required permissions.
| Permissions | Managed by | Description |
|---|---|---|
| | Kubernetes SIGs | AWS Load Balancer Controller is a controller to help manage Elastic Load Balancers for a Kubernetes cluster. For details on the AWS Load Balancer Controller repository, refer to the README file. |
| | Kubernetes SIGs | The Amazon Elastic Block Store Container Storage Interface (CSI) Driver provides a CSI interface used by Container Orchestrators to manage the lifecycle of Amazon EBS volumes. For details on the Amazon EBS CSI driver, refer to the README file. |
| | Kubernetes SIGs | The Cluster AutoScaler is a component that automatically adjusts the size of a Kubernetes Cluster so that all pods have a place to run and there are no unneeded nodes. For details on the Cluster AutoScaler on AWS, refer to the README file. |
After you choose Create inline policy, on the Specify permissions page, click JSON in the Policy editor section to open the policy editor. Then copy one of the policies listed above and paste it into the policy editor.
Click Next, and set Policy name in Policy details.
As shown in the following figure, when naming the policy, use the prefix zilliz-byoc.
Once you have added all the listed inline policies, click Create policy. You will find that these policies are listed in the Permissions policies list.