Associating Cluster Creation Role with AWS EKS
In AWS, an EKS (Elastic Kubernetes Service) cluster requires an IAM role to create and manage resources on your behalf. This IAM role is known as the cluster creation role. When setting up an EKS cluster using Pulumi, you need to ensure that you have such a role in place, and it must be associated with the EKS cluster.
To set up an EKS cluster and associate a cluster creation role with it using Pulumi, you will define a role with the necessary EKS permissions and then specify this role when creating the EKS cluster. The program does this in two steps:

- IAM Role Creation: The first step is to define an IAM role (`eksRole`) with policies that grant the required permissions for EKS cluster creation and management.
- EKS Cluster Creation: After creating the IAM role, we create an EKS cluster (`eks.Cluster`) and pass the IAM role to the cluster.
Below is the Pulumi TypeScript program that accomplishes this:
```typescript
import * as aws from '@pulumi/aws';
import * as eks from '@pulumi/eks';

// Step 1: Create an IAM role for the EKS cluster.
// The trust policy lets only the EKS service assume the role.
const eksRole = new aws.iam.Role('eksRole', {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
        Service: 'eks.amazonaws.com',
    }),
});

// Attach the Amazon EKS cluster policy to the role.
const eksPolicyAttachment = new aws.iam.RolePolicyAttachment('eksPolicyAttachment', {
    role: eksRole.name,
    policyArn: 'arn:aws:iam::aws:policy/AmazonEKSClusterPolicy', // Assumes you are using a managed policy ARN
});

// Step 2: Create an EKS cluster using the EKS role.
// eks.Cluster takes the role resource itself through serviceRole.
const cluster = new eks.Cluster('myEksCluster', {
    serviceRole: eksRole,
    vpcId: 'vpc-12345', // Replace with the VPC ID where you want your cluster to be.
    publicSubnetIds: ['subnet-12345', 'subnet-67890'], // Replace with your VPC's public subnet IDs.
}, {
    // Wait until the policy is attached before the cluster is created.
    dependsOn: [eksPolicyAttachment],
});

// Export the kubeconfig.
export const kubeconfig = cluster.kubeconfig;

// Export the EKS cluster name.
export const eksClusterName = cluster.eksCluster.name;
```
In this program:
- We import the necessary Pulumi AWS and EKS packages.
- We create an IAM role, `eksRole`, with a trust relationship policy that allows it to be assumed by the EKS service.
- We attach the `AmazonEKSClusterPolicy` policy to the role to grant it the necessary permissions for EKS operations.
- We create the `eks.Cluster` by specifying the created IAM role, VPC ID, and subnet IDs. Ensure that the VPC and subnet IDs are appropriately set to match your AWS environment.
- We export the `kubeconfig`, which will be used to manage the Kubernetes cluster, as well as the name of the EKS cluster.
Remember to replace 'vpc-12345', 'subnet-12345', and 'subnet-67890' with your actual VPC and subnet IDs where you wish to deploy your EKS cluster.
To run this Pulumi program, you will need to have Pulumi installed, along with the AWS CLI configured with the necessary access credentials. Save the above code in a file named `index.ts`, and then deploy it using the Pulumi CLI with the following command:

```bash
pulumi up
```
This command will prompt you to review the changes before applying them. Once you confirm, Pulumi will provision the resources as specified in the code.
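The trust relationship and the single policy attachment described above are the two properties worth verifying on the deployed role. The following is an added example, not part of the original program or of Pulumi's libraries: a self-contained check that reports any principal other than the EKS service in the trust policy and any attachment other than `AmazonEKSClusterPolicy`. The function name `auditClusterRole` and both sample documents are constructed for illustration.

```typescript
// Added example; all names and sample documents below are constructed for illustration.
type Principal = "*" | { [kind: string]: string | string[] };
interface Statement { Effect: string; Principal: Principal; Action: string | string[] }
interface TrustPolicy { Version: string; Statement: Statement[] }

const EKS_SERVICE = "eks.amazonaws.com";
const EKS_CLUSTER_POLICY = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy";

function auditClusterRole(trust: TrustPolicy, attachedPolicyArns: string[]): string[] {
  const findings: string[] = [];
  let eksTrusted = false;
  for (const stmt of trust.Statement) {
    if (stmt.Effect !== "Allow") continue; // a Deny statement cannot widen trust
    const principal = stmt.Principal;
    if (principal === "*") {
      findings.push("trust policy allows any principal (*)");
      continue;
    }
    for (const kind of Object.keys(principal)) {
      const value = principal[kind];
      for (const p of Array.isArray(value) ? value : [value]) {
        if (kind === "Service" && p === EKS_SERVICE) eksTrusted = true;
        else findings.push(`unexpected trusted principal ${kind}:${p}`);
      }
    }
  }
  if (!eksTrusted) findings.push(`${EKS_SERVICE} cannot assume this role`);
  if (attachedPolicyArns.indexOf(EKS_CLUSTER_POLICY) === -1) findings.push("AmazonEKSClusterPolicy is not attached");
  for (const arn of attachedPolicyArns) {
    if (arn !== EKS_CLUSTER_POLICY) findings.push(`extra policy attached: ${arn}`);
  }
  return findings;
}

// Constructed sample 1: the trust relationship the program above sets up.
const expectedTrust: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { Service: EKS_SERVICE }, Action: "sts:AssumeRole" }],
};
// Constructed sample 2: a drifted role (second service trusted, admin policy attached).
const driftedTrust: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { Service: [EKS_SERVICE, "ec2.amazonaws.com"] }, Action: "sts:AssumeRole" }],
};
const driftedAttached = [EKS_CLUSTER_POLICY, "arn:aws:iam::aws:policy/AdministratorAccess"];

console.log(auditClusterRole(expectedTrust, [EKS_CLUSTER_POLICY]));
console.log(auditClusterRole(driftedTrust, driftedAttached));
```

An empty result means the role matches what the program defines; each string in a non-empty result names one deviation to review.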