How do I add an IAM role to the EBS CSI Driver as an Addon?
In this example, we’ll show you how to add an IAM role to the EBS CSI Driver in AWS EKS. This involves creating an IAM role, attaching the necessary policies, and associating this role with the EKS add-on for the EBS CSI Driver.
The EBS CSI Driver allows you to use Amazon EBS volumes as persistent storage in your Kubernetes clusters. Configuring an IAM role lets the driver have the proper permissions to interact with AWS services.
Here’s the program to set this up:
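```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Placeholder: the name of an existing EKS cluster.
const clusterName = "your-eks-cluster";

// The driver's controller pods run as the Kubernetes service account
// kube-system/ebs-csi-controller-sa and obtain AWS credentials through IAM
// roles for service accounts (IRSA). The role therefore has to trust the
// cluster's OIDC provider; a role that trusts only the eks.amazonaws.com
// service principal cannot be assumed by the driver's pods.
// Assumption: an IAM OIDC provider already exists for this cluster.
const cluster = aws.eks.getClusterOutput({ name: clusterName });
const oidcIssuerUrl = cluster.identities[0].oidcs[0].issuer;
const oidcProvider = aws.iam.getOpenIdConnectProviderOutput({ url: oidcIssuerUrl });

// Trust policy: only the driver's service account may assume the role.
const assumeRolePolicy = pulumi
    .all([oidcProvider.arn, oidcIssuerUrl])
    .apply(([providerArn, issuerUrl]) => {
        // IAM condition keys use the issuer without the URL scheme.
        const issuer = issuerUrl.replace("https://", "");
        return JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Principal: { Federated: providerArn },
                Action: "sts:AssumeRoleWithWebIdentity",
                Condition: {
                    StringEquals: {
                        [`${issuer}:aud`]: "sts.amazonaws.com",
                        [`${issuer}:sub`]: "system:serviceaccount:kube-system:ebs-csi-controller-sa",
                    },
                },
            }],
        });
    });

const ebsCsiDriverRole = new aws.iam.Role("ebs_csi_driver_role", {
    name: "AmazonEKS_EBS_CSI_DriverRole",
    assumeRolePolicy: assumeRolePolicy,
});

// Permissions the driver uses when it calls the EC2 API for EBS volumes.
const ebsCsiDriverPolicy = new aws.iam.Policy("ebs_csi_driver_policy", {
    name: "AmazonEKS_EBS_CSI_DriverPolicy",
    description: "Policy for EBS CSI Driver to interact with EBS",
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: [
                "ec2:CreateSnapshot",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:DeleteVolume",
                "ec2:CreateTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeTags",
            ],
            Resource: "*",
        }],
    }),
});

// Attach the policy to the role.
const ebsCsiDriverAttach = new aws.iam.RolePolicyAttachment("ebs_csi_driver_attach", {
    policyArn: ebsCsiDriverPolicy.arn,
    role: ebsCsiDriverRole.name,
});

// Install the add-on and bind its service account to the role. The add-on is
// created only after the policy attachment exists.
const ebsCsiDriver = new aws.eks.Addon("ebs_csi_driver", {
    clusterName: clusterName,
    addonName: "aws-ebs-csi-driver",
    serviceAccountRoleArn: ebsCsiDriverRole.arn,
}, { dependsOn: [ebsCsiDriverAttach] });

export const roleArn = ebsCsiDriverRole.arn;
export const policyArn = ebsCsiDriverPolicy.arn;
```

In this program:
- The AWS provider and its region come from the stack configuration; the program looks up the cluster's OIDC issuer and the matching IAM OIDC provider.
- An IAM role `ebs_csi_driver_role` is created with a trust relationship that allows the driver's service account (`ebs-csi-controller-sa` in `kube-system`) to assume the role through the cluster's OIDC provider.
- An IAM policy `ebs_csi_driver_policy` with permissions for the EBS CSI Driver to operate is created.
- The policy is attached to the IAM role.
- We create and configure the EKS Addon for the EBS CSI Driver, associating it with the IAM role.

The `roleArn` and `policyArn` outputs provide the ARNs of the created IAM role and policy.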
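The role passed as `serviceAccountRoleArn` is assumed by the driver's Kubernetes service account through the cluster's IAM OIDC provider, so its trust policy decides which workloads can obtain the EBS permissions. The check below is an added example, not part of the original program or of Pulumi's or AWS's code: `auditTrustPolicy`, its finding codes and the sample documents (placeholder account ID and issuer ID) are constructed for illustration.

```typescript
type Stmt = {
  Effect: string;
  Principal?: { Federated?: string; Service?: string };
  Action: string | string[];
  Condition?: { StringEquals?: { [key: string]: string | string[] } };
};
type TrustPolicy = { Version: string; Statement: Stmt[] };

// Service account the add-on's controller pods run as.
const DRIVER_SUB = "system:serviceaccount:kube-system:ebs-csi-controller-sa";
const toList = (v?: string | string[]): string[] => (v === undefined ? [] : ([] as string[]).concat(v));

// Hypothetical helper: returns finding codes; an empty list means only DRIVER_SUB is trusted.
function auditTrustPolicy(policy: TrustPolicy, expectedSub: string = DRIVER_SUB): string[] {
  const findings: string[] = [];
  const allows = policy.Statement.filter((s) => s.Effect === "Allow");
  const web = allows.filter((s) => s.Principal !== undefined && s.Principal.Federated !== undefined &&
    toList(s.Action).indexOf("sts:AssumeRoleWithWebIdentity") !== -1);
  if (web.length === 0) findings.push("no-web-identity-trust");
  for (const s of web) {
    // Condition keys are "<issuer>:sub" and "<issuer>:aud"; the issuer is the provider ARN's suffix.
    const arn = s.Principal!.Federated!;
    const issuer = arn.slice(arn.indexOf("oidc-provider/") + "oidc-provider/".length);
    const eq: { [key: string]: string | string[] } = (s.Condition && s.Condition.StringEquals) || {};
    const subs = toList(eq[issuer + ":sub"]);
    const auds = toList(eq[issuer + ":aud"]);
    if (subs.length === 0) findings.push("sub-unrestricted"); // any service account in the cluster
    else if (subs.some((v) => v !== expectedSub)) findings.push("sub-mismatch");
    if (auds.length !== 1 || auds[0] !== "sts.amazonaws.com") findings.push("aud-unrestricted");
  }
  for (const s of allows) {
    if (s.Principal && s.Principal.Service) findings.push("service-principal:" + s.Principal.Service);
  }
  return findings;
}

// Constructed sample documents; the account ID and issuer ID are placeholders.
const ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000000000000000000000000";
const PROVIDER_ARN = "arn:aws:iam::111122223333:oidc-provider/" + ISSUER;
const webIdentity = (cond: { [key: string]: string }): TrustPolicy => ({
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { Federated: PROVIDER_ARN },
    Action: "sts:AssumeRoleWithWebIdentity", Condition: { StringEquals: cond } }],
});
const serviceOnly: TrustPolicy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Principal: { Service: "eks.amazonaws.com" }, Action: "sts:AssumeRole" }] };
const audOnly = webIdentity({ [ISSUER + ":aud"]: "sts.amazonaws.com" });
const scoped = webIdentity({ [ISSUER + ":aud"]: "sts.amazonaws.com", [ISSUER + ":sub"]: DRIVER_SUB });
console.log(auditTrustPolicy(serviceOnly), auditTrustPolicy(audOnly), auditTrustPolicy(scoped));
```

Run against the JSON produced for `assumeRolePolicy` before deployment, an empty result means the role can be assumed only by the driver's own service account.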
In summary, we’ve set up an IAM role for the EBS CSI Driver in an EKS cluster, ensuring that the necessary permissions are in place.