
How to Grant IAM Access to AWS Cluster?

Introduction

In this guide, we will explore how to grant IAM access to an AWS cluster using Pulumi with TypeScript. The solution involves creating an IAM role, attaching the necessary policies, and associating this role with an Amazon EKS cluster. With this setup, the EKS cluster uses the IAM role, which only the EKS service is trusted to assume, to access AWS resources.

Step-by-Step Explanation

To implement IAM access to your AWS cluster, follow these detailed steps:

  1. Create an IAM Role: Begin by creating an IAM role that EKS can assume. This role will have the necessary permissions to manage and access AWS resources.

  2. Attach Policies to the Role: Attach the AmazonEKSClusterPolicy to the IAM role. This policy provides the permissions needed for EKS to manage cluster resources.

  3. Create an EKS Cluster: With the IAM role in place, create an EKS cluster. Ensure that the cluster is configured to use the IAM role by specifying the role’s ARN.

  4. Export Outputs: Finally, export the EKS cluster’s name and ARN, along with the IAM role’s ARN, for easy reference and use in other parts of your infrastructure.

Key Points

  • Ensure that the IAM role’s trust policy allows EKS to assume the role.
  • Attach the appropriate policies to grant necessary permissions for cluster operations.
  • Verify that the subnet IDs are correctly specified for your VPC configuration.
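
The first key point can be checked before deployment. The following TypeScript is an added example, not part of the original answer or of Pulumi's own code: the function name `auditEksTrustPolicy` and the `BROAD_POLICY` sample are hypothetical, and it assumes the role is dedicated to the EKS cluster, so any other trusted principal is reported.

```typescript
// Added example: audit an IAM trust policy intended for an EKS cluster role.
type OneOrMany = string | string[];
interface Statement {
    Effect: string;
    Action: OneOrMany;
    Principal?: "*" | { Service?: OneOrMany; AWS?: OneOrMany; Federated?: OneOrMany };
}
const toList = (v?: OneOrMany): string[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Returns findings; an empty list means eks.amazonaws.com is the only trusted principal.
// Assumption: the role is dedicated to the EKS cluster, so anything else is flagged.
function auditEksTrustPolicy(policyJson: string): string[] {
    const doc = JSON.parse(policyJson) as { Statement: Statement | Statement[] };
    const statements = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
    const findings: string[] = [];
    let eksCanAssume = false;
    statements.forEach((st, i) => {
        if (st.Effect !== "Allow") return; // Deny statements cannot widen trust
        const actions = toList(st.Action);
        if (actions.some(a => a === "*" || a === "sts:*")) findings.push(`Statement ${i}: wildcard action`);
        const p = st.Principal;
        if (p === undefined) return;
        if (p === "*") { findings.push(`Statement ${i}: wildcard principal`); return; }
        for (const svc of toList(p.Service)) {
            if (svc !== "eks.amazonaws.com") findings.push(`Statement ${i}: unexpected service ${svc}`);
            else if (actions.some(a => a === "sts:AssumeRole")) eksCanAssume = true;
        }
        for (const other of [...toList(p.AWS), ...toList(p.Federated)]) {
            findings.push(`Statement ${i}: non-service principal ${other}`);
        }
    });
    if (!eksCanAssume) findings.push("eks.amazonaws.com cannot call sts:AssumeRole");
    return findings;
}

// The trust policy from this page's full code example.
const PAGE_POLICY = JSON.stringify({
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Principal: { Service: "eks.amazonaws.com" }, Sid: "" }],
});
// Constructed sample: also trusts EC2 and every AWS principal.
const BROAD_POLICY = JSON.stringify({
    Version: "2012-10-17",
    Statement: { Effect: "Allow", Action: "sts:AssumeRole",
        Principal: { Service: ["eks.amazonaws.com", "ec2.amazonaws.com"], AWS: "*" } },
});

console.log(auditEksTrustPolicy(PAGE_POLICY));
console.log(auditEksTrustPolicy(BROAD_POLICY));
```

The same function can be run in a unit test or CI step against the JSON passed to `assumeRolePolicy`, failing the build when the returned list is not empty.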

Conclusion

By following these steps, you have successfully set up IAM access for your AWS EKS cluster using Pulumi in TypeScript. This configuration allows for secure and efficient management of resources within your EKS cluster, leveraging the power of AWS IAM for access control.

Full Code Example

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an IAM Role
const role = new aws.iam.Role("eksRole", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Action: "sts:AssumeRole",
                Principal: {
                    Service: "eks.amazonaws.com",
                },
                Effect: "Allow",
                Sid: ""
            }
        ]
    })
});

// Attach the AmazonEKSClusterPolicy to the role
const rolePolicyAttachment = new aws.iam.RolePolicyAttachment("eksRolePolicyAttachment", {
    role: role.name,
    policyArn: "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
});

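// Create an EKS Cluster
const eksCluster = new aws.eks.Cluster("eksCluster", {
    roleArn: role.arn,
    vpcConfig: {
        // Replace with your subnet IDs. EKS requires subnets in at least two
        // Availability Zones; the second ID below is a placeholder.
        subnetIds: ["subnet-0bb1c79de3EXAMPLE", "subnet-SECOND-AZ-EXAMPLE"],
    }
}, {
    // Make sure the policy is attached before the cluster is created
    // (and detached only after the cluster is deleted).
    dependsOn: [rolePolicyAttachment],
});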

export const eksClusterName = eksCluster.name;
export const eksClusterArn = eksCluster.arn;
export const iamRoleArn = role.arn;
