**Help improve this page** To contribute to this user guide, choose the **Edit this page on GitHub** link that is located in the right pane of every page. # Amazon EKS cluster IAM role Cluster IAM role An Amazon EKS cluster IAM role is required for each cluster. Kubernetes clusters managed by Amazon EKS use this role to manage nodes and the [legacy Cloud Provider](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/#legacy-cloud-provider) uses this role to create load balancers with Elastic Load Balancing for services. Before you can create Amazon EKS clusters, you must create an IAM role with either of the following IAM policies: + [AmazonEKSClusterPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEKSClusterPolicy.html) + A custom IAM policy. The minimal permissions that follow allows the Kubernetes cluster to manage nodes, but doesn’t allow the [legacy Cloud Provider](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/#legacy-cloud-provider) to create load balancers with Elastic Load Balancing. Your custom IAM policy must have at least the following permissions: ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "ForAnyValue:StringLike": { "aws:TagKeys": "kubernetes.io/cluster/*" } } }, { "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:DescribeDhcpOptions", "ec2:DescribeAvailabilityZones", "ec2:DescribeInstanceTopology", "kms:DescribeKey" ], "Resource": "*" } ] } ``` **Note** Prior to October 3, 2023, [AmazonEKSClusterPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEKSClusterPolicy.html) was required on the IAM role for each cluster. Prior to April 16, 2020, [AmazonEKSServicePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEKSServicePolicy.html) and [AmazonEKSClusterPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEKSClusterPolicy.html) was required and the suggested name for the role was `eksServiceRole`. With the `AWSServiceRoleForAmazonEKS` service-linked role, the [AmazonEKSServicePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEKSServicePolicy.html) policy is no longer required for clusters created on or after April 16, 2020. ## Check for an existing cluster role You can use the following procedure to check and see if your account already has the Amazon EKS cluster role. 1. Open the IAM console at https://console.aws.amazon.com/iam/. 1. In the left navigation pane, choose **Roles**. 1. Search the list of roles for `eksClusterRole`. If a role that includes `eksClusterRole` doesn’t exist, then see [Creating the Amazon EKS cluster role](#create-service-role) to create the role. If a role that includes `eksClusterRole` does exist, then select the role to view the attached policies. 1. Choose **Permissions**. 1. Ensure that the **AmazonEKSClusterPolicy** managed policy is attached to the role. If the policy is attached, your Amazon EKS cluster role is properly configured. 1. Choose **Trust relationships**, and then choose **Edit trust policy**. 1. Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose **Cancel**. If the trust relationship doesn’t match, copy the policy into the **Edit trust policy** window and choose **Update policy**. ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "eks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } ``` ## Creating the Amazon EKS cluster role You can use the AWS Management Console or the AWS CLI to create the cluster role. AWS Management Console 1. Open the IAM console at https://console.aws.amazon.com/iam/. 1. Choose **Roles**, then **Create role**. 1. Under **Trusted entity type**, select ** AWS service**. 1. From the **Use cases for other AWS services** dropdown list, choose **EKS**. 1. Choose **EKS - Cluster** for your use case, and then choose **Next**. 1. On the **Add permissions** tab, choose **Next**. 1. For **Role name**, enter a unique name for your role, such as `eksClusterRole`. 1. For **Description**, enter descriptive text such as `Amazon EKS - Cluster role`. 1. Choose **Create role**. AWS CLI 1. Copy the following contents to a file named *cluster-trust-policy.json*. ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "eks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } ``` 1. Create the role. You can replace *eksClusterRole* with any name that you choose. ``` aws iam create-role \ --role-name eksClusterRole \ --assume-role-policy-document file://"cluster-trust-policy.json" ``` 1. Attach the required IAM policy to the role. ``` aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy \ --role-name eksClusterRole ```