Amazon EKS
- Prerequisites: Have your AWS credentials ready, including access key and secret access key, with permissions to access the EKS_READER_ROLE.
- Configuring Playbooks: In the Playbooks dashboard, navigate to Integrations > AWS EKS. Enter your AWS access key ID, secret access key, specify the region of your EKS account and the EKS_READER_ROLE.
- Testing the Integration: Test the integration.
Note: For security reasons, it is recommended to create a new user with access attached to these permissions.
Steps to create a new user:
Step 1: Create a policy (AmazonEKSViewNodesAndWorkloadsPolicy) with this json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:DescribeNodegroup",
"eks:ListNodegroups",
"eks:DescribeCluster",
"eks:ListClusters",
"eks:AccessKubernetesApi",
"ssm:GetParameter",
"eks:ListUpdates",
"eks:ListFargateProfiles"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "eks.amazonaws.com"
}
}
}
]
}
Step 2: Create a role (eks-reader) with the above policy attached
Step 3: Create a another policy (AmazonEKSAssumeEKSReaderPolicy) in your IAM that allows assuming this role with the following json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::<aws_account_id>:role/eks-reader"
}
]
}
Step 4: Create a new user in your IAM with the both the policies created above attached- AmazonEKSAssumeEKSReaderPolicy and AmazonEKSViewNodesAndWorkloadsPolicy.
You don't need to add any group to the user.
Step 5: Once the user is created, create an access key by going to "Security Credentials".

Step 4: Select "Third-party service" while creating the key.

Step 5: Copy paste the access key and secret key in Playbooks Integrations page .
Step 6: Now we will give eks-reader role the permission to query the cluster. We'll do that by creating a config map, a cluster role and a new role binding.
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapRoles: |
- rolearn: <eks-reader-role-arn>
username: eks-reader
groups:
- eks-read-only-group
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: eks-read-only
rules:
- apiGroups: [""]
resources: ["pods", "services", "namespaces"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: eks-readonly-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: eks-read-only
subjects:
- kind: Group
name: eks-read-only-group
apiGroup: rbac.authorization.k8s.io
Run the following commands (using credentials of a user who has cluster admin privileges).
- kubectl apply -f auth.yaml -n kube-system
- kubectl apply -f role.yaml -n kube-system
Now, you should be able to query your cluster resources from the Playbook tasks within Doctor Droid.
Updated 15 days ago