Skip to main content
  1. Prerequisites: Have your AWS credentials ready, including access key and secret access key, with permissions to access the EKS role.
  2. Configuring Playbooks: In the Playbooks dashboard, navigate to Integrations > AWS EKS. Enter your AWS access key ID, secret access key, region, EKS role ARN, and External ID (you generate this in Step 2 below and add it when creating the role in the AWS console).
  3. Testing the Integration: Test the integration.
Note: For security reasons, it is recommended to create a new user with access attached to these permissions.

Steps to create a new user:

Step 1: Create a policy (AmazonEKSViewNodesAndWorkloadsPolicy) with this json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "eks:AccessKubernetesApi",
                "ssm:GetParameter",
                "eks:ListUpdates",
                "eks:ListFargateProfiles"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "eks.amazonaws.com"
                }
            }
        }
    ]
}

Step 2: Generate External ID and create the role (eks-reader)

  1. In DrDroid, go to Integrations → AWS EKS. In the External ID field click Generate, then copy the value (you will use it in the AWS console and again when saving the connector).
  2. In the AWS console, go to IAM → Roles → Create role. Attach the policy from Step 1 (AmazonEKSViewNodesAndWorkloadsPolicy).
  3. For Trust policy, choose Custom trust policy and use the following (replace <YOUR_ACCOUNT_ID> with your AWS account ID and <EXTERNAL_ID_FROM_DRDROID> with the value you generated in step 1):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<YOUR_ACCOUNT_ID>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<EXTERNAL_ID_FROM_DRDROID>"
                }
            }
        }
    ]
}
  1. Name the role (e.g. eks-reader) and create it. You will enter this role’s ARN and the same External ID in DrDroid when configuring the connector.

Step 3: Create a policy (AmazonEKSAssumeEKSReaderPolicy) in your IAM that allows assuming this role with the following json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::<aws_account_id>:role/eks-reader"
        }
    ]
}

Step 4: Create a new user in your IAM with both policies attached

Attach AmazonEKSAssumeEKSReaderPolicy and AmazonEKSViewNodesAndWorkloadsPolicy to the user. You don’t need to add any group to the user.

Step 5: Create an access key

Once the user is created, go to Security credentials and create an access key.

Step 6: Select “Third-party service” while creating the key

Step 7: Add credentials and External ID in DrDroid

Copy the access key and secret key into Integrations → AWS EKS on the Integrations page. Enter the Assumed Role ARN (the eks-reader role ARN), AWS Region, and the same External ID you generated in Step 2. Test the integration, then save.

Step 8: Give the eks-reader role permission to query the cluster We’ll do that by creating a config map, a cluster role and a new role binding.

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <eks-reader-role-arn>
      username: eks-reader
      groups:
        - eks-read-only-group
Run the following commands (using credentials of a user who has cluster admin privileges).
  • kubectl apply -f auth.yaml -n kube-system
  • kubectl apply -f role.yaml -n kube-system
Now, you should be able to query your cluster resources from the Playbook tasks within DrDroid.