> ## Documentation Index
> Fetch the complete documentation index at: https://docs.drdroid.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Amazon EKS

1. **Prerequisites**: Have your AWS credentials ready, including [access key and secret access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), with permissions to access the EKS role.
2. **Configuring Playbooks**: In the Playbooks dashboard, navigate to Integrations > AWS EKS. Enter your AWS access key ID, secret access key, region, EKS role ARN, and **External ID** (you generate this in Step 2 below and add it when creating the role in the AWS console).
3. **Testing the Integration**: Test the integration.

Note: For security reasons, it is recommended to create a new user with access attached to these permissions.

### Steps to create a new user:

#### Step 1: Create a policy (AmazonEKSViewNodesAndWorkloadsPolicy) with this json:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "eks:AccessKubernetesApi",
                "ssm:GetParameter",
                "eks:ListUpdates",
                "eks:ListFargateProfiles"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "eks.amazonaws.com"
                }
            }
        }
    ]
}
```

#### Step 2: Generate External ID and create the role (eks-reader)

1. In DrDroid, go to **Integrations → AWS EKS**. In the **External ID** field click **Generate**, then copy the value (you will use it in the AWS console and again when saving the connector).
2. In the AWS console, go to **IAM → Roles → Create role**. Attach the policy from Step 1 (AmazonEKSViewNodesAndWorkloadsPolicy).
3. For **Trust policy**, choose **Custom trust policy** and use the following (replace `<YOUR_ACCOUNT_ID>` with your AWS account ID and `<EXTERNAL_ID_FROM_DRDROID>` with the value you generated in step 1):

```json theme={null}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<YOUR_ACCOUNT_ID>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<EXTERNAL_ID_FROM_DRDROID>"
                }
            }
        }
    ]
}
```

4. Name the role (e.g. `eks-reader`) and create it. You will enter this role’s ARN and the same External ID in DrDroid when configuring the connector.

#### Step 3: Create a policy (AmazonEKSAssumeEKSReaderPolicy) in your IAM that allows assuming this role with the following json:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::<aws_account_id>:role/eks-reader"
        }
    ]
}
```

#### Step 4: Create a new user in your IAM with both policies attached

Attach **AmazonEKSAssumeEKSReaderPolicy** and **AmazonEKSViewNodesAndWorkloadsPolicy** to the user.

You don't need to add any group to the user.

#### Step 5: Create an access key

Once the user is created, go to **Security credentials** and create an access key.

<img src="https://mintcdn.com/drdroid-88/2Y8WytCvgRMedNTV/images/docs/505ae58-Screenshot_2023-12-22_at_12.51.39_PM.png?fit=max&auto=format&n=2Y8WytCvgRMedNTV&q=85&s=f1ed5d49ffc9ca6675a083ecb660f2c6" alt="" width="1528" height="695" data-path="images/docs/505ae58-Screenshot_2023-12-22_at_12.51.39_PM.png" />

#### Step 6: Select "Third-party service" while creating the key

<img src="https://mintcdn.com/drdroid-88/2Y8WytCvgRMedNTV/images/docs/79220d0-image.png?fit=max&auto=format&n=2Y8WytCvgRMedNTV&q=85&s=cfdfdc8c06091519f479a24ba6cb6468" alt="" width="1210" height="644" data-path="images/docs/79220d0-image.png" />

#### Step 7: Add credentials and External ID in DrDroid

Copy the access key and secret key into **Integrations → AWS EKS** on the [Integrations page](https://aiops.drdroid.io/integrations/). Enter the **Assumed Role ARN** (the eks-reader role ARN), **AWS Region**, and the same **External ID** you generated in Step 2. Test the integration, then save.

#### Step 8: Give the eks-reader role permission to query the cluster We'll do that by creating a config map, a cluster role and a new role binding.

<CodeGroup>
  ```bash bash theme={null}
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: aws-auth
    namespace: kube-system
  data:
    mapRoles: |
      - rolearn: <eks-reader-role-arn>
        username: eks-reader
        groups:
          - eks-read-only-group
  ```

  ```bash bash theme={null}
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: eks-read-only
  rules:
    - apiGroups: [""]
      resources: ["pods", "services", "namespaces"]
      verbs: ["get", "list", "watch"]

  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: eks-readonly-binding
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: eks-read-only
  subjects:
    - kind: Group
      name: eks-read-only-group
      apiGroup: rbac.authorization.k8s.io
  ```
</CodeGroup>

Run the following commands (using credentials of a user who has cluster admin privileges).

* kubectl apply -f auth.yaml -n kube-system
* kubectl apply -f role.yaml -n kube-system

Now, you should be able to query your cluster resources from the Playbook tasks within DrDroid.