In this article we will setup the AWS CLI to interact with AWS EKS (Elastic Kubernetes Service) and AWS ECR (Elastic Container Registry)).
–>
UI Console -> Find Services -> IAM (Manage User Access and Encryption Keys)
Users -> Add User -> aws-cli -> Access type* -> Select Programmatic Access -> Next: Permissions -> Set Permissions: Add user to group -> Create group -> Group name: container-admin -> Create group-> Next: Tags -> Key: Name ; Value: Container Admin -> Next: Review -> Create user -> Download .csv or take note of the Access key ID and Secret access key (click Show to uncover) -> Close
Policies -> Create policy -> JSON (tab) -> Copy and paste the below in to the provided box (replace <AWS ACCOUNT ID> in the Resource arn with your Account’s ID (shown under the top right drop-down (of your name) within the My Account page next to the Account Id: under Account Settings)):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetRole",
"iam:GetInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:ListInstanceProfiles",
"iam:AddRoleToInstanceProfile",
"iam:ListInstanceProfilesForRole",
"iam:PassRole",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:GetRolePolicy",
"iam:DeleteServiceLinkedRole",
"iam:CreateServiceLinkedRole"
],
"Resource": [
"arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
"arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/eksctl-*",
"arn:aws:iam::<AWS ACCOUNT ID>:role/eksctl-*"
]
},
{
"Effect": "Allow",
"Action": "cloudformation:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"eks:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeScalingActivities",
"autoscaling:CreateLaunchConfiguration",
"autoscaling:DeleteLaunchConfiguration",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:CreateAutoScalingGroup"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:DeleteInternetGateway",
"Resource": "arn:aws:ec2:*:*:internet-gateway/*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:CreateNatGateway",
"ec2:CreateVpc",
"ec2:AttachInternetGateway",
"ec2:DescribeVpcAttribute",
"ec2:DeleteRouteTable",
"ec2:AssociateRouteTable",
"ec2:DescribeInternetGateways",
"ec2:CreateRoute",
"ec2:CreateInternetGateway",
"ec2:RevokeSecurityGroupEgress",
"ec2:CreateSecurityGroup",
"ec2:ModifyVpcAttribute",
"ec2:DeleteInternetGateway",
"ec2:DescribeRouteTables",
"ec2:ReleaseAddress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:DeleteRoute",
"ec2:CreateRouteTable",
"ec2:DetachInternetGateway",
"ec2:DescribeNatGateways",
"ec2:DisassociateRouteTable",
"ec2:AllocateAddress",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:DeleteNatGateway",
"ec2:DeleteVpc",
"ec2:CreateSubnet",
"ec2:DescribeSubnets",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:describeAddresses",
"ec2:DescribeVpcs",
"ec2:CreateLaunchTemplate",
"ec2:DescribeLaunchTemplates",
"ec2:RunInstances",
"ec2:DeleteLaunchTemplate",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeImageAttribute",
"ec2:DescribeKeyPairs",
"ec2:ImportKeyPair"
],
"Resource": "*"
}
]
}
Review policy -> Name*: AllowEKS -> Description: Allows access to EKS and related. -> Create policy
Create policy -> JSON (tab) -> Copy and paste the below in to the provided box:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:CreateRepository",
"ecr:DeleteRepository",
"ecr:BatchDeleteImage",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy"
]
}
]
}
Review policy -> Name*: AllowECR -> Description: Allows access to ECR. -> Create policy
Groups -> Click on container-admin -> Permissions (tab)
Attach Policy -> Search for AllowEKS in Filter: -> Select -> Attach Policy
Attach Policy -> Search for AllowECR in Filter: -> Select -> Attach Policy
$ mkdir ~/.aws
(Replace <AWS ACCESS KEY>/<AWS SECRET KEY> with the values given after the username creation and <AWS DEFAULT REGION> with your default region that you would like to execute in (i.e. us-east-1, us-west-2, etc.), where applicable):
$ cat << EOF > ~/.aws/credentials > [default] > aws_access_key_id=<AWS ACCESS KEY> > aws_secret_access_key=<AWS SECRET KEY> > EOF $ chmod o-rw,g-w ~/.aws/credentials
$ cat << EOF > ~/.aws/config > [default] > region=<AWS DEFAULT REGION> > EOF $ chmod og-w ~/.aws/config
Ensure you get appropriate output (the value will be [] for “clusters”:):
$ aws eks list-clusters
Ensure you get appropriate output (the value will be [] for “repositories”:):
$ aws ecr describe-repositories
<–
References:
« AWS/Azure – Development Environment Setup for Containerization Azure – Configure the CLI in the Development Environment for Containerization »