In this article we will set up the AWS CLI to interact with AWS EKS (Elastic Kubernetes Service) and AWS ECR (Elastic Container Registry).
UI Console -> Find Services -> IAM (Manage User Access and Encryption Keys)
Users -> Add User -> aws-cli -> Access type* -> Select Programmatic Access -> Next: Permissions -> Set Permissions: Add user to group -> Create group -> Group name: container-admin -> Create group-> Next: Tags -> Key: Name ; Value: Container Admin -> Next: Review -> Create user -> Download .csv or take note of the Access key ID and Secret access key (click Show to uncover) -> Close
Policies -> Create policy -> JSON (tab) -> Copy and paste the below into the provided box (replace <AWS ACCOUNT ID> in the Resource ARNs with your account's ID, shown on the My Account page, reached from the top-right drop-down under your name, next to Account Id: under Account Settings):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:GetRole",
        "iam:GetInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:ListInstanceProfiles",
        "iam:AddRoleToInstanceProfile",
        "iam:ListInstanceProfilesForRole",
        "iam:PassRole",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:GetRolePolicy",
        "iam:DeleteServiceLinkedRole",
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
        "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/eksctl-*",
        "arn:aws:iam::<AWS ACCOUNT ID>:role/eksctl-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "cloudformation:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "eks:*" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:DeleteLaunchConfiguration",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:CreateAutoScalingGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DeleteInternetGateway",
      "Resource": "arn:aws:ec2:*:*:internet-gateway/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DeleteSubnet",
        "ec2:DeleteTags",
        "ec2:CreateNatGateway",
        "ec2:CreateVpc",
        "ec2:AttachInternetGateway",
        "ec2:DescribeVpcAttribute",
        "ec2:DeleteRouteTable",
        "ec2:AssociateRouteTable",
        "ec2:DescribeInternetGateways",
        "ec2:CreateRoute",
        "ec2:CreateInternetGateway",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:CreateSecurityGroup",
        "ec2:ModifyVpcAttribute",
        "ec2:DeleteInternetGateway",
        "ec2:DescribeRouteTables",
        "ec2:ReleaseAddress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:DescribeTags",
        "ec2:CreateTags",
        "ec2:DeleteRoute",
        "ec2:CreateRouteTable",
        "ec2:DetachInternetGateway",
        "ec2:DescribeNatGateways",
        "ec2:DisassociateRouteTable",
        "ec2:AllocateAddress",
        "ec2:DescribeSecurityGroups",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteNatGateway",
        "ec2:DeleteVpc",
        "ec2:CreateSubnet",
        "ec2:DescribeSubnets",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImages",
        "ec2:DescribeAddresses",
        "ec2:DescribeVpcs",
        "ec2:CreateLaunchTemplate",
        "ec2:DescribeLaunchTemplates",
        "ec2:RunInstances",
        "ec2:DeleteLaunchTemplate",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeKeyPairs",
        "ec2:ImportKeyPair"
      ],
      "Resource": "*"
    }
  ]
}
Review policy -> Name*: AllowEKS -> Description: Allows access to EKS and related. -> Create policy
Create policy -> JSON (tab) -> Copy and paste the below into the provided box:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeRepositories",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:CreateRepository",
        "ecr:DeleteRepository",
        "ecr:BatchDeleteImage",
        "ecr:SetRepositoryPolicy",
        "ecr:DeleteRepositoryPolicy"
      ]
    }
  ]
}
Review policy -> Name*: AllowECR -> Description: Allows access to ECR. -> Create policy
Groups -> Click on container-admin -> Permissions (tab)
Attach Policy -> Search for AllowEKS in Filter: -> Select -> Attach Policy
Attach Policy -> Search for AllowECR in Filter: -> Select -> Attach Policy
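Before pasting the AllowEKS document above, it is worth filling in the account ID programmatically and seeing which statements grant a whole service on every resource (cloudformation:* and eks:* above). The helper below is an added example, not code from the article; ALLOW_EKS_TEMPLATE is a constructed excerpt of the article's policy, not the full document.

```python
import json
import re

# Constructed excerpt of the article's AllowEKS policy: one scoped IAM
# statement, the two service-wide wildcards and one read-only EC2 statement.
ALLOW_EKS_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:PassRole"],
     "Resource": ["arn:aws:iam::<AWS ACCOUNT ID>:role/eksctl-*"]},
    {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["eks:*"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:DescribeVpcs", "ec2:DescribeSubnets"],
     "Resource": "*"}
  ]
}"""

PLACEHOLDER = "<AWS ACCOUNT ID>"


def render_policy(template, account_id):
    """Fill in the account ID and return the parsed policy document."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    rendered = template.replace(PLACEHOLDER, account_id)
    if re.search(r"<[A-Z ]+>", rendered):
        raise ValueError("a placeholder was left unreplaced")
    return json.loads(rendered)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_broad_statements(policy):
    """Return (index, wildcard actions) for Allow statements that grant a
    whole service ("svc:*") on every resource; review these before use."""
    broad = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(stmt.get("Action", [])) if a.endswith(":*")]
        if wild and "*" in _as_list(stmt.get("Resource", [])):
            broad.append((i, wild))
    return broad
```

Call render_policy(ALLOW_EKS_TEMPLATE, "<your 12-digit id>") and pass the result to find_broad_statements; on this excerpt it reports statements 1 (cloudformation:*) and 2 (eks:*).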
$ mkdir ~/.aws
(Replace <AWS ACCESS KEY>/<AWS SECRET KEY> with the values given after the user creation and <AWS DEFAULT REGION> with the default region you would like to execute in (i.e. us-east-1, us-west-2, etc.), where applicable):
$ cat << EOF > ~/.aws/credentials
[default]
aws_access_key_id=<AWS ACCESS KEY>
aws_secret_access_key=<AWS SECRET KEY>
EOF
$ chmod 600 ~/.aws/credentials
$ cat << EOF > ~/.aws/config
[default]
region=<AWS DEFAULT REGION>
EOF
$ chmod og-w ~/.aws/config
Ensure you get appropriate output (the "clusters" value will be [] because nothing has been created yet):
$ aws eks list-clusters
Ensure you get appropriate output (the "repositories" value will be [] because nothing has been created yet):
$ aws ecr describe-repositories
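If either command above fails with an authentication or region error, the usual cause is a placeholder left in ~/.aws/credentials or ~/.aws/config, or a credentials file that is readable by other users. The checker below is an added example, not from the article; it writes constructed sample files into a temporary directory so it runs offline, and write_private is an assumed helper that creates the file with mode 0600 from the start rather than chmod-ing it afterwards.

```python
import configparser
import os
import stat
import tempfile

# Constructed samples: the credentials file still holds the placeholders,
# as it would if the replace step above had been skipped.
SAMPLE_CREDENTIALS = ("[default]\n"
                      "aws_access_key_id=<AWS ACCESS KEY>\n"
                      "aws_secret_access_key=<AWS SECRET KEY>\n")
SAMPLE_CONFIG = "[default]\nregion=us-east-1\n"


def write_private(path, content):
    """Create the file with mode 0600 from the start, so it is never
    group- or world-readable, not even between the write and a chmod."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(path, 0o600)


def check_aws_files(cred_path, config_path, profile="default"):
    """Return the problems found; an empty list means the files look right."""
    problems = []
    mode = stat.S_IMODE(os.stat(cred_path).st_mode)
    if mode & 0o077:
        problems.append(f"{cred_path} is group/other accessible (mode {mode:o})")
    creds = configparser.ConfigParser()
    creds.read(cred_path)
    for key in ("aws_access_key_id", "aws_secret_access_key"):
        value = creds.get(profile, key, fallback="")
        if not value or value.startswith("<"):
            problems.append(f"{key} is missing or still a placeholder")
    cfg = configparser.ConfigParser()
    cfg.read(config_path)
    region = cfg.get(profile, "region", fallback="")
    if not region or region.startswith("<"):
        problems.append("region is missing or still a placeholder")
    return problems


def demo():
    """Write the samples into a temp dir and check them (offline)."""
    d = tempfile.mkdtemp()
    cred, conf = os.path.join(d, "credentials"), os.path.join(d, "config")
    write_private(cred, SAMPLE_CREDENTIALS)
    write_private(conf, SAMPLE_CONFIG)
    return check_aws_files(cred, conf)
```

To check a real setup, call check_aws_files(os.path.expanduser("~/.aws/credentials"), os.path.expanduser("~/.aws/config")) and expect an empty list.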