Posted On: Apr 16, 2020
HAQM Elastic Kubernetes Service (EKS) now supports using AWS Identity and Access Management (IAM) service-linked roles to easily delegate cluster management permissions to EKS.
The EKS service-linked role is predefined by HAQM EKS and includes the permissions that EKS requires to create and manage clusters. One example is creating the HAQM Elastic Compute Cloud (HAQM EC2) cross-account Elastic Network Interfaces (ENIs) that carry traffic between the EKS control plane and your worker nodes. A service-linked role makes setting up HAQM EKS easier because you don’t have to manually add the necessary permissions.
Unlike a normal IAM role, you cannot delete the service-linked role while it is still in use by an HAQM EKS cluster. This protects against service downtime or upgrade failures that could result from inadvertently revoking the permissions HAQM EKS needs to manage clusters on your behalf. Actions that HAQM EKS performs using its service-linked role are logged in AWS CloudTrail, so you can audit what the service did with the delegated permissions.
As of today, the HAQM EKS service-linked role is used for all new clusters created in AWS regions where HAQM EKS is available. You don't need to manually create the service-linked role. When you create a cluster in the AWS Management Console, the AWS CLI, or the AWS API, HAQM EKS creates the service-linked role for you. To learn more about HAQM EKS and its service-linked role, please visit the HAQM EKS documentation.
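As an added example (not part of this announcement and not AWS's own tooling), the following Python scans a batch of CloudTrail records for the three events a practitioner would want to see around the service-linked role: its creation, actions EKS performed using it, and attempts to delete it. The role name, the service principal, and the CloudTrail field names (`aWSServiceName`, `sessionContext.sessionIssuer.arn`, `errorCode`) are assumptions about the record format rather than values given on the page, and the sample records are constructed for the example.

```python
"""Flag CloudTrail records that involve the EKS service-linked role.

Assumptions (not stated on the page): the service principal that owns the
role, the role name EKS creates, and the CloudTrail field names used below.
"""
from typing import List, Optional

# Assumed identifiers; adjust to what `aws iam get-role` shows in your account.
EKS_SERVICE_PRINCIPAL = "eks.amazonaws.com"
EKS_SLR_NAME = "AWSServiceRoleForHAQMEKS"
# Service-linked roles live under the aws-service-role/<principal>/ path.
SLR_PATH_FRAGMENT = f"role/aws-service-role/{EKS_SERVICE_PRINCIPAL}/"


def classify(record: dict) -> Optional[str]:
    """Return a label for records touching the EKS service-linked role, else None."""
    event = record.get("eventName", "")
    source = record.get("eventSource", "")
    params = record.get("requestParameters") or {}
    identity = record.get("userIdentity") or {}

    # 1. Creation: IAM CreateServiceLinkedRole naming the EKS service principal.
    if source == "iam.amazonaws.com" and event == "CreateServiceLinkedRole":
        if params.get("aWSServiceName") == EKS_SERVICE_PRINCIPAL:
            return "slr-created"
        return None

    # 2. Deletion attempts. The page says the role cannot be deleted while a
    #    cluster uses it; DeleteRole fails synchronously, while
    #    DeleteServiceLinkedRole starts an asynchronous task that may fail
    #    later, so record the attempt and any error rather than assume the outcome.
    if source == "iam.amazonaws.com" and event in ("DeleteRole", "DeleteServiceLinkedRole"):
        if params.get("roleName") == EKS_SLR_NAME:
            return f"slr-delete-attempt:error={record.get('errorCode', 'none')}"
        return None

    # 3. Actions EKS performed with the role: the session issuer is the SLR ARN.
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    if identity.get("type") == "AssumedRole" and SLR_PATH_FRAGMENT in issuer.get("arn", ""):
        return f"slr-used:{event}"
    return None


def scan(records: List[dict]) -> List[str]:
    """Labels for every record that involves the service-linked role, in order."""
    return [label for label in (classify(r) for r in records) if label is not None]


# Constructed sample records (not real CloudTrail output).
SAMPLE_RECORDS = [
    {
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateServiceLinkedRole",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"aWSServiceName": EKS_SERVICE_PRINCIPAL},
    },
    {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateNetworkInterface",
        "userIdentity": {
            "type": "AssumedRole",
            "invokedBy": EKS_SERVICE_PRINCIPAL,
            "sessionContext": {
                "sessionIssuer": {
                    "arn": f"arn:aws:iam::123456789012:{SLR_PATH_FRAGMENT}{EKS_SLR_NAME}"
                }
            },
        },
    },
    {
        "eventSource": "iam.amazonaws.com",
        "eventName": "DeleteRole",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"roleName": EKS_SLR_NAME},
        "errorCode": "UnmodifiableEntityException",  # constructed error value
    },
    {   # Deletion of an unrelated role must not be flagged.
        "eventSource": "iam.amazonaws.com",
        "eventName": "DeleteRole",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"roleName": "ci-deploy-role"},
    },
]


if __name__ == "__main__":
    for label in scan(SAMPLE_RECORDS):
        print(label)
```

In practice you would feed this the `Records` array from CloudTrail log files in S3 or the output of `aws cloudtrail lookup-events`; matching on the `aws-service-role/` path rather than the bare role name is what keeps the third rule specific to service-linked roles.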