Create IAM Role for AWS Load Balancer Controller

In this section you will create an IAM role for the service account that AWS Load Balancer Controller will run with so that it has permissions to manage AWS resources for your Application Load Balancer.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
    
  2. Specify the IAM policy name for AWS Load Balancer Controller:

    root@rok-tools:~/ops/deployments# export IAM_POLICY_NAME=AWSLoadBalancerControllerIAMPolicy
    
  3. Create the necessary policy to allow AWS Load Balancer Controller to manage AWS resources on your behalf:

    root@rok-tools:~/ops/deployments# aws iam create-policy \
    >     --policy-name ${IAM_POLICY_NAME?} \
    >     --policy-document file://rok/aws-load-balancer-controller/iam-policy-albv2.json
    

    Alternatively, save the JSON policy document provided below or download iam-policy-albv2.json and use it locally.

  4. Specify the IAM role name and description for AWS Load Balancer Controller:

    root@rok-tools:~/ops/deployments# export IAM_ROLE_NAME=eks-aws-load-balancer-controller-${CLUSTERNAME?}
    root@rok-tools:~/ops/deployments# export IAM_ROLE_DESCRIPTION="AWS Load Balancer Controller"
    
  5. Specify the service account name and namespace that AWS Load Balancer Controller will run with:

    root@rok-tools:~/ops/deployments# export SERVICE_ACCOUNT_NAMESPACE=kube-system
    root@rok-tools:~/ops/deployments# export SERVICE_ACCOUNT_NAME=aws-load-balancer-controller
    
  6. Obtain your AWS account ID:

    root@rok-tools:~/ops/deployments# export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
    
  7. Obtain the OIDC provider ID of your EKS cluster:

    root@rok-tools:~/ops/deployments# export OIDC_PROVIDER=$(aws eks describe-cluster --name ${CLUSTERNAME?} --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
    
  8. Render the trust policy document template with the variables you have specified:

    root@rok-tools:~/ops/deployments# j2 rok/eks/iamsa-trust.json.j2 -o iam-${IAM_ROLE_NAME?}-trust.json
    

    Alternatively, save the JSON policy document provided below or download iamsa-trust.json.j2 and use it locally.

  9. Commit the formatted JSON file to the local GitOps repository:

    root@rok-tools:~/ops/deployments# git add iam-${IAM_ROLE_NAME?}-trust.json
    root@rok-tools:~/ops/deployments# git commit -m "Add JSON trust policy document for ${IAM_ROLE_NAME?}"
    
  10. Create the IAM role:

    root@rok-tools:~/ops/deployments# aws iam create-role \
    >     --role-name ${IAM_ROLE_NAME?} \
    >     --assume-role-policy-document file://iam-${IAM_ROLE_NAME?}-trust.json \
    >     --description "${IAM_ROLE_DESCRIPTION?}"
    
  11. Attach the desired policy to the created role:

    root@rok-tools:~/ops/deployments# aws iam attach-role-policy \
    >     --role-name ${IAM_ROLE_NAME?} \
    >     --policy-arn=arn:aws:iam::${AWS_ACCOUNT_ID?}:policy/${IAM_POLICY_NAME?}
    
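The trust policy rendered in step 8 is what ties the role to a single Kubernetes service account: the role can only be assumed through the cluster's OIDC provider, and only by a token whose `sub` claim is `system:serviceaccount:<namespace>:<name>`. The page does not show the contents of iamsa-trust.json.j2, so the helper below is an added example (not part of the rok tooling) that renders a trust policy of the standard IRSA shape from the same variables, plus a check, useful alongside the Verify section, that a rendered document is scoped to exactly the intended service account and not a wildcard.

```shell
#!/bin/sh
# Added example: renders an IRSA trust policy of the standard shape
# (Federated OIDC principal, AssumeRoleWithWebIdentity, sub/aud conditions).
# The real template, rok/eks/iamsa-trust.json.j2, is not shown on the page;
# this reproduces what such a template is expected to output.

render_trust_policy() {
    # $1 AWS account ID, $2 OIDC provider (issuer without https://),
    # $3 service account namespace, $4 service account name
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::$1:oidc-provider/$2"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$2:sub": "system:serviceaccount:$3:$4",
          "$2:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
}

# Print the subject the trust policy's sub condition is bound to.
trust_policy_subject() {
    sed -n 's/.*"[^"]*:sub": *"\([^"]*\)".*/\1/p'
}

# Return 0 only if the policy in file $1 admits exactly
# system:serviceaccount:$2:$3 (a wildcard or other namespace fails).
check_trust_policy() {
    sub=$(trust_policy_subject < "$1")
    [ "$sub" = "system:serviceaccount:$2:$3" ]
}
```

Run `check_trust_policy iam-${IAM_ROLE_NAME?}-trust.json "$SERVICE_ACCOUNT_NAMESPACE" "$SERVICE_ACCOUNT_NAME"` against the file produced in step 8 before committing it.
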
Upgrade from ALB Ingress Controller to AWS Load Balancer Controller

Note

In case you are upgrading from ALB Ingress Controller to AWS Load Balancer Controller, you have to assign some extra permissions to the IAM role so that the new controller will be able to manage existing AWS resources. To do so, follow the extra steps below.

  1. Create the extra policy to allow the AWS Load Balancer Controller pod to manage existing AWS resources created previously by ALB Ingress Controller:

    root@rok-tools:~/ops/deployments# aws iam create-policy \
    >     --policy-name AWSLoadBalancerControllerExtraIAMPolicy \
    >     --policy-document file://rok/aws-load-balancer-controller/iam-policy-albv2-extra.json
    

    Alternatively, save the JSON policy document provided below or download iam-policy-albv2-extra.json and use it locally.

  2. Attach the policy to the previously created IAM role:

    root@rok-tools:~/ops/deployments# aws iam attach-role-policy \
    >     --role-name ${IAM_ROLE_NAME?} \
    >     --policy-arn=arn:aws:iam::${AWS_ACCOUNT_ID?}:policy/AWSLoadBalancerControllerExtraIAMPolicy
    

Verify

  1. Verify that the IAM role exists and obtain its ARN:

    root@rok-tools:~/ops/deployments# aws iam get-role \
    >     --role-name ${IAM_ROLE_NAME?} \
    >     --query Role.Arn \
    >     --output text
    arn:aws:iam::123456789012:role/eks-aws-load-balancer-controller-arrikto-cluster
    
  2. Verify that the role has the desired policies attached:

    root@rok-tools:~/ops/deployments# aws iam list-attached-role-policies --role-name ${IAM_ROLE_NAME?}
    {
        "AttachedPolicies": [
            {
                "PolicyName": "AWSLoadBalancerControllerIAMPolicy",
                "PolicyArn": "arn:aws:iam::409688176173:policy/AWSLoadBalancerControllerIAMPolicy"
            }
        ]
    }
    

Summary

You have successfully created the IAM role for AWS Load Balancer Controller.

What’s Next

The next step is to deploy AWS Load Balancer Controller.