Create IAM Role for ExternalDNS

In this section you will create an IAM role for the service account that ExternalDNS will run with. ExternalDNS will need this in order to have permissions to manage DNS records on your Amazon Route 53 hosted zone.


If you already have an IAM role for ExternalDNS, you may proceed to the Verify section.


  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Specify the IAM policy name for ExternalDNS:

    root@rok-tools:~/ops/deployments# export IAM_POLICY_NAME=AllowExternalDNSUpdates
  3. Create the necessary policy to allow ExternalDNS to update Route53 Resource Record Sets and Hosted Zones:

    root@rok-tools:~/ops/deployments# aws iam create-policy \
    >     --policy-name ${IAM_POLICY_NAME?} \
    >     --policy-document file://rok/external-dns/iam-policy-edns.json

    Alternatively, save the JSON policy document provided below or download iam-policy-edns.json and use it locally.

  4. Specify the IAM role name and description for ExternalDNS:

    root@rok-tools:~/ops/deployments# export IAM_ROLE_NAME=eks-external-dns-${CLUSTERNAME?}
    root@rok-tools:~/ops/deployments# export IAM_ROLE_DESCRIPTION=ExternalDNS
  5. Specify the service account name and namespace that ExternalDNS will run with:

    root@rok-tools:~/ops/deployments# export SERVICE_ACCOUNT_NAMESPACE=default
    root@rok-tools:~/ops/deployments# export SERVICE_ACCOUNT_NAME=external-dns
  6. Obtain your AWS account ID:

    root@rok-tools:~/ops/deployments# export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
  7. Obtain the OIDC provider ID of your EKS cluster:

    root@rok-tools:~/ops/deployments# export OIDC_PROVIDER=$(aws eks describe-cluster --name ${CLUSTERNAME?} --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
  8. Render the trust policy document template with the variables you have specified:

    root@rok-tools:~/ops/deployments# j2 rok/eks/iamsa-trust.json.j2 -o iam-${IAM_ROLE_NAME?}-trust.json

    Alternatively, save the JSON policy document provided below or download iamsa-trust.json.j2 and use it locally.

  9. Commit the formatted JSON file to your local GitOps repository:

    root@rok-tools:~/ops/deployments# git add iam-${IAM_ROLE_NAME?}-trust.json
    root@rok-tools:~/ops/deployments# git commit -m "Add JSON trust policy document for ${IAM_ROLE_NAME?}"
  10. Create the IAM role:

    root@rok-tools:~/ops/deployments# aws iam create-role \
    >     --role-name ${IAM_ROLE_NAME?} \
    >     --assume-role-policy-document file://iam-${IAM_ROLE_NAME?}-trust.json \
    >     --description "${IAM_ROLE_DESCRIPTION?}"
  11. Attach the desired policy to the role you created:

    root@rok-tools:~/ops/deployments# aws iam attach-role-policy \
    >     --role-name ${IAM_ROLE_NAME?} \
    >     --policy-arn=arn:aws:iam::${AWS_ACCOUNT_ID?}:policy/${IAM_POLICY_NAME?}
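The trust policy rendered in step 8 is what restricts the role to the one Kubernetes service account; a missing or wildcarded `sub` condition would let any pod in the cluster assume it. The following added example (not part of this page or of the rok/eks template, whose contents are not shown here) renders a trust policy in the standard EKS IRSA shape from the same variables the procedure exports and checks that the result is scoped to exactly that service account. The account ID and OIDC provider ID are constructed placeholders.

```python
# Assumed values for the variables the procedure exports (constructed placeholders).
AWS_ACCOUNT_ID = "123456789012"
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
SERVICE_ACCOUNT_NAMESPACE = "default"
SERVICE_ACCOUNT_NAME = "external-dns"


def render_trust_policy(account_id, oidc_provider, namespace, sa_name):
    """Build an IRSA trust policy that lets only one service account assume the role.

    This follows the standard EKS IRSA trust policy shape (assumption: the page's
    iamsa-trust.json.j2 template is not shown, so it may differ in detail).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
                f"{oidc_provider}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def check_trust_policy(doc, account_id, oidc_provider, namespace, sa_name):
    """Return a list of findings; an empty list means the trust is scoped to the one service account."""
    findings = []
    expected_principal = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt.get("Principal", {}).get("Federated") != expected_principal:
            findings.append("federated principal does not match this cluster's OIDC provider")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        sub = equals.get(f"{oidc_provider}:sub")
        if sub != expected_sub:
            # No exact :sub match (missing, or only a StringLike wildcard) lets other
            # service accounts in the cluster assume the role.
            findings.append(f"sub condition is {sub!r}, expected exact {expected_sub!r}")
        if equals.get(f"{oidc_provider}:aud") != "sts.amazonaws.com":
            findings.append("aud condition missing or not sts.amazonaws.com")
    return findings


if __name__ == "__main__":
    policy = render_trust_policy(AWS_ACCOUNT_ID, OIDC_PROVIDER, SERVICE_ACCOUNT_NAMESPACE, SERVICE_ACCOUNT_NAME)
    print(check_trust_policy(policy, AWS_ACCOUNT_ID, OIDC_PROVIDER, SERVICE_ACCOUNT_NAMESPACE, SERVICE_ACCOUNT_NAME))
```

Running `check_trust_policy` over the rendered iam-${IAM_ROLE_NAME}-trust.json before step 10 catches a template variable that was left unset or widened.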

Verify

  1. Verify that the IAM role exists and obtain its ARN:

    root@rok-tools:~/ops/deployments# aws iam get-role \
    >     --role-name ${IAM_ROLE_NAME?} \
    >     --query Role.Arn \
    >     --output text
  2. Verify that the role has the desired policies attached:

    root@rok-tools:~/ops/deployments# aws iam list-attached-role-policies --role-name ${IAM_ROLE_NAME?}
    {
        "AttachedPolicies": [
            {
                "PolicyName": "AllowExternalDNSUpdates",
                "PolicyArn": "arn:aws:iam::123456789012:policy/AllowExternalDNSUpdates"
            }
        ]
    }


You have successfully created the IAM role for ExternalDNS.

What’s Next

The next step is to deploy ExternalDNS.