Posted On: Apr 16, 2020
Amazon Elastic Kubernetes Service (EKS) now supports using AWS Identity and Access Management (IAM) service-linked roles to easily delegate cluster management permissions to EKS.
The EKS service-linked role is predefined by Amazon EKS and includes the permissions that EKS requires to create and manage clusters. Examples include creating the Amazon Elastic Compute Cloud (Amazon EC2) cross-account Elastic Network Interfaces (ENIs) that facilitate communication to your worker nodes. A service-linked role makes setting up Amazon EKS easier because you don’t have to manually add the necessary permissions.
Unlike a normal IAM role, you cannot delete the service-linked role if it is still in use by an Amazon EKS cluster. This protects from any service downtime or upgrade issues that could result from you inadvertently revoking Amazon EKS's required permissions to manage clusters on your behalf. Actions performed by Amazon EKS against its service-linked role will be logged in AWS CloudTrail.
As of today, the Amazon EKS service-linked role will be used for all new clusters created in AWS regions where Amazon EKS is available. You don't need to manually create a service-linked role. When you create a cluster in the AWS Management Console, the AWS CLI, or the AWS API, Amazon EKS creates the service-linked role for you. To learn more about Amazon EKS and its service linked role, please visit the Amazon EKS documentation.