...
```sh
eksctl update iamserviceaccount \
  --name aws-node \
  --namespace kube-system \
  --cluster poccluster \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \
  --attach-policy-arn "${new_policy_arn}" \
  --approve
```
Amazon EBS CSI Driver with Encryption
Info: OPTIONAL - This section is required only if you are using a custom KMS key for encrypting your Amazon EBS volumes.
Run the following command to create a JSON file named csi_kms_iam.json with the IAM policy. Replace custom-key-arn in both statements with the ARN of your KMS key:
```sh
cat > csi_kms_iam.json <<EOT
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": [
        "custom-key-arn"
      ],
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": [
        "custom-key-arn"
      ]
    }
  ]
}
EOT
```
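The policy above is only least-privilege if the placeholder is actually replaced with a specific key ARN and the grant statement keeps its kms:GrantIsForAWSResource condition. The following added example (not part of the original page or the EBS CSI project) builds the same two-statement policy from a list of key ARNs and lints it before it is written out; the key ARN and function names are assumptions for illustration:

```python
import json
from typing import Dict, List

def build_ebs_csi_kms_policy(key_arns: List[str]) -> Dict:
    """Build the page's two-statement policy with the key ARN(s) filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # grants let the EBS service use the key on the driver's behalf
                "Effect": "Allow",
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": list(key_arns),
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
            {   # data-key operations needed to encrypt and decrypt the volume
                "Effect": "Allow",
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": list(key_arns),
            },
        ],
    }

_as_list = lambda v: [v] if isinstance(v, str) else v  # IAM allows string or list

def lint_kms_policy(policy: Dict) -> List[str]:
    """Return least-privilege findings; an empty list means the policy passed."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        resources = _as_list(stmt.get("Resource", []))
        actions = _as_list(stmt.get("Action", []))
        # every resource must be a concrete KMS key ARN; this also catches a
        # forgotten "custom-key-arn" placeholder and a bare "*"
        for r in resources:
            if not r.startswith("arn:aws:kms:") or r.endswith("*"):
                findings.append(f"statement {i}: resource {r!r} is not a specific KMS key ARN")
        if any(a in ("*", "kms:*") for a in actions):
            findings.append(f"statement {i}: wildcard KMS action")
        # CreateGrant must be restricted to grants made for an AWS service
        if "kms:CreateGrant" in actions:
            cond = stmt.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
            if str(cond).lower() != "true":
                findings.append(f"statement {i}: kms:CreateGrant lacks kms:GrantIsForAWSResource condition")
    return findings

def render_policy_json(key_arns: List[str]) -> str:
    """Return the text for csi_kms_iam.json, refusing a policy that fails the lint."""
    policy = build_ebs_csi_kms_policy(key_arns)
    problems = lint_kms_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(policy, indent=2)
```

Writing the output of render_policy_json to csi_kms_iam.json gives the same document as the heredoc above, with the placeholder already substituted.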
Use the following command to create the IAM policy:

```sh
aws iam create-policy \
  --policy-name KMS_Key_For_Encryption_On_EBS_Policy \
  --policy-document file://csi_kms_iam.json
```
Attach the IAM policy to the role using the following command:

```sh
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::111122223333:policy/KMS_Key_For_Encryption_On_EBS_Policy \
  --role-name AmazonEKS_EBS_CSI_DriverRole
```