StackState/Agent IAM role: EKS
StackState Self-hosted v5.0.x
Last updated
StackState Self-hosted v5.0.x
Last updated
This page describes StackState version 5.0.
If StackState or the StackState Agent are running within an AWS environment in an EKS cluster instance, an IAM role can be attached to the node-group where the pods stackstate-api, stackstate-server and/or stackstate-cluster-agent are running.
stackstate-api and stackstate-server pods - the attached role can be used for authentication by StackState running in these pods.
stackstate-cluster-agent pod - the attached role can be used for authentication by StackState Cluster Agent running in this pod.
Note: If the AWS Data Collection Account and the Monitor Account are not a part of the same AWS organization, it is not possible to authenticate using the attached IAM role in this way. For details see the AWS documentation on AWS organizations (docs.aws.amazon.com).
To set up an IAM role for StackState or StackState Agent to use, follow the instructions below.
If you did not do so already, create a policy that allows the AssumeRole action for the resource arn:aws:iam::*:role/StackStateAwsIntegrationRole. Take note of the policy name.
Find the node-group that contains nodes running the relevant pod or pods and create a node group role:
StackState on EKS: stackstate-api and stackstate-server.
StackState Agent on EKS: stackstate-cluster-agent.
Attach the policy from the first step to the node-group role from the previous step.
Configure the StackPack instance or Agent AWS check to authenticate using the attached IAM role.
