Prepare credentials for hybrid nodes
Amazon EKS Hybrid Nodes use temporary IAM credentials provisioned by AWS SSM hybrid activations or AWS IAM Roles Anywhere to authenticate with the Amazon EKS cluster. You must use either AWS SSM hybrid activations or AWS IAM Roles Anywhere with the Amazon EKS Hybrid Nodes CLI (nodeadm). You should not use both AWS SSM hybrid activations and AWS IAM Roles Anywhere. It is recommended to use AWS SSM hybrid activations if you do not have an existing Public Key Infrastructure (PKI) with a Certificate Authority (CA) and certificates for your on-premises environments. If you do have existing PKI and certificates on-premises, use AWS IAM Roles Anywhere.
Hybrid Nodes IAM Role
Before you can connect hybrid nodes to your Amazon EKS cluster, you must create an IAM role that will be used with AWS SSM hybrid activations or AWS IAM Roles Anywhere for your hybrid nodes credentials. After cluster creation, you will use this role with an Amazon EKS access entry or aws-auth ConfigMap entry to map the IAM role to Kubernetes Role-Based Access Control (RBAC). For more information on associating the Hybrid Nodes IAM role with Kubernetes RBAC, see Prepare cluster access for hybrid nodes.
The Hybrid Nodes IAM role must have the following permissions.
- Permissions for nodeadm to use the eks:DescribeCluster action to gather information about the cluster used for connecting hybrid nodes to the cluster. If you do not enable the eks:DescribeCluster action, then you must pass your Kubernetes API endpoint, cluster CA bundle, and service IPv4 CIDR in the node configuration you pass to nodeadm when you run nodeadm init.
- Permissions for the kubelet to use container images from Amazon Elastic Container Registry (Amazon ECR) as defined in the AmazonEC2ContainerRegistryPullOnly policy.
- If using AWS SSM, permissions for nodeadm init to use AWS SSM hybrid activations as defined in the AmazonSSMManagedInstanceCore policy.
- If using AWS SSM, permissions to use the ssm:DeregisterManagedInstance action and the ssm:DescribeInstanceInformation action for nodeadm uninstall to deregister instances.
- (Optional) Permissions for the Amazon EKS Pod Identity Agent to use the eks-auth:AssumeRoleForPodIdentity action to retrieve credentials for pods.
Setup AWS SSM hybrid activations
Before setting up AWS SSM hybrid activations, you must have a Hybrid Nodes IAM role created and configured. For more information, see Create the Hybrid Nodes IAM role. Follow the instructions at Create a hybrid activation to register nodes with Systems Manager in the AWS Systems Manager User Guide to create an AWS SSM hybrid activation for your hybrid nodes. The Activation Code and ID you receive are used with nodeadm when you register your hosts as hybrid nodes with your Amazon EKS cluster. You can come back to this step at a later point after you have created and prepared your Amazon EKS clusters for hybrid nodes.
Important
Systems Manager immediately returns the Activation Code and ID to the console or the command window, depending on how you created the activation. Copy this information and store it in a safe place. If you navigate away from the console or close the command window, you might lose this information. If you lose it, you must create a new activation.
By default, AWS SSM hybrid activations are active for 24 hours. You can alternatively specify an --expiration-date when you create your hybrid activation in timestamp format, such as 2024-08-01T00:00:00. When you use AWS SSM as your credential provider, the node name for your hybrid nodes is not configurable, and is auto-generated by AWS SSM. You can view and manage the AWS SSM Managed Instances in the AWS Systems Manager console under Fleet Manager. You can register up to 1,000 standard hybrid-activated nodes per account per AWS Region at no additional cost. However, registering more than 1,000 hybrid nodes requires that you activate the advanced-instances tier. There is a charge to use the advanced-instances tier that is not included in the Amazon EKS Hybrid Nodes pricing.
See the example below for how to create an AWS SSM hybrid activation with your Hybrid Nodes IAM role. When you use AWS SSM hybrid activations for your hybrid nodes credentials, the names of your hybrid nodes will have the format mi-012345678abcdefgh and the temporary credentials provisioned by AWS SSM are valid for 1 hour. You cannot alter the node name or credential duration when using AWS SSM as your credential provider. The temporary credentials are automatically rotated by AWS SSM and the rotation does not impact the status of your nodes or applications.
It is recommended to use one AWS SSM hybrid activation per EKS cluster to scope the ssm:DeregisterManagedInstance permission of the Hybrid Nodes IAM role so that it can only deregister instances that are associated with your AWS SSM hybrid activation. In the example on this page, a tag with the EKS cluster ARN is used, which maps your AWS SSM hybrid activation to the EKS cluster. You can alternatively use your preferred tag and method of scoping the AWS SSM permissions based on your permission boundaries and requirements. The REGISTRATION_LIMIT option in the command below is an integer used to limit the number of machines that can use the AWS SSM hybrid activation (for example, 10).

    aws ssm create-activation \
        --region AWS_REGION \
        --default-instance-name eks-hybrid-nodes \
        --description "Activation for EKS hybrid nodes" \
        --iam-role AmazonEKSHybridNodesRole \
        --tags Key=EKSClusterARN,Value=arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:cluster/CLUSTER_NAME \
        --registration-limit REGISTRATION_LIMIT
Review the instructions on Create a hybrid activation to register nodes with Systems Manager for more information about the available configuration settings for AWS SSM hybrid activations.
Setup AWS IAM Roles Anywhere
Follow the instructions at Getting started with IAM Roles Anywhere in the IAM Roles Anywhere User Guide to set up the trust anchor and profile you will use for temporary IAM credentials for your Hybrid Nodes IAM role. When you create your profile, you can create it without adding any roles. You can create this profile, return to these steps to create your Hybrid Nodes IAM role, and then add your role to your profile after it is created. You can alternatively use the AWS CloudFormation steps later on this page to complete your IAM Roles Anywhere setup for hybrid nodes.
When you add the Hybrid Nodes IAM role to your profile, select Accept custom role session name in the Custom role session name panel at the bottom of the Edit profile page in the AWS IAM Roles Anywhere console. This corresponds to the acceptRoleSessionName field of the CreateProfile API. This allows you to supply a custom node name for your hybrid nodes in the configuration you pass to nodeadm during the bootstrap process. Passing a custom node name during the nodeadm init process is required. You can update your profile to accept a custom role session name after creating your profile.
You can configure the credential validity duration with AWS IAM Roles Anywhere through the durationSeconds field of your AWS IAM Roles Anywhere profile. The default duration is 1 hour with a maximum of 12 hours. The MaxSessionDuration setting on your Hybrid Nodes IAM role must be greater than the durationSeconds setting on your AWS IAM Roles Anywhere profile. For more information on MaxSessionDuration, see the UpdateRole API documentation.
The per-machine certificates and keys you generate from your certificate authority (CA) must be placed in the /etc/iam/pki directory on each hybrid node with the file names server.pem for the certificate and server.key for the key.
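A pre-flight check for the IAM Roles Anywhere path, added here as an example; it is not code from the EKS user guide or from nodeadm. It encodes the two requirements above: the role's MaxSessionDuration must be greater than the profile's durationSeconds (default 1 hour, maximum 12 hours), and each node must carry /etc/iam/pki/server.pem and /etc/iam/pki/server.key. The check that the private key is not group- or world-readable is an added hygiene check, not a requirement stated on this page, and the placeholder files that make_sample_pki() writes are constructed, not real certificates or keys.

```python
"""Pre-flight checks for the IAM Roles Anywhere credential path of hybrid nodes.

Added example; not code from the EKS user guide or from nodeadm.
"""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

# Limits the page gives for the Roles Anywhere profile's durationSeconds.
IRA_DEFAULT_DURATION = 3600      # 1 hour
IRA_MAX_DURATION = 12 * 3600     # 12 hours

# Location and file names the page gives for the per-machine certificate and key.
PKI_DIR = "/etc/iam/pki"
CERT_FILE = "server.pem"
KEY_FILE = "server.key"


def check_session_durations(max_session_duration: int,
                            duration_seconds: int = IRA_DEFAULT_DURATION) -> list[str]:
    """Return problems with the role/profile duration pair (empty list means OK).

    The page states that the role's MaxSessionDuration must be greater than the
    profile's durationSeconds; that rule is applied literally here.
    """
    problems = []
    if not 1 <= duration_seconds <= IRA_MAX_DURATION:
        problems.append(f"durationSeconds {duration_seconds} is outside 1..{IRA_MAX_DURATION}")
    if max_session_duration <= duration_seconds:
        problems.append(f"MaxSessionDuration {max_session_duration} is not greater than "
                        f"durationSeconds {duration_seconds}")
    return problems


def check_pki_layout(pki_dir: str = PKI_DIR) -> list[str]:
    """Check that server.pem and server.key are present where nodeadm expects them."""
    problems = []
    cert = Path(pki_dir) / CERT_FILE
    key = Path(pki_dir) / KEY_FILE
    for path in (cert, key):
        if not path.is_file():
            problems.append(f"missing {path}")
    if cert.is_file() and not cert.read_bytes().lstrip().startswith(b"-----BEGIN"):
        problems.append(f"{cert} is not PEM encoded")
    if key.is_file():
        # Added hygiene check (not a page requirement): the node's private key
        # should not be readable by group or other.
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{key} has mode {oct(mode)}; private key readable by group/other")
    return problems


def make_sample_pki(key_mode: int = 0o600) -> str:
    """Create a throwaway directory with constructed placeholder files (demo only)."""
    directory = tempfile.mkdtemp(prefix="hybrid-pki-")
    # Placeholder bodies, not real credentials.
    (Path(directory) / CERT_FILE).write_text(
        "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n")
    key = Path(directory) / KEY_FILE
    key.write_text("-----BEGIN PRIVATE KEY-----\nMAMCAQU=\n-----END PRIVATE KEY-----\n")
    os.chmod(key, key_mode)
    return directory


if __name__ == "__main__":
    for problem in check_session_durations(max_session_duration=43200, duration_seconds=3600):
        print("duration:", problem)
    for problem in check_pki_layout(make_sample_pki(0o644)):
        print("pki:", problem)
```

Run it on a node with `check_pki_layout()` (defaulting to /etc/iam/pki) before `nodeadm init`; an empty list from both functions means the inputs this page requires are in place.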
Create the Hybrid Nodes IAM role
To run the steps in this section, the IAM principal using the AWS console or AWS CLI must have the following permissions.
- iam:CreatePolicy
- iam:CreateRole
- iam:AttachRolePolicy
- If using AWS IAM Roles Anywhere:
  - rolesanywhere:CreateTrustAnchor
  - rolesanywhere:CreateProfile
  - iam:PassRole
AWS CloudFormation
Install and configure the AWS CLI, if you haven't already. See Installing or updating to the latest version of the AWS CLI.
Steps for AWS SSM hybrid activations
The CloudFormation stack creates the Hybrid Nodes IAM Role with the permissions outlined above. The CloudFormation template does not create the AWS SSM hybrid activation.
- Download the AWS SSM CloudFormation template for hybrid nodes:

      curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/example/hybrid-ssm-cfn.yaml'

- Create a cfn-ssm-parameters.json with the following options:
  - Replace ROLE_NAME with the name for your Hybrid Nodes IAM role. By default, the CloudFormation template uses AmazonEKSHybridNodesRole as the name of the role it creates if you do not specify a name.
  - Replace TAG_KEY with the AWS SSM resource tag key you used when creating your AWS SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the ssm:DeregisterManagedInstance action to only allow the Hybrid Nodes IAM role to deregister the AWS SSM managed instances that are associated with your AWS SSM hybrid activation. In the CloudFormation template, TAG_KEY defaults to EKSClusterARN.
  - Replace TAG_VALUE with the AWS SSM resource tag value you used when creating your AWS SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the ssm:DeregisterManagedInstance action to only allow the Hybrid Nodes IAM role to deregister the AWS SSM managed instances that are associated with your AWS SSM hybrid activation. If you are using the default TAG_KEY of EKSClusterARN, then pass your EKS cluster ARN as the TAG_VALUE. EKS cluster ARNs have the format arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:cluster/CLUSTER_NAME.

      {
        "Parameters": {
          "RoleName": "ROLE_NAME",
          "SSMDeregisterConditionTagKey": "TAG_KEY",
          "SSMDeregisterConditionTagValue": "TAG_VALUE"
        }
      }

- Deploy the CloudFormation stack. Replace STACK_NAME with your name for the CloudFormation stack.

      aws cloudformation deploy \
          --stack-name STACK_NAME \
          --template-file hybrid-ssm-cfn.yaml \
          --parameter-overrides file://cfn-ssm-parameters.json \
          --capabilities CAPABILITY_NAMED_IAM
Steps for AWS IAM Roles Anywhere
The CloudFormation stack creates the AWS IAM Roles Anywhere trust anchor with the certificate authority (CA) you configure, creates the AWS IAM Roles Anywhere profile, and creates the Hybrid Nodes IAM role with the permissions outlined previously.
- To set up a certificate authority (CA):
  - To use an AWS Private CA resource, open the AWS Private Certificate Authority console. Follow the instructions in the AWS Private CA User Guide.
  - To use an external CA, follow the instructions provided by the CA. You provide the certificate body in a later step.
  - Certificates issued from public CAs cannot be used as trust anchors.
- Download the AWS IAM Roles Anywhere CloudFormation template for hybrid nodes:

      curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/example/hybrid-ira-cfn.yaml'

- Create a cfn-iamra-parameters.json with the following options:
  - Replace ROLE_NAME with the name for your Hybrid Nodes IAM role. By default, the CloudFormation template uses AmazonEKSHybridNodesRole as the name of the role it creates if you do not specify a name.
  - Replace CERT_ATTRIBUTE with the per-machine certificate attribute that uniquely identifies your host. The certificate attribute you use must match the nodeName you use for the nodeadm configuration when you connect hybrid nodes to your cluster. For more information, see the Hybrid nodes nodeadm reference. By default, the CloudFormation template uses ${aws:PrincipalTag/x509Subject/CN} as the CERT_ATTRIBUTE, which corresponds to the CN field of your per-machine certificates. You can alternatively pass ${aws:PrincipalTag/x509SAN/Name/CN} as your CERT_ATTRIBUTE.
  - Replace CA_CERT_BODY with the certificate body of your CA without line breaks. The CA_CERT_BODY must be in Privacy Enhanced Mail (PEM) format. If you have a CA certificate in PEM format, remove the line breaks and the BEGIN CERTIFICATE and END CERTIFICATE lines before placing the CA certificate body in your cfn-iamra-parameters.json file.

      {
        "Parameters": {
          "RoleName": "ROLE_NAME",
          "CertAttributeTrustPolicy": "CERT_ATTRIBUTE",
          "CABundleCert": "CA_CERT_BODY"
        }
      }

- Deploy the CloudFormation template. Replace STACK_NAME with your name for the CloudFormation stack.

      aws cloudformation deploy \
          --stack-name STACK_NAME \
          --template-file hybrid-ira-cfn.yaml \
          --parameter-overrides file://cfn-iamra-parameters.json \
          --capabilities CAPABILITY_NAMED_IAM
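Preparing CA_CERT_BODY by hand is easy to get wrong: CRLF line endings, a trailing newline or a pasted BEGIN line all leave something other than the bare base64 body the template expects. The script below, added as an example and not part of the user guide or of the aws/eks-hybrid template, performs the transformation described above and writes cfn-iamra-parameters.json using the parameter names shown on this page. The SAMPLE_PEM it ships with is a constructed stand-in (a minimal DER SEQUENCE), not a real certificate.

```python
"""Build cfn-iamra-parameters.json from a PEM-encoded CA certificate.

Added example; not code from the EKS user guide or the aws/eks-hybrid repository.
"""
from __future__ import annotations

import base64
import json
import re

# Defaults and parameter names as given on the page.
DEFAULT_ROLE_NAME = "AmazonEKSHybridNodesRole"
DEFAULT_CERT_ATTRIBUTE = "${aws:PrincipalTag/x509Subject/CN}"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_ca_cert_body(pem_text: str) -> str:
    """Return the first certificate in pem_text as one base64 line without headers.

    Raises ValueError if no CERTIFICATE block is present, the body is not valid
    base64, or the decoded bytes are not a DER SEQUENCE (every X.509
    certificate starts with tag 0x30).
    """
    match = _PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no -----BEGIN CERTIFICATE----- block found")
    # split() drops \n, \r\n and stray spaces; join gives the single-line body.
    body = "".join(match.group("body").split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE, so not an X.509 certificate")
    return body


def build_iamra_parameters(ca_pem: str,
                           role_name: str = DEFAULT_ROLE_NAME,
                           cert_attribute: str = DEFAULT_CERT_ATTRIBUTE) -> dict:
    """Assemble the parameter document the hybrid-ira-cfn.yaml template takes."""
    return {
        "Parameters": {
            "RoleName": role_name,
            "CertAttributeTrustPolicy": cert_attribute,
            "CABundleCert": pem_to_ca_cert_body(ca_pem),
        }
    }


def write_parameters_file(ca_pem: str, path: str = "cfn-iamra-parameters.json", **kwargs) -> str:
    """Write the parameter document to disk and return the path written."""
    with open(path, "w") as fh:
        json.dump(build_iamra_parameters(ca_pem, **kwargs), fh, indent=2)
    return path


# Constructed stand-in for a CA certificate: a 5-byte DER SEQUENCE, base64-encoded
# with CRLF line endings the way some tools export PEM. Not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(SAMPLE_DER).decode() + "\r\n"
    + "-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    # Real usage: build_iamra_parameters(open("ca.pem").read()) or write_parameters_file(...)
    print(json.dumps(build_iamra_parameters(SAMPLE_PEM), indent=2))
```

For a real deployment, pass the contents of your CA certificate file to write_parameters_file() and then run the aws cloudformation deploy command above against the file it writes. If the PEM file holds a chain, only the first certificate block is taken; pass the CA certificate on its own if the ordering in your file is different.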
AWS CLI
Install and configure the AWS CLI, if you haven't already. See Installing or updating to the latest version of the AWS CLI.
Create EKS Describe Cluster Policy
- Create a file named eks-describe-cluster-policy.json with the following contents:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "eks:DescribeCluster"
            ],
            "Resource": "*"
          }
        ]
      }

- Create the policy with the following command:

      aws iam create-policy \
          --policy-name EKSDescribeClusterPolicy \
          --policy-document file://eks-describe-cluster-policy.json
Steps for AWS SSM hybrid activations
- Create a file named eks-hybrid-ssm-policy.json with the following contents. The policy grants permission for two actions, ssm:DescribeInstanceInformation and ssm:DeregisterManagedInstance. The policy restricts the ssm:DeregisterManagedInstance permission to AWS SSM managed instances associated with your AWS SSM hybrid activation based on the resource tag you specify in the policy condition.
  - Replace AWS_REGION with the AWS Region for your AWS SSM hybrid activation.
  - Replace AWS_ACCOUNT_ID with your AWS account ID.
  - Replace TAG_KEY with the AWS SSM resource tag key you used when creating your AWS SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the ssm:DeregisterManagedInstance action to only allow the Hybrid Nodes IAM role to deregister the AWS SSM managed instances that are associated with your AWS SSM hybrid activation. In the CloudFormation template, TAG_KEY defaults to EKSClusterARN.
  - Replace TAG_VALUE with the AWS SSM resource tag value you used when creating your AWS SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the ssm:DeregisterManagedInstance action to only allow the Hybrid Nodes IAM role to deregister the AWS SSM managed instances that are associated with your AWS SSM hybrid activation. If you are using the default TAG_KEY of EKSClusterARN, then pass your EKS cluster ARN as the TAG_VALUE. EKS cluster ARNs have the format arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:cluster/CLUSTER_NAME.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "ssm:DescribeInstanceInformation",
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": "ssm:DeregisterManagedInstance",
            "Resource": "arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:managed-instance/*",
            "Condition": {
              "StringEquals": {
                "ssm:resourceTag/TAG_KEY": "TAG_VALUE"
              }
            }
          }
        ]
      }

- Create the policy with the following command:

      aws iam create-policy \
          --policy-name EKSHybridSSMPolicy \
          --policy-document file://eks-hybrid-ssm-policy.json

- Create a file named eks-hybrid-ssm-trust.json. Replace AWS_REGION with the AWS Region of your AWS SSM hybrid activation and AWS_ACCOUNT_ID with your AWS account ID.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
              "Service": "ssm.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": {
                "aws:SourceAccount": "AWS_ACCOUNT_ID"
              },
              "ArnEquals": {
                "aws:SourceArn": "arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:*"
              }
            }
          }
        ]
      }

- Create the role with the following command:

      aws iam create-role \
          --role-name AmazonEKSHybridNodesRole \
          --assume-role-policy-document file://eks-hybrid-ssm-trust.json

- Attach the EKSDescribeClusterPolicy and the EKSHybridSSMPolicy you created in the previous steps. Replace AWS_ACCOUNT_ID with your AWS account ID.

      aws iam attach-role-policy \
          --role-name AmazonEKSHybridNodesRole \
          --policy-arn arn:aws:iam::AWS_ACCOUNT_ID:policy/EKSDescribeClusterPolicy

      aws iam attach-role-policy \
          --role-name AmazonEKSHybridNodesRole \
          --policy-arn arn:aws:iam::AWS_ACCOUNT_ID:policy/EKSHybridSSMPolicy

- Attach the AmazonEC2ContainerRegistryPullOnly and AmazonSSMManagedInstanceCore AWS managed policies.

      aws iam attach-role-policy \
          --role-name AmazonEKSHybridNodesRole \
          --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly

      aws iam attach-role-policy \
          --role-name AmazonEKSHybridNodesRole \
          --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
Steps for AWS IAM Roles Anywhere
To use AWS IAM Roles Anywhere, you must set up your AWS IAM Roles Anywhere trust anchor before creating the Hybrid Nodes IAM Role. See Setup AWS IAM Roles Anywhere for instructions.
- Create a file named eks-hybrid-iamra-trust.json. Replace TRUST_ANCHOR_ARN with the ARN of the trust anchor you created in the Setup AWS IAM Roles Anywhere steps. The condition in this trust policy restricts the ability of AWS IAM Roles Anywhere to assume the Hybrid Nodes IAM role to exchange temporary IAM credentials only when the role session name matches the CN in the x509 certificate installed on your hybrid nodes. You can alternatively use other certificate attributes to uniquely identify your node. The certificate attribute that you use in the trust policy must correspond to the nodeName you set in your nodeadm configuration. For more information, see the Hybrid nodes nodeadm reference.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "rolesanywhere.amazonaws.com"
            },
            "Action": [
              "sts:TagSession",
              "sts:SetSourceIdentity"
            ],
            "Condition": {
              "ArnEquals": {
                "aws:SourceArn": "TRUST_ANCHOR_ARN"
              }
            }
          },
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "rolesanywhere.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": {
                "sts:RoleSessionName": "${aws:PrincipalTag/x509Subject/CN}"
              },
              "ArnEquals": {
                "aws:SourceArn": "TRUST_ANCHOR_ARN"
              }
            }
          }
        ]
      }

- Create the role with the following command:

      aws iam create-role \
          --role-name AmazonEKSHybridNodesRole \
          --assume-role-policy-document file://eks-hybrid-iamra-trust.json

- Attach the EKSDescribeClusterPolicy you created in the previous steps. Replace AWS_ACCOUNT_ID with your AWS account ID.

      aws iam attach-role-policy \
          --role-name AmazonEKSHybridNodesRole \
          --policy-arn arn:aws:iam::AWS_ACCOUNT_ID:policy/EKSDescribeClusterPolicy

- Attach the AmazonEC2ContainerRegistryPullOnly AWS managed policy.

      aws iam attach-role-policy \
          --role-name AmazonEKSHybridNodesRole \
          --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly
AWS Management Console
Create EKS Describe Cluster Policy
- Open the Amazon IAM console.
- In the left navigation pane, choose Policies.
- On the Policies page, choose Create policy.
- On the Specify permissions page, in the Select a service panel, choose EKS.
- Filter actions for DescribeCluster and select the DescribeCluster Read action.
- Choose Next.
- On the Review and create page:
  - Enter a Policy name for your policy such as EKSDescribeClusterPolicy.
  - Choose Create policy.
Steps for AWS SSM hybrid activations
- Open the Amazon IAM console.
- In the left navigation pane, choose Policies.
- On the Policies page, choose Create policy.
- On the Specify permissions page, in the Policy editor top right navigation, choose JSON. Paste the following snippet. Replace AWS_REGION with the AWS Region of your AWS SSM hybrid activation and replace AWS_ACCOUNT_ID with your AWS account ID. Replace TAG_KEY and TAG_VALUE with the AWS SSM resource tag key and tag value you used when creating your AWS SSM hybrid activation.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "ssm:DescribeInstanceInformation",
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": "ssm:DeregisterManagedInstance",
            "Resource": "arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:managed-instance/*",
            "Condition": {
              "StringEquals": {
                "ssm:resourceTag/TAG_KEY": "TAG_VALUE"
              }
            }
          }
        ]
      }

- Choose Next.
- On the Review and create page:
  - Enter a Policy name for your policy such as EKSHybridSSMPolicy.
  - Choose Create policy.
- In the left navigation pane, choose Roles.
- On the Roles page, choose Create role.
- On the Select trusted entity page, do the following:
  - In the Trusted entity type section, choose Custom trust policy. Paste the following into the Custom trust policy editor. Replace AWS_REGION with the AWS Region of your AWS SSM hybrid activation and AWS_ACCOUNT_ID with your AWS account ID.

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "",
              "Effect": "Allow",
              "Principal": {
                "Service": "ssm.amazonaws.com"
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "aws:SourceAccount": "AWS_ACCOUNT_ID"
                },
                "ArnEquals": {
                  "aws:SourceArn": "arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:*"
                }
              }
            }
          ]
        }

  - Choose Next.
- On the Add permissions page, attach a custom policy or do the following:
  - In the Filter policies box, enter EKSDescribeClusterPolicy, or the name of the policy you created above. Select the check box to the left of your policy name in the search results.
  - In the Filter policies box, enter EKSHybridSSMPolicy, or the name of the policy you created above. Select the check box to the left of your policy name in the search results.
  - In the Filter policies box, enter AmazonEC2ContainerRegistryPullOnly. Select the check box to the left of AmazonEC2ContainerRegistryPullOnly in the search results.
  - In the Filter policies box, enter AmazonSSMManagedInstanceCore. Select the check box to the left of AmazonSSMManagedInstanceCore in the search results.
  - Choose Next.
- On the Name, review, and create page, do the following:
  - For Role name, enter a unique name for your role, such as AmazonEKSHybridNodesRole.
  - For Description, replace the current text with descriptive text such as Amazon EKS - Hybrid Nodes role.
  - Choose Create role.
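The eks-hybrid-ssm-policy.json document used in both the AWS CLI and the AWS Management Console steps is only as tight as its condition: without the ssm:resourceTag condition, or with an unscoped Resource, the Hybrid Nodes IAM role could deregister any managed instance in the account rather than just the nodes of one activation. The script below, added as an example and not part of the user guide, renders that policy from your Region, account and activation tag and then lints the ssm:DeregisterManagedInstance statement for exactly that scoping. The default tag key EKSClusterARN and the cluster ARN format come from this page; the Region, account ID and cluster name in its demo are constructed placeholders.

```python
"""Generate and lint the Hybrid Nodes IAM policy used with AWS SSM hybrid activations.

Added example; not code from the EKS user guide.
"""
from __future__ import annotations

import fnmatch
import json

DEFAULT_TAG_KEY = "EKSClusterARN"            # default from the CloudFormation template
TARGET_ACTION = "ssm:DeregisterManagedInstance"


def cluster_arn(region: str, account_id: str, cluster_name: str) -> str:
    """EKS cluster ARN in the format given on the page."""
    return f"arn:aws:eks:{region}:{account_id}:cluster/{cluster_name}"


def build_ssm_policy(region: str, account_id: str, tag_value: str,
                     tag_key: str = DEFAULT_TAG_KEY) -> dict:
    """Render the eks-hybrid-ssm-policy.json document from the page."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ssm:DescribeInstanceInformation", "Resource": "*"},
            {
                "Effect": "Allow",
                "Action": TARGET_ACTION,
                "Resource": f"arn:aws:ssm:{region}:{account_id}:managed-instance/*",
                "Condition": {"StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants(actions, target: str = TARGET_ACTION) -> bool:
    """IAM action matching is case-insensitive and allows * wildcards."""
    return any(fnmatch.fnmatchcase(target.lower(), a.lower()) for a in actions)


def deregister_findings(policy: dict) -> list[str]:
    """Return one finding per way an Allow statement for DeregisterManagedInstance is over-broad."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _grants(_as_list(stmt.get("Action", []))):
            continue
        where = f"statement {index}"
        for resource in _as_list(stmt.get("Resource", "*")):
            # arn:partition:service:region:account:resource
            parts = resource.split(":", 5)
            if (resource == "*" or len(parts) < 6 or parts[2] != "ssm"
                    or parts[3] in ("", "*") or parts[4] in ("", "*")):
                findings.append(f"{where}: Resource {resource!r} is not limited to managed "
                                f"instances in one Region and account")
        tag_conditions = [
            key
            for operator, pairs in stmt.get("Condition", {}).items()
            if operator == "StringEquals"
            for key in pairs
            if key.lower().startswith("ssm:resourcetag/")
        ]
        if not tag_conditions:
            findings.append(f"{where}: no StringEquals ssm:resourceTag/<key> condition; every "
                            f"managed instance in scope could be deregistered")
    return findings


if __name__ == "__main__":
    # Constructed placeholders, not real resources.
    region, account = "us-west-2", "111122223333"
    policy = build_ssm_policy(region, account, cluster_arn(region, account, "my-cluster"))
    print(json.dumps(policy, indent=2))
    print("findings:", deregister_findings(policy) or "none")
    weak = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "ssm:*", "Resource": "*"}]}
    print("findings for an unscoped policy:", deregister_findings(weak))
```

The linter also accepts a policy document fetched from IAM (for example the output of aws iam get-policy-version, after parsing the Document field), so it can be run against the role that exists in the account rather than only against the file you are about to upload.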
Steps for AWS IAM Roles Anywhere
To use AWS IAM Roles Anywhere, you must set up your AWS IAM Roles Anywhere trust anchor before creating the Hybrid Nodes IAM Role. See Setup AWS IAM Roles Anywhere for instructions.
- Open the Amazon IAM console.
- In the left navigation pane, choose Roles.
- On the Roles page, choose Create role.
- On the Select trusted entity page, do the following:
  - In the Trusted entity type section, choose Custom trust policy. Paste the following into the Custom trust policy editor. Replace TRUST_ANCHOR_ARN with the ARN of the trust anchor you created in the Setup AWS IAM Roles Anywhere steps. The condition in this trust policy restricts the ability of AWS IAM Roles Anywhere to assume the Hybrid Nodes IAM role to exchange temporary IAM credentials only when the role session name matches the CN in the x509 certificate installed on your hybrid nodes. You can alternatively use other certificate attributes to uniquely identify your node. The certificate attribute that you use in the trust policy must correspond to the nodeName you set in your nodeadm configuration. For more information, see the Hybrid nodes nodeadm reference.

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "rolesanywhere.amazonaws.com"
              },
              "Action": [
                "sts:TagSession",
                "sts:SetSourceIdentity"
              ],
              "Condition": {
                "ArnEquals": {
                  "aws:SourceArn": "TRUST_ANCHOR_ARN"
                }
              }
            },
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "rolesanywhere.amazonaws.com"
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "sts:RoleSessionName": "${aws:PrincipalTag/x509Subject/CN}"
                },
                "ArnEquals": {
                  "aws:SourceArn": "TRUST_ANCHOR_ARN"
                }
              }
            }
          ]
        }

  - Choose Next.
- On the Add permissions page, attach a custom policy or do the following:
  - In the Filter policies box, enter EKSDescribeClusterPolicy, or the name of the policy you created above. Select the check box to the left of your policy name in the search results.
  - In the Filter policies box, enter AmazonEC2ContainerRegistryPullOnly. Select the check box to the left of AmazonEC2ContainerRegistryPullOnly in the search results.
  - Choose Next.
- On the Name, review, and create page, do the following:
  - For Role name, enter a unique name for your role, such as AmazonEKSHybridNodesRole.
  - For Description, replace the current text with descriptive text such as Amazon EKS - Hybrid Nodes role.
  - Choose Create role.
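To make the Roles Anywhere trust policy concrete (the same document appears in the AWS CLI and the AWS Management Console steps above), here is a small simulator, added as an example; it is not part of the user guide and is not how AWS STS evaluates policies internally. It models only what this policy uses: the StringEquals and ArnEquals operators as exact matches, and the ${aws:PrincipalTag/x509Subject/CN} policy variable, which Roles Anywhere fills from the certificate subject presented by the node. It shows that the role can only be assumed when the nodeName that nodeadm sends as the role session name equals the CN of the node's own certificate and the request comes from your trust anchor. The trust anchor ARN and node names are constructed placeholders.

```python
"""Simulate the Hybrid Nodes role trust policy used with IAM Roles Anywhere.

Added example; not code from the EKS user guide and not the real STS evaluator.
"""
from __future__ import annotations

import re

_VAR = re.compile(r"\$\{([^}]+)\}")
ROLES_ANYWHERE_PRINCIPAL = "rolesanywhere.amazonaws.com"


def build_iamra_trust_policy(trust_anchor_arn: str,
                             cert_attribute: str = "${aws:PrincipalTag/x509Subject/CN}") -> dict:
    """Render the eks-hybrid-iamra-trust.json document shown on the page."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": ROLES_ANYWHERE_PRINCIPAL},
                "Action": ["sts:TagSession", "sts:SetSourceIdentity"],
                "Condition": {"ArnEquals": {"aws:SourceArn": trust_anchor_arn}},
            },
            {
                "Effect": "Allow",
                "Principal": {"Service": ROLES_ANYWHERE_PRINCIPAL},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {"sts:RoleSessionName": cert_attribute},
                    "ArnEquals": {"aws:SourceArn": trust_anchor_arn},
                },
            },
        ],
    }


def _expand(value: str, context: dict) -> str:
    """Substitute ${key} policy variables from the request context (missing keys become empty)."""
    return _VAR.sub(lambda m: str(context.get(m.group(1), "")), value)


def _condition_matches(condition: dict, context: dict) -> bool:
    """Every operator/key pair must match; StringEquals and ArnEquals are modelled as exact matches."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "ArnEquals"):
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False           # a missing context key never satisfies an equality test
            expected_values = expected if isinstance(expected, list) else [expected]
            if actual not in [_expand(v, context) for v in expected_values]:
                return False
    return True


def allows(policy: dict, action: str, context: dict) -> bool:
    """True if an Allow statement for the Roles Anywhere service principal covers the action."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Effect") != "Allow" or action not in actions:
            continue
        if stmt.get("Principal", {}).get("Service") != ROLES_ANYWHERE_PRINCIPAL:
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def request_context(trust_anchor_arn: str, cert_subject_cn: str, node_name: str) -> dict:
    """Context Roles Anywhere presents: the trust anchor as source ARN, the certificate
    subject CN as a principal tag, and the nodeName from nodeadm as the session name."""
    return {
        "aws:SourceArn": trust_anchor_arn,
        "aws:PrincipalTag/x509Subject/CN": cert_subject_cn,
        "sts:RoleSessionName": node_name,
    }


def node_can_assume(policy: dict, trust_anchor_arn: str, cert_subject_cn: str, node_name: str) -> bool:
    """A bootstrap needs AssumeRole plus the TagSession/SetSourceIdentity statement to pass."""
    ctx = request_context(trust_anchor_arn, cert_subject_cn, node_name)
    return all(allows(policy, a, ctx)
               for a in ("sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"))


# Constructed placeholders, not real resources.
ANCHOR = "arn:aws:rolesanywhere:us-west-2:111122223333:trust-anchor/EXAMPLE-TRUST-ANCHOR-ID"
POLICY = build_iamra_trust_policy(ANCHOR)

if __name__ == "__main__":
    cn = "node-01.example.internal"
    print("nodeName matches certificate CN:", node_can_assume(POLICY, ANCHOR, cn, cn))
    print("nodeName differs from CN:       ", node_can_assume(POLICY, ANCHOR, cn, "node-02.example.internal"))
```

The second case is the one the page warns about: a nodeadm configuration whose nodeName does not equal the certificate's CN (or whichever attribute you put in CERT_ATTRIBUTE) is refused at AssumeRole, so a node cannot register under another node's name with its own certificate.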