Prepare credentials for hybrid nodes - Amazon EKS
Hybrid Nodes IAM RoleSetup AWS SSM hybrid activationsSetup AWS IAM Roles AnywhereCreate the Hybrid Nodes IAM role

Prepare credentials for hybrid nodes

Amazon EKS Hybrid Nodes use temporary IAM credentials provisioned by AWS SSM hybrid activations or AWS IAM Roles Anywhere to authenticate with the Amazon EKS cluster. You must use either AWS SSM hybrid activations or AWS IAM Roles Anywhere with the Amazon EKS Hybrid Nodes CLI (nodeadm). You should not use both AWS SSM hybrid activations and AWS IAM Roles Anywhere. It is recommended to use AWS SSM hybrid activations if you do not have existing Public Key Infrastructure (PKI) with a Certificate Authority (CA) and certificates for your on-premises environments. If you do have existing PKI and certificates on-premises, use AWS IAM Roles Anywhere.

Hybrid Nodes IAM Role

Before you can connect hybrid nodes to your Amazon EKS cluster, you must create an IAM role that will be used with AWS SSM hybrid activations or AWS IAM Roles Anywhere for your hybrid nodes credentials. After cluster creation, you will use this role with an Amazon EKS access entry or aws-auth ConfigMap entry to map the IAM role to Kubernetes Role-Based Access Control (RBAC). For more information on associating the Hybrid Nodes IAM role with Kubernetes RBAC, see Prepare cluster access for hybrid nodes.

The Hybrid Nodes IAM role must have the following permissions.

  • Permissions for nodeadm to use the eks:DescribeCluster action to gather information about the cluster used for connecting hybrid nodes to the cluster. If you do not enable the eks:DescribeCluster action, then you must pass your Kubernetes API endpoint, cluster CA bundle, and service IPv4 CIDR in the node configuration you pass to nodeadm when you run nodeadm init.

  • Permissions for the kubelet to use container images from Amazon Elastic Container Registry (Amazon ECR) as defined in the AmazonEC2ContainerRegistryPullOnly policy.

  • If using AWS SSM, permissions for nodeadm init to use AWS SSM hybrid activations as defined in the aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html policy.

  • If using AWS SSM, permissions to use the ssm:DeregisterManagedInstance action and ssm:DescribeInstanceInformation action for nodeadm uninstall to deregister instances.

  • (Optional) Permissions for the Amazon EKS Pod Identity Agent to use the eks-auth:AssumeRoleForPodIdentity action to retrieve credentials for pods.

Setup AWS SSM hybrid activations

Before setting up AWS SSM hybrid activations, you must have a Hybrid Nodes IAM role created and configured. For more information, see Create the Hybrid Nodes IAM role. Follow the instructions at Create a hybrid activation to register nodes with Systems Manager in the AWS Systems Manager User Guide to create an AWS SSM hybrid activation for your hybrid nodes. The Activation Code and ID you receive is used with nodeadm when you register your hosts as hybrid nodes with your Amazon EKS cluster. You can come back to this step at a later point after you have created and prepared your Amazon EKS clusters for hybrid nodes.

Important

Systems Manager immediately returns the Activation Code and ID to the console or the command window, depending on how you created the activation. Copy this information and store it in a safe place. If you navigate away from the console or close the command window, you might lose this information. If you lose it, you must create a new activation.

By default, AWS SSM hybrid activations are active for 24 hours. You can alternatively specify an --expiration-date when you create your hybrid activation in timestamp format, such as 2024-08-01T00:00:00. When you use AWS SSM as your credential provider, the node name for your hybrid nodes is not configurable, and is auto-generated by AWS SSM. You can view and manage the AWS SSM Managed Instances in the AWS Systems Manager console under Fleet Manager. You can register up to 1,000 standard hybrid-activated nodes per account per AWS Region at no additional cost. However, registering more than 1,000 hybrid nodes requires that you activate the advanced-instances tier. There is a charge to use the advanced-instances tier that is not included in the Amazon EKS Hybrid Nodes pricing. For more information, see AWS Systems Manager Pricing.

See the example below for how to create an AWS SSM hybrid activation with your Hybrid Nodes IAM role. When you use AWS SSM hybrid activations for your hybrid nodes credentials, the names of your hybrid nodes will have the format mi-012345678abcdefgh and the temporary credentials provisioned by AWS SSM are valid for 1 hour. You cannot alter the node name or credential duration when using AWS SSM as your credential provider. The temporary credentials are automatically rotated by AWS SSM and the rotation does not impact the status of your nodes or applications.

It is recommended to use one AWS SSM hybrid activation per EKS cluster to scope the AWS SSM ssm:DeregisterManagedInstance permission of the Hybrid Nodes IAM role to only be able to deregister instances that are associated with your AWS SSM hybrid activation. In the example on this page, a tag with the EKS cluster ARN is used, which can be used to map your AWS SSM hybrid activation to the EKS cluster. You can alternatively use your preferred tag and method of scoping the AWS SSM permissions based on your permission boundaries and requirements. The REGISTRATION_LIMIT option in the command below is an integer used to limit the number of machines that can use the AWS SSM hybrid activation (for example 10)

aws ssm create-activation \
     --region AWS_REGION \
     --default-instance-name eks-hybrid-nodes \
     --description "Activation for EKS hybrid nodes" \
     --iam-role AmazonEKSHybridNodesRole \
     --tags Key=EKSClusterARN,Value=arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:cluster/CLUSTER_NAME \
     --registration-limit REGISTRATION_LIMIT

Review the instructions on Create a hybrid activation to register nodes with Systems Manager for more information about the available configuration settings for AWS SSM hybrid activations.

Setup AWS IAM Roles Anywhere

Follow the instructions at Getting started with IAM Roles Anywhere in the IAM Roles Anywhere User Guide to set up the trust anchor and profile you will use for temporary IAM credentials for your Hybrid Nodes IAM role. When you create your profile, you can create it without adding any roles. You can create this profile, return to these steps to create your Hybrid Nodes IAM role, and then add your role to your profile after it is created. You can alternatively use the AWS CloudFormation steps later on this page to complete your IAM Roles Anywhere setup for hybrid nodes.

When you add the Hybrid Nodes IAM role to your profile, select Accept custom role session name in the Custom role session name panel at the bottom of the Edit profile page in the AWS IAM Roles Anywhere console. This corresponds to the acceptRoleSessionName field of the CreateProfile API. This allows you to supply a custom node name for your hybrid nodes in the configuration you pass to nodeadm during the bootstrap process. Passing a custom node name during the nodeadm init process is required. You can update your profile to accept a custom role session name after creating your profile.

You can configure the credential validity duration with AWS IAM Roles Anywhere through the durationSeconds field of your AWS IAM Roles Anywhere profile. The default duration is 1 hour with a maximum of 12 hours. The MaxSessionDuration setting on your Hybrid Nodes IAM role must be greater than the durationSeconds setting on your AWS IAM Roles Anywhere profile. For more information on MaxSessionDuration, see UpdateRole API documentation.

The per-machine certificates and keys you generate from your certificate authority (CA) must be placed in the /etc/iam/pki directory on each hybrid node with the file names server.pem for the certificate and server.key for the key.

Create the Hybrid Nodes IAM role

To run the steps in this section, the IAM principal using the AWS console or AWS CLI must have the following permissions.

  • iam:CreatePolicy

  • iam:CreateRole

  • iam:AttachRolePolicy

  • If using AWS IAM Roles Anywhere

    • rolesanywhere:CreateTrustAnchor

    • rolesanywhere:CreateProfile

    • iam:PassRole

AWS CloudFormation

Install and configure the AWS CLI, if you haven’t already. See Installing or updating to the last version of the AWS CLI.

Steps for AWS SSM hybrid activations

The CloudFormation stack creates the Hybrid Nodes IAM Role with the permissions outlined above. The CloudFormation template does not create the AWS SSM hybrid activation.

  1. Download the AWS SSM CloudFormation template for hybrid nodes:

    curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/example/hybrid-ssm-cfn.yaml'

  2. Create a cfn-ssm-parameters.json with the following options:

    1. Replace ROLE_NAME with the name for your Hybrid Nodes IAM role. By default, the CloudFormation template uses AmazonEKSHybridNodesRole as the name of the role it creates if you do not specify a name.

    2. Replace TAG_KEY with the AWS SSM resource tag key you used when creating your AWS SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the ssm:DeregisterManagedInstance to only allow the Hybrid Nodes IAM role to deregister the AWS SSM managed instances that are associated with your AWS SSM hybrid activation. In the CloudFormation template, TAG_KEY defaults to EKSClusterARN.

    3. Replace TAG_VALUE with the AWS SSM resource tag value you used when creating your AWS SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the ssm:DeregisterManagedInstance to only allow the Hybrid Nodes IAM role to deregister the AWS SSM managed instances that are associated with your AWS SSM hybrid activation. If you are using the default TAG_KEY of EKSClusterARN, then pass your EKS cluster ARN as the TAG_VALUE. EKS cluster ARNs have the format arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:cluster/CLUSTER_NAME.

      {
  "Parameters": {
    "RoleName": "ROLE_NAME",
    "SSMDeregisterConditionTagKey": "TAG_KEY",
    "SSMDeregisterConditionTagValue": "TAG_VALUE"
  }
}

  3. Deploy the CloudFormation stack. Replace STACK_NAME with your name for the CloudFormation stack.

    aws cloudformation deploy \
    --stack-name STACK_NAME \
    --template-file hybrid-ssm-cfn.yaml \
    --parameter-overrides file://cfn-ssm-parameters.json \
    --capabilities CAPABILITY_NAMED_IAM

Steps for AWS IAM Roles Anywhere

The CloudFormation stack creates the AWS IAM Roles Anywhere trust anchor with the certificate authority (CA) you configure, creates the AWS IAM Roles Anywhere profile, and creates the Hybrid Nodes IAM role with the permissions outlined previously.

  1. To set up a certificate authority (CA)

    1. To use an AWS Private CA resource, open the AWS Private Certificate Authority console. Follow the instructions in the AWS Private CA User Guide.

    2. To use an external CA, follow the instructions provided by the CA. You provide the certificate body in a later step.

    3. Certificates issued from public CAs cannot be used as trust anchors.

  2. Download the AWS IAM Roles Anywhere CloudFormation template for hybrid nodes

    curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/example/hybrid-ira-cfn.yaml'

  3. Create a cfn-iamra-parameters.json with the following options:

    1. Replace ROLE_NAME with the name for your Hybrid Nodes IAM role. By default, the CloudFormation template uses AmazonEKSHybridNodesRole as the name of the role it creates if you do not specify a name.

    2. Replace CERT_ATTRIBUTE with the per-machine certificate attribute that uniquely identifies your host. The certificate attribute you use must match the nodeName you use for the nodeadm configuration when you connect hybrid nodes to your cluster. For more information, see the Hybrid nodes nodeadm reference. By default, the CloudFormation template uses ${aws:PrincipalTag/x509Subject/CN} as the CERT_ATTRIBUTE, which corresponds to the CN field of your per-machine certificates. You can alternatively pass $(aws:PrincipalTag/x509SAN/Name/CN} as your CERT_ATTRIBUTE.

    3. Replace CA_CERT_BODY with the certificate body of your CA without line breaks. The CA_CERT_BODY must be in Privacy Enhanced Mail (PEM) format. If you have a CA certificate in PEM format, remove the line breaks and BEGIN CERTIFICATE and END CERTIFICATE lines before placing the CA certificate body in your cfn-iamra-parameters.json file.

      {
  "Parameters": {
    "RoleName": "ROLE_NAME",
    "CertAttributeTrustPolicy": "CERT_ATTRIBUTE",
    "CABundleCert": "CA_CERT_BODY"
  }
}

  4. Deploy the CloudFormation template. Replace STACK_NAME with your name for the CloudFormation stack.

    aws cloudformation deploy \
    --stack-name STACK_NAME \
    --template-file hybrid-ira-cfn.yaml \
    --parameter-overrides file://cfn-iamra-parameters.json
    --capabilities CAPABILITY_NAMED_IAM

AWS CLI

Install and configure the AWS CLI, if you haven’t already. See Installing or updating to the last version of the AWS CLI.

Create EKS Describe Cluster Policy

  1. Create a file named eks-describe-cluster-policy.json with the following contents:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster"
            ],
            "Resource": "*"
        }
    ]
}

  2. Create the policy with the following command:

    aws iam create-policy \
    --policy-name EKSDescribeClusterPolicy \
    --policy-document file://eks-describe-cluster-policy.json

Steps for AWS SSM hybrid activations

  1. Create a file named eks-hybrid-ssm-policy.json with the following contents. The policy grants permission for two actions ssm:DescribeInstanceInformation and ssm:DeregisterManagedInstance. The policy restricts the ssm:DeregisterManagedInstance permission to AWS SSM managed instances associated with your AWS SSM hybrid activation based on the resource tag you specify in your trust policy.

    1. Replace AWS_REGION with the AWS Region for your AWS SSM hybrid activation.

    2. Replace AWS_ACCOUNT_ID with your AWS account ID.

    3. Replace TAG_KEY with the AWS SSM resource tag key you used when creating your AWS SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the ssm:DeregisterManagedInstance to only allow the Hybrid Nodes IAM role to deregister the AWS SSM managed instances that are associated with your AWS SSM hybrid activation. In the CloudFormation template, TAG_KEY defaults to EKSClusterARN.

    4. Replace TAG_VALUE with the AWS SSM resource tag value you used when creating your AWS SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the ssm:DeregisterManagedInstance to only allow the Hybrid Nodes IAM role to deregister the AWS SSM managed instances that are associated with your AWS SSM hybrid activation. If you are using the default TAG_KEY of EKSClusterARN, then pass your EKS cluster ARN as the TAG_VALUE. EKS cluster ARNs have the format arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:cluster/CLUSTER_NAME.

      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:DescribeInstanceInformation",
            "Resource": ""
        },
        {
            "Effect": "Allow",
            "Action": "ssm:DeregisterManagedInstance",
            "Resource": "arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:managed-instance/",
            "Condition": {
                "StringEquals": {
                    "ssm:resourceTag/TAG_KEY": "TAG_VALUE"
                }
            }
        }
    ]
}

  2. Create the policy with the following command

    aws iam create-policy \
    --policy-name EKSHybridSSMPolicy \
    --policy-document file://eks-hybrid-ssm-policy.json

  3. Create a file named eks-hybrid-ssm-trust.json. Replace AWS_REGION with the AWS Region of your AWS SSM hybrid activation and AWS_ACCOUNT_ID with your AWS account ID.

    {
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"",
         "Effect":"Allow",
         "Principal":{
            "Service":"ssm.amazonaws.com"
         },
         "Action":"sts:AssumeRole",
         "Condition":{
            "StringEquals":{
               "aws:SourceAccount":"AWS_ACCOUNT_ID"
            },
            "ArnEquals":{
               "aws:SourceArn":"arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:*"
            }
         }
      }
   ]
}

  4. Create the role with the following command.

    aws iam create-role \
    --role-name AmazonEKSHybridNodesRole \
    --assume-role-policy-document file://eks-hybrid-ssm-trust.json

  5. Attach the EKSDescribeClusterPolicy and the EKSHybridSSMPolicy you created in the previous steps. Replace AWS_ACCOUNT_ID with your AWS account ID.

    aws iam attach-role-policy \
    --role-name AmazonEKSHybridNodesRole \
    --policy-arn arn:aws:iam::AWS_ACCOUNT_ID:policy/EKSDescribeClusterPolicy
    aws iam attach-role-policy \
    --role-name AmazonEKSHybridNodesRole \
    --policy-arn arn:aws:iam::AWS_ACCOUNT_ID:policy/EKSHybridSSMPolicy

  6. Attach the AmazonEC2ContainerRegistryPullOnly and AmazonSSMManagedInstanceCore AWS managed policies.

    aws iam attach-role-policy \
    --role-name AmazonEKSHybridNodesRole \
    --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly
    aws iam attach-role-policy \
    --role-name AmazonEKSHybridNodesRole \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

Steps for AWS IAM Roles Anywhere

To use AWS IAM Roles Anywhere, you must set up your AWS IAM Roles Anywhere trust anchor before creating the Hybrid Nodes IAM Role. See Setup AWS IAM Roles Anywhere for instructions.

  1. Create a file named eks-hybrid-iamra-trust.json. Replace TRUST_ANCHOR ARN with the ARN of the trust anchor you created in the Setup AWS IAM Roles Anywhere steps. The condition in this trust policy restricts the ability of AWS IAM Roles Anywhere to assume the Hybrid Nodes IAM role to exchange temporary IAM credentials only when the role session name matches the CN in the x509 certificate installed on your hybrid nodes. You can alternatively use other certificate attributes to uniquely identify your node. The certificate attribute that you use in the trust policy must correspond to the nodeName you set in your nodeadm configuration. For more information, see the Hybrid nodes nodeadm reference.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "rolesanywhere.amazonaws.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:SetSourceIdentity"
            ],
            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "TRUST_ANCHOR_ARN"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "rolesanywhere.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:RoleSessionName": "${aws:PrincipalTag/x509Subject/CN}"
                },
                "ArnEquals": {
                    "aws:SourceArn": "TRUST_ANCHOR_ARN"
                }
            }
        }
    ]
}

  2. Create the role with the following command.

    aws iam create-role \
    --role-name AmazonEKSHybridNodesRole \
    --assume-role-policy-document file://eks-hybrid-iamra-trust.json

  3. Attach the EKSDescribeClusterPolicy you created in the previous steps. Replace AWS_ACCOUNT_ID with your AWS account ID.

    aws iam attach-role-policy \
    --role-name AmazonEKSHybridNodesRole \
    --policy-arn arn:aws:iam::AWS_ACCOUNT_ID:policy/EKSDescribeClusterPolicy

  4. Attach the AmazonEC2ContainerRegistryPullOnly AWS managed policy

    aws iam attach-role-policy \
    --role-name AmazonEKSHybridNodesRole \
    --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly

AWS Management Console

Create EKS Describe Cluster Policy

  1. Open the Amazon IAM console

  2. In the left navigation pane, choose Policies.

  3. On the Policies page, choose Create policy.

  4. On the Specify permissions page, in the Select a service panel, choose EKS.

    1. Filter actions for DescribeCluster and select the DescribeCluster Read action.

    2. Choose Next.

  5. On the Review and create page

    1. Enter a Policy name for your policy such as EKSDescribeClusterPolicy.

    2. Choose Create policy.

Steps for AWS SSM hybrid activations

  1. Open the Amazon IAM console

  2. In the left navigation pane, choose Policies.

  3. On the Policies page, choose Create policy.

  4. On the Specify permissions page, in the Policy editor top right navigation, choose JSON. Paste the following snippet. Replace AWS_REGION with the AWS Region of your AWS SSM hybrid activation and replace AWS_ACCOUNT_ID with your AWS account ID. Replace TAG_KEY and TAG_VALUE with the AWS SSM resource tag key you used when creating your AWS SSM hybrid activation.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:DescribeInstanceInformation",
            "Resource": ""
        },
        {
            "Effect": "Allow",
            "Action": "ssm:DeregisterManagedInstance",
            "Resource": "arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:managed-instance/",
            "Condition": {
                "StringEquals": {
                    "ssm:resourceTag/TAG_KEY": "TAG_VALUE"
                }
            }
        }
    ]
}

    1. Choose Next.

  5. On the Review and Create page.

    1. Enter a Policy name for your policy such as EKSHybridSSMPolicy

    2. Choose Create Policy.

  6. In the left navigation pane, choose Roles.

  7. On the Roles page, choose Create role.

  8. On the Select trusted entity page, do the following:

    1. In the Trusted entity type section, choose Custom trust policy. Paste the following into the Custom trust policy editor. Replace AWS_REGION with the AWS Region of your AWS SSM hybrid activation and AWS_ACCOUNT_ID with your AWS account ID.

      {
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"",
         "Effect":"Allow",
         "Principal":{
            "Service":"ssm.amazonaws.com"
         },
         "Action":"sts:AssumeRole",
         "Condition":{
            "StringEquals":{
               "aws:SourceAccount":"AWS_ACCOUNT_ID"
            },
            "ArnEquals":{
               "aws:SourceArn":"arn:aws:ssm:AWS_REGION:AWS_ACCOUNT_ID:*"
            }
         }
      }
   ]
}

    2. Choose Next.

  9. On the Add permissions page, attach a custom policy or do the following:

    1. In the Filter policies box, enter EKSDescribeClusterPolicy, or the name of the policy you created above. Select the check box to the left of your policy name in the search results.

    2. In the Filter policies box, enter EKSHybridSSMPolicy, or the name of the policy you created above. Select the check box to the left of your policy name in the search results.

    3. In the Filter policies box, enter AmazonEC2ContainerRegistryPullOnly. Select the check box to the left of AmazonEC2ContainerRegistryPullOnly in the search results.

    4. In the Filter policies box, enter AmazonSSMManagedInstanceCore. Select the check box to the left of AmazonSSMManagedInstanceCore in the search results.

    5. Choose Next.

  10. On the Name, review, and create page, do the following:

    1. For Role name, enter a unique name for your role, such as AmazonEKSHybridNodesRole.

    2. For Description, replace the current text with descriptive text such as Amazon EKS - Hybrid Nodes role.

    3. Choose Create role.

Steps for AWS IAM Roles Anywhere

To use AWS IAM Roles Anywhere, you must set up your AWS IAM Roles Anywhere trust anchor before creating the Hybrid Nodes IAM Role. See Setup AWS IAM Roles Anywhere for instructions.

  1. Open the Amazon IAM console

  2. In the left navigation pane, choose Roles.

  3. On the Roles page, choose Create role.

  4. On the Select trusted entity page, do the following:

    1. In the Trusted entity type section, choose Custom trust policy. Paste the following into the Custom trust policy editor. Replace TRUST_ANCHOR ARN with the ARN of the trust anchor you created in the Setup AWS IAM Roles Anywhere steps. The condition in this trust policy restricts the ability of AWS IAM Roles Anywhere to assume the Hybrid Nodes IAM role to exchange temporary IAM credentials only when the role session name matches the CN in the x509 certificate installed on your hybrid nodes. You can alternatively use other certificate attributes to uniquely identify your node. The certificate attribute that you use in the trust policy must correspond to the nodeName you set in your nodeadm configuration. For more information, see the Hybrid nodes nodeadm reference.

      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "rolesanywhere.amazonaws.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:SetSourceIdentity"
            ],
            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "TRUST_ANCHOR_ARN"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "rolesanywhere.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:RoleSessionName": "${aws:PrincipalTag/x509Subject/CN}"
                },
                "ArnEquals": {
                    "aws:SourceArn": "TRUST_ANCHOR_ARN"
                }
            }
        }
    ]
}

    2. Choose Next.

  5. On the Add permissions page, attach a custom policy or do the following:

    1. In the Filter policies box, enter EKSDescribeClusterPolicy, or the name of the policy you created above. Select the check box to the left of your policy name in the search results.

    2. In the Filter policies box, enter AmazonEC2ContainerRegistryPullOnly. Select the check box to the left of AmazonEC2ContainerRegistryPullOnly in the search results.

    3. Choose Next.

  6. On the Name, review, and create page, do the following:

    1. For Role name, enter a unique name for your role, such as AmazonEKSHybridNodesRole.

    2. For Description, replace the current text with descriptive text such as Amazon EKS - Hybrid Nodes role.

    3. Choose Create role.