05. Create an EKS Cluster and IAM Role

Before you can deploy your application, you will need to create an EKS cluster and set up an IAM role that CodeBuild can use to interact with EKS. You can follow the steps below to do this from the command line.

Create a Kubernetes (EKS) Cluster

  • Create an EKS cluster named simple-jwt-api.

Set Up an IAM Role for the Cluster

The next steps quickly set up an IAM role that CodeBuild will assume when it runs kubectl against your cluster. The role needs two things: an IAM side (a trust policy saying who may assume it, plus a permissions policy saying what it may do) and a Kubernetes side (an entry in the aws-auth ConfigMap mapping it to a cluster user and group).

  1. Create an IAM role that CodeBuild can use to interact with EKS:

    • Set an environment variable ACCOUNT_ID to the value of your AWS account id. You can do this with awscli:
      ```bash
      ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
      ```
    • Create a trust policy document that allows the role to be assumed (the action "sts:AssumeRole"). The principal is your account root, so any identity in the account whose own IAM policy permits sts:AssumeRole on this role can assume it; for a production pipeline you would narrow the principal to the CodeBuild project's service role. The permissions the role grants come from a separate policy in a later step. Store the document in an environment variable:
      ```bash
      TRUST="{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"AWS\": \"arn:aws:iam::${ACCOUNT_ID}:root\" }, \"Action\": \"sts:AssumeRole\" } ] }"
      ```
    • Create a role named 'UdacityFlaskDeployCBKubectlRole' using the trust policy document:
      ```bash
      aws iam create-role --role-name UdacityFlaskDeployCBKubectlRole --assume-role-policy-document "$TRUST" --output text --query 'Role.Arn'
      ```
    • Create a permissions policy document that allows only the actions "eks:Describe*" and "ssm:GetParameters". You can create the document in your /tmp directory:
      ```bash
      echo '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "eks:Describe*", "ssm:GetParameters" ], "Resource": "*" } ] }' > /tmp/iam-role-policy
      ```
    • Attach the policy to 'UdacityFlaskDeployCBKubectlRole' as an inline policy named eks-describe. You can do this using awscli:
      ```bash
      aws iam put-role-policy --role-name UdacityFlaskDeployCBKubectlRole --policy-name eks-describe --policy-document file:///tmp/iam-role-policy
      ```
      You have now created a role named 'UdacityFlaskDeployCBKubectlRole'.
  2. Grant the role access to the cluster.
    The 'aws-auth' ConfigMap in the kube-system namespace maps IAM roles to Kubernetes users and groups. An IAM role that is not listed there has no access to the cluster API, whatever its IAM permissions, so the role created above must be added to it.

    • Get the current configmap and save it to a file:
      ```bash
      kubectl get -n kube-system configmap/aws-auth -o yaml > /tmp/aws-auth-patch.yml
      ```
    • In the data/mapRoles section of this document add the following entry, replacing <ACCOUNT_ID> with your account id:
      ```yml
      - rolearn: arn:aws:iam::<ACCOUNT_ID>:role/UdacityFlaskDeployCBKubectlRole
        username: build
        groups:
          - system:masters
      ```
      Note that system:masters is the cluster-admin group, so the build role gets full control of the cluster. Keep the existing mapRoles entries (for example the node instance role) in the file: the patch replaces the whole mapRoles value, and dropping them cuts the worker nodes off from the cluster.
    • Now update your cluster's configmap:
      ```bash
      kubectl patch configmap/aws-auth -n kube-system --patch "$(cat /tmp/aws-auth-patch.yml)"
      ```
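
The whole procedure above as one script, an added example that is not part of the course page. Each document (trust policy, permissions policy, aws-auth entry, aws-auth patch) is produced by a function so it can be inspected before anything is applied, and the aws-auth patch is built from the ConfigMap's existing mapRoles text rather than by hand-editing a file, so the node role entry cannot be dropped by accident. It goes one step beyond the page: the trust policy function accepts an optional narrower principal ARN in place of the account root. The account id 123456789012, the file names under /tmp/ and the service role name codebuild-svc used in the comments are placeholders, not values from the page.

```shell
#!/usr/bin/env bash
# Added example, not code from the course page: the same role setup and
# aws-auth change as above, with each document generated by a function.
# Run "bash cb-role.sh apply" to execute the aws/kubectl steps; with no
# argument it only prints the documents for a placeholder account id.
set -eu

ROLE_NAME="UdacityFlaskDeployCBKubectlRole"   # role name from the page
POLICY_NAME="eks-describe"                     # inline policy name from the page

# Trust policy: who may call sts:AssumeRole on the role. The page trusts the
# whole account (":root"); pass a narrower principal ARN as the second
# argument (e.g. arn:aws:iam::123456789012:role/codebuild-svc, a placeholder
# for the CodeBuild project's service role) to limit it to one identity.
trust_policy() {
  local account_id="$1"
  local principal="${2:-arn:aws:iam::${account_id}:root}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "${principal}" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permissions policy: what the role may do once assumed. Only the read-only
# EKS calls and ssm:GetParameters that the page grants, nothing else.
role_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "eks:Describe*", "ssm:GetParameters" ],
      "Resource": "*"
    }
  ]
}
EOF
}

# aws-auth mapRoles entry mapping the IAM role to Kubernetes user "build" in
# system:masters (cluster-admin), as on the page. For least privilege, map it
# to a dedicated group bound to a namespaced Role instead.
aws_auth_entry() {
  local account_id="$1"
  cat <<EOF
- rolearn: arn:aws:iam::${account_id}:role/${ROLE_NAME}
  username: build
  groups:
    - system:masters
EOF
}

# Role ARN as it will appear in the ConfigMap, handy for checking the entry.
entry_rolearn() {
  aws_auth_entry "$1" | sed -n 's/^- rolearn: //p'
}

# Strategic-merge patch for aws-auth: the existing mapRoles text (kept intact)
# plus the new entry, re-indented as a YAML block scalar under data.mapRoles.
aws_auth_patch() {
  local existing="$1" account_id="$2"
  printf 'data:\n  mapRoles: |\n'
  { [ -n "$existing" ] && printf '%s\n' "$existing"; aws_auth_entry "$account_id"; } | sed 's/^/    /'
}

if [ "${1:-}" = "apply" ]; then
  ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
  trust_policy "$ACCOUNT_ID" > /tmp/trust-policy.json
  role_policy > /tmp/iam-role-policy.json
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document file:///tmp/trust-policy.json \
    --output text --query 'Role.Arn'
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name "$POLICY_NAME" \
    --policy-document file:///tmp/iam-role-policy.json
  # Read the live mapRoles so existing entries (e.g. the node role) survive.
  EXISTING=$(kubectl get -n kube-system configmap/aws-auth -o jsonpath='{.data.mapRoles}')
  kubectl patch configmap/aws-auth -n kube-system --patch "$(aws_auth_patch "$EXISTING" "$ACCOUNT_ID")"
else
  trust_policy 123456789012; role_policy; aws_auth_patch "" 123456789012
fi
```

Run it without arguments first and read the three documents it prints; only then run it with apply. If you tighten the trust policy to a single principal, the CodeBuild service role you name there still needs its own IAM permission to call sts:AssumeRole on this role, or the assume call is denied from the caller's side.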

Well done! You have almost finished the process of deploying your application. Up next, you will do exactly that, using CodePipeline and CodeBuild.