Version: 6.16.0

AWS: Creating IAM Roles & Policies

An IAM Role is a set of permissions that is created once and assumed when needed. It is similar to a user account, but it is not tied to a single person; instead, any entity that the role trusts can assume it. Unlike regular user accounts, roles have no passwords or long-term access keys; when something assumes a role, it receives temporary credentials that last only long enough to complete its tasks.

IAM policies are the rules that say what a principal is allowed to do, regardless of how the request is made. For example, if a policy allows someone to view user information, they can do so through the web console, a command-line tool, or code that calls the API.


IAM Role

1: Create an IAM Role

We will create a role that EC2 instances can assume, granting them permissions suitable for integration with Amazon EKS.

  1. Access the IAM Console:

  2. Create the IAM Role:

    • In the navigation pane, choose "Roles."
    • Click on "Create role."
    • Under "Trusted entity type," select "AWS service."
    • For the use case, choose "EC2" to allow EC2 instances to assume this role.
    • Click "Next."
  3. Attach Policies:

    • Attach the necessary policies that grant permissions for EKS operations. For example:

      • AmazonEKSWorkerNodePolicy
      • AmazonEC2ContainerRegistryReadOnly
      • AmazonEKS_CNI_Policy
    • Click "Next."

  4. Name and Create the Role:

    • Provide a role name (e.g., EKSNodeRole).
    • Review the settings and click "Create role."

IAM Policy

1: Navigate to Roles

  • In the left-hand menu, click Roles.
  • This page lists all the roles already created in your AWS account.

2: Select the Role

  • Click on the name of the role you want to attach the policy to.

3: Attach a Policy

  • Inside the role’s details page, scroll down to the Permissions section.
  • Click Add permissions → then choose Attach policies directly.

4: Use JSON to Create a Custom Policy

  • Click Create policy (this will open in a new tab).
  • Choose the JSON tab.
  • Paste a custom JSON policy from the provided IAM Policies.
  • Click Next, give it the provided name, and click Create policy.
  • Repeat for all policies in the provided list.

5: Attach Your Policy

  • Back in the tab where you were adding permissions to the role, search for the name of the policies you just created.
  • Check the box next to it.
  • Click Next, then Add permissions.

Non-Root User

1: Create a User to log in as

  • Go to IAM → Users → Add user
  • Name: admin-user
  • Permissions: Attach existing policies → AdministratorAccess
  • Sign in with this new IAM user (not root)
  • Go back to EC2 → select instance → Connect → EC2 Instance Connect should now work
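The console steps above for the EKS node role, the custom policies, and the admin user all come down to a handful of JSON documents and API calls. The following is an added example, not part of the original page: it writes the trust policy the console generates for the "AWS service → EC2" choice, lists the AWS CLI commands equivalent to the role steps, and runs a small linter over policy documents that flags any Allow statement granting every action on every resource (the shape of AdministratorAccess attached to admin-user). The scoped EKS policy and the role name EKSNodeRole are constructed sample inputs; the `trust.json` path in the CLI commands is an assumption.

```python
"""Added example: IAM trust policy, CLI equivalents, and a policy linter.
Nothing here calls AWS; it only builds and checks the documents locally."""
import json


def ec2_trust_policy() -> dict:
    """Trust policy the console creates for trusted entity 'AWS service' -> 'EC2'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


# Managed policies named in the role steps; all live under arn:aws:iam::aws:policy/.
EKS_NODE_POLICIES = [
    "AmazonEKSWorkerNodePolicy",
    "AmazonEC2ContainerRegistryReadOnly",
    "AmazonEKS_CNI_Policy",
]


def managed_policy_arn(name: str) -> str:
    return f"arn:aws:iam::aws:policy/{name}"


def cli_commands(role_name: str, policy_names: list) -> list:
    """AWS CLI equivalent of the console role steps (trust document saved as
    trust.json, an assumed file name). The console's EC2 use case also creates
    an instance profile for you; on the CLI that is a separate step."""
    cmds = [
        f"aws iam create-role --role-name {role_name} "
        f"--assume-role-policy-document file://trust.json",
    ]
    cmds += [
        f"aws iam attach-role-policy --role-name {role_name} "
        f"--policy-arn {managed_policy_arn(p)}"
        for p in policy_names
    ]
    cmds += [
        f"aws iam create-instance-profile --instance-profile-name {role_name}",
        f"aws iam add-role-to-instance-profile "
        f"--instance-profile-name {role_name} --role-name {role_name}",
    ]
    return cmds


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def lint_policy(doc: dict) -> list:
    """Return findings for a policy document: a missing Version field, and any
    Allow statement whose Action and Resource are both the full wildcard."""
    findings = []
    if "Version" not in doc:
        findings.append("policy has no Version field")
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(f"Statement {i}: Allow * on * (full admin)")
        elif "*" in actions:
            findings.append(f"Statement {i}: Action * (every API call)")
    return findings


# What AdministratorAccess grants: every action on every resource.
ADMIN_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample custom policy: read-only access to EKS cluster metadata.
SCOPED_EKS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["eks:DescribeCluster", "eks:ListClusters"],
        "Resource": "arn:aws:eks:*:*:cluster/*",
    }],
}


if __name__ == "__main__":
    print(json.dumps(ec2_trust_policy(), indent=2))
    for cmd in cli_commands("EKSNodeRole", EKS_NODE_POLICIES):
        print(cmd)
    for name, doc in [("AdministratorAccess", ADMIN_ACCESS), ("scoped", SCOPED_EKS_POLICY)]:
        print(name, "->", lint_policy(doc) or "no findings")
```

Running the script prints the trust document, the six CLI commands, and one finding for the AdministratorAccess-shaped document and none for the scoped one; when you paste the custom JSON policies from the provided list, passing each through `lint_policy` before clicking Create policy is a cheap way to catch an accidental `*` on `*`.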