When launching through pulumi, can I configure tha...
# general
d
When launching through pulumi, can I configure that? I don't see an option to do that.
@white-balloon-205 @microscopic-florist-22719 @gentle-diamond-70147
w
The CloudFormation template referred to in that article will always create the same InstanceRole for each NodeGroup, but you are right that it creates one copy of the role for each NodeGroup. The @pulumi/eks package does create one for the Cluster which it shares across NodeGroups. We could probably change that to allow creating one per NodeGroup instead - which would be closer to the EKS docs. This shouldn't have much impact though unless you are changing this out-of-band of Pulumi/CloudFormation. Is there a particular reason this was important for you?
Also cc @breezy-hamburger-69619
d
So the scenario is that this node group has powerful IAM policies to assume any role, almost admin-like, so they need to be dedicated nodes. Because as of now, if I attach policies to the existing shared role, it essentially gets attached to all nodes, which is not secure.
So what I want to do is spin up the node group, create my IAM policies and attach them only to this node group's IAM role and not any other, through pulumi.
w
Got it - that makes sense. I'll open an issue to track making this role per-nodegroup.
d
@white-balloon-205 Thinking a bit further, is there currently a way that the instance role is exposed? I didn't find that. So with the above we would need a way to get the IAM role for the given node group as well. Do you agree? Or is there a workaround to this?
w
Yeah - the instance role is available at cluster.instanceRole I believe. We'll need to expose it also on the individual NodeGroup as part of improving this.
d
cluster.instanceRole is unfortunately the service role and not the IAM role
w
Ahh - let me check.
d
I found this: cluster.core.instanceProfile.arn
But that is the instanceProfile of the default node group again. I don't know how to get the instanceRole from there; might need some weird string substitutions.
w
No - cluster.instanceRole does appear to be the instance profile role. Why did you think otherwise? Our docs? Or something didn't work as you expected?
d
Yes, the doc description says "service role used by EKS", which is actually a role that EKS uses, where the trust relationship is eks.amazonaws.com.
w
I think the documentation is wrong (or really just a bit misleading in using the term "service" - technically both of these are "service" roles, but for two different services (EC2 and EKS)). In practice, this is here - and is indeed the EC2 role for the instances: https://github.com/pulumi/eks/blob/976c33bb385d5ac1d2447fcf2c3d9e48d7eeca23/nodejs/eks/cluster.ts#L190-L191
The EKS service role is actually not exposed currently (and I don't know of a scenario where that is needed).
d
Yup. I don't think that the EKS service role is ever required.
Just a bit misleading, thanks for the info.