
damp-book-35965

03/22/2019, 4:52 PM
When launching through Pulumi, can I configure that? I don't see an option to do that.
@white-balloon-205 @microscopic-florist-22719 @gentle-diamond-70147

white-balloon-205

03/22/2019, 5:38 PM
The CloudFormation template referred to in that article will always create the same InstanceRole for each NodeGroup, but you are right that it creates one copy of the role for each NodeGroup. The @pulumi/eks package does create one for the Cluster which it shares across NodeGroups. We could probably change that to allow creating one per NodeGroup instead - which would be closer to the EKS docs. This shouldn't have much impact, though, unless you are changing this out-of-band of Pulumi/CloudFormation. Is there a particular reason this was important for you?
Also cc @breezy-hamburger-69619

damp-book-35965

03/22/2019, 5:53 PM
So the scenario is that this node group has powerful IAM policies to assume any role, almost admin-like, so they need to be dedicated nodes. Because as of now, if I attach policies to the existing shared role, it essentially gets attached to all nodes, which is not secure.
So what I want to do is spin up the node group, create my IAM policies and attach them only to this node group's IAM role and not any other, through Pulumi.

white-balloon-205

03/22/2019, 5:54 PM
Got it - that makes sense. I'll open an issue to track making this role per-nodegroup.

damp-book-35965

03/22/2019, 8:43 PM
@white-balloon-205 Thinking a bit further, is there currently a way that the instance role is exposed? I didn't find that. So with the above we would need a way to get the IAM role for the given node group as well. Do you agree? Or is there a workaround to this?

white-balloon-205

03/22/2019, 8:45 PM
Yeah - the instance role is available at cluster.instanceRole I believe. We'll need to expose it also on the individual NodeGroup as part of improving this.

damp-book-35965

03/22/2019, 8:45 PM
cluster.instanceRole is unfortunately the service role and not the IAM role.

white-balloon-205

03/22/2019, 8:46 PM
Ahh - let me check.

damp-book-35965

03/22/2019, 8:49 PM
I found this: cluster.core.instanceProfile.arn
But that is the instanceProfile of the default node group again. I don't know how to get the instanceRole from there; it might need some weird string substitutions.

white-balloon-205

03/22/2019, 8:49 PM
No - cluster.instanceRole does appear to be the instance profile role. Why did you think otherwise? Our docs? Or something didn't work as you expected?

damp-book-35965

03/22/2019, 8:53 PM
Yes, the doc description says "service role used by EKS", which is actually a role that EKS itself uses, where the trust relationship is eks.amazonaws.com.

white-balloon-205

03/22/2019, 9:02 PM
I think the documentation is wrong (or really just a bit misleading in using the term "service" - technically both of these are "service" roles, but for two different services (EC2 and EKS)). In practice, this is here - and is indeed the EC2 role for the instances: https://github.com/pulumi/eks/blob/976c33bb385d5ac1d2447fcf2c3d9e48d7eeca23/nodejs/eks/cluster.ts#L190-L191
The EKS service role is actually not exposed currently (and I don't know of a scenario where that is needed).

damp-book-35965

03/22/2019, 9:07 PM
Yup. I don't think that EKS service role is ever required.
Just a bit misleading; thanks for the info.