No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Screenshot 2021-12-15 at 12.16.51.png

When i write something like:
```const sesPolicy = JSON.stringify({
  Version: '2012-10-17',
  Statement: [{
    Sid: 'EksClusterSesPermissions',
    Action: ['ses:*'],
    Effect: 'Allow',
    Resource: '*'
  }]
});
const clusterRole = new aws.iam.Role('cluster-role', {
  name: 'my-cluster-role',
  assumeRolePolicy: sesPolicy
});

const cluster = new eks.Cluster('cluster', {
  name: 'my-eks-cluster',
  vpcId: vpc.id,
  publicSubnetIds: vpc.publicSubnetIds,
  privateSubnetIds: vpc.privateSubnetIds,
  desiredCapacity: 2,
  minSize: 1,
  maxSize: 3,
  instanceRole: clusterRole
});```
And run `pulumi preview` command I get the following output (image below) like I would loose existing node roles which are applied to cluster nodes by default. Will that effect anything?

Other solution that seems to work is this:
```
const sesPolicy = new aws.iam.Policy('ses-policy', {
  description: 'EKS cluster SES permissions',
  policy: JSON.stringify({
    Version: '2012-10-17',
    Statement: [{
      Sid: 'EksClusterSesPermissions',
      Action: ['ses:*'],
      Effect: 'Allow',
      Resource: '*'
    }]
  })
});

const cluster = new eks.Cluster('cluster', {
  name: 'my-eks-cluster',
  vpcId: vpc.id,
  publicSubnetIds: vpc.publicSubnetIds,
  privateSubnetIds: vpc.privateSubnetIds,
  desiredCapacity: 2,
  minSize: 1,
  maxSize: 3
});

cluster.instanceRoles.apply(attachSesPolicy);

function attachSesPolicy(roles) {
  const [role] = roles;
  const attachment = new aws.iam.RolePolicyAttachment('ses-policy-attach', {
    role: role.name,
    policyArn: sesPolicy.arn
  });
}```
With this approach only will ses policy be added and no roles will be deleted as with the approach 1 i posted above

The policy is wrong. The assume policy is not what actually gives the permissions to perform action

The assume policy should be something like
```{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "<http://ec2.amazonaws.com|ec2.amazonaws.com>"},
      "Action": "sts:AssumeRole"
    }
  ]
}```

and them you create the actual role with `iam.Policy`and them attach it with `iam.RolePolicyAttachment`

here you can find some examples <https://github.com/jaxxstorm/pulumi-examples/blob/67c1de79b9b5ed59ad4bdd9247e4298df8a44164/typescript/aws/eks-platform/alb-ingress-controller/index.ts|https://github.com/jaxxstorm/pulumi-examples/blob/67c1de79b9b5ed59ad4bdd9247e4298d[…]164/typescript/aws/eks-platform/alb-ingress-controller/index.ts>

the purpose of the role is different, but the idea is the same

Once, when it's created, how to attach that role to the eks cluster? are you using instanceRole property or instanceRoles? `instanceRoles` reuqires instance profile to be specified

That depends, you might not need it at all. Depends on how you are setting your node groups

I, particularly, only use fargate, so I only set fargate profiles