Amazon Web Services

Caution

AWS credentials are required to access clusters. These credentials are sensitive information and must be kept secure.

Authentication Methods

Environment Variables

Set the following environment variables:

export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""

Command Line Interface

Use the ksctl credential manager:

ksctl cred

Available Cluster Types

Highly Available (HA) Clusters

Self-managed clusters with the following components:

Distributed etcd database instances
HAProxy load balancer for control plane high availability
Multiple control plane nodes
Worker nodes

Choose between two bootstrap options:

k3s (lightweight Kubernetes distribution)
kubeadm (official Kubernetes bootstrap tool)

Amazon EKS (Managed Clusters)

Elastic Kubernetes Service deployment with automated:

IAM role creation and management
Control plane setup
Node group configuration

IAM Configuration

For each cluster, ksctl creates two roles:

ksctl-<clustername>-wp-role: Manages node pool permissions
ksctl-<clustername>-cp-role: Handles control plane access

Required IAM Policies

Custom IAM Role Access Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor6",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:ListInstanceProfiles",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:CreateServiceLinkedRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DeleteServiceLinkedRole",
                "iam:GetRolePolicy",
                "iam:SetSecurityTokenServicePreferences"
            ],
            "Resource": [
                "arn:aws:iam::*:role/ksctl-*",
                "arn:aws:iam::*:instance-profile/*"
            ]
        }
    ]
}

Custom EKS Access Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "eks:ListNodegroups",
                "eks:ListClusters",
                "eks:*"
            ],
            "Resource": "*"
        }
    ]
}

AWS Managed Policies Required

AmazonEC2FullAccess
IAMReadOnlyAccess

Kubeconfig Authentication

After switching to an AWS cluster using:

ksctl switch aws --name here-you-go --region us-east-1

The generated kubeconfig uses AWS STS tokens which expire after 15 minutes. When you encounter authentication errors, simply run the switch command again to refresh the credentials.

Looking for CLI Commands?

All CLI commands mentioned in this documentation have detailed explanations in our command reference guide.

CLI Reference

👉 Check out our comprehensive CLI Commands Reference for:

Detailed command syntax
Usage examples
Available options and flags
Common use cases

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified December 7, 2024: patched the documentation on the cloud provider (84a2902)