Eksctl: Attach IAM policy after EKS cluster created

Created on 13 Sep 2019 · 7 Comments · Source: weaveworks/eksctl

I am using eksctl version Info{BuiltAt:"", GitCommit:"", GitTag:"0.5.3"}
and I have created a couple of clusters in AWS EKS Kubernetes version 1.13.
On one of these clusters I did not edit the iam section to include attachPolicyARNs:
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

My question is how can I apply an existing policy to an existing cluster without deleting and recreating the cluster?

All 7 comments

So, the options that I know of currently are to modify:

  1. the IAM role and attach the policy / policies to the roles.
  2. download the cloudformation templates from the running stacks and make the changes and update the stack for each one.

Is there an eksctl option to update the cluster for IAM policies that would update the stack so manual updates would not be required?

Hi @jrgwv, did you ever get any solution for this?

For me, the only way to do this is by running the aws-cli iam attach-role-policy command,
e.g.

aws iam attach-role-policy \
--policy-arn arn:aws:iam::123456789000:policy/some_IAM_policy_to_apply \
--role-name eks-node-to-apply

Note that --role-name is the nodes' role name, which you can retrieve via this command:
kubectl -n kube-system describe configmap aws-auth. You will need to run attach-role-policy for each of the nodes in the cluster.

I myself am not sure whether eksctl or kubectl can add an IAM policy to an existing cluster, since once the cluster is created, e.g. using eksctl create cluster -f custom-cluster.yaml, you can't update it, unless you create new nodegroups in the same cluster with the IAM role added in the custom-cluster.yaml config, and then once the new nodegroups are up, you can remove the old ones.

Hope it helps.
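The out-of-band route in the comment above, as an added example that is not part of the original thread or of eksctl itself: it reads the rolearn entries out of the aws-auth ConfigMap, reduces them to IAM role names, and emits one aws iam attach-role-policy call per role. The account ID, the cluster name "demo" and the role-name suffixes in the embedded ConfigMap are constructed; the function names node_role_names and attach_policy_cmds are this example's own. Because eksctl creates one NodeInstanceRole per nodegroup and every node in that nodegroup assumes it, one attach per role covers all of its nodes; there is no per-node step.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): derive the node instance role
# names from the aws-auth ConfigMap and attach one managed policy to each.
# Account ID, cluster name and role suffixes below are constructed.
set -u

# Constructed sample of `kubectl -n kube-system get configmap aws-auth -o yaml`
# for a cluster with two eksctl-managed nodegroups (ng-1 and ng-2).
AWS_AUTH_SAMPLE='apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::123456789000:role/eksctl-demo-nodegroup-ng-1-NodeInstanceRole-1AB2C3D4E5F6
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::123456789000:role/eksctl-demo-nodegroup-ng-2-NodeInstanceRole-9Z8Y7X6W5V4U
      username: system:node:{{EC2PrivateDNSName}}
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system'

# node_role_names CONFIGMAP_YAML
# Prints the IAM role name (last path segment of each rolearn) once per role.
# A role is shared by every node in its nodegroup, so one attach per role is enough.
node_role_names() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*rolearn:[[:space:]]*\(arn:aws:iam::[0-9]*:role\/.*\)$/\1/p' \
    | awk -F/ '{ print $NF }' \
    | sort -u
}

# attach_policy_cmds POLICY_ARN CONFIGMAP_YAML
# Emits one `aws iam attach-role-policy` invocation per role. The commands are
# printed rather than executed so they can be reviewed first; pipe to `sh` to run.
attach_policy_cmds() {
  local policy_arn="$1" configmap="$2" role
  node_role_names "$configmap" | while IFS= read -r role; do
    printf 'aws iam attach-role-policy --policy-arn %s --role-name %s\n' \
      "$policy_arn" "$role"
  done
}

attach_policy_cmds arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore "$AWS_AUTH_SAMPLE"
```

Against a live cluster, replace AWS_AUTH_SAMPLE with the output of kubectl -n kube-system get configmap aws-auth -o yaml. Two caveats before running the emitted commands: the attachment happens outside the nodegroup's CloudFormation stack, so the stack template and the eksctl config no longer describe what the role actually has; and anything attached to the node role is reachable from every pod on those nodes through the instance metadata service, so a broad policy widens the blast radius of any compromised pod, which is the reason pod-level roles (the subject of #1497) exist.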

Also wondering if there is an answer to this. I want to be able to give my developers a flow where they can:
1) Create a Kubernetes microservice with an IAM policy defined
2) Update the iam policy over time

Currently it doesn't look like eksctl supports updating the iam policy over time without deleting and recreating it?

Related to #1497

I am using eksctl version Info{BuiltAt:"", GitCommit:"", GitTag:"0.5.3"}
and I have created a couple of clusters in AWS EKS Kubernetes version 1.13.
On one of these clusters I did not edit the iam section to include attachPolicyARNs:

iam.attachPolicyARNs is a nodegroup field, and eksctl does not support updating a nodegroup after it has been created (barring some properties like the scaling config).

My question is how can I apply an existing policy to an existing cluster without deleting and recreating the cluster?

You don't need to delete and recreate the cluster to update the IAM policies for a nodegroup. You only need to delete and recreate that nodegroup with the new policies. If you cannot afford deleting the nodegroup, you'll have to update the nodegroup's CloudFormation stack manually to include the new policies in the NodeInstanceRole resource.

Related to #1497

@mike-stewart for clarity, the issue you linked to is for updating the policies of an IAM role that's used to assign fine-grained roles at the pod level. This issue is for updating the policies of the IAM role that's attached at the node level.

Closing, a solution has been posted and further support for this kind of workflow/update falls under the umbrella of https://github.com/weaveworks/eksctl/issues/984/ (eksctl update)
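The nodegroup-replacement route the maintainer describes, as an added example that is not part of the original thread or of eksctl's own code: write a ClusterConfig declaring a replacement nodegroup whose iam.attachPolicyARNs includes the extra policy, then create it, confirm its nodes joined, and delete the old nodegroup. The cluster name "demo", the region, instance type and the nodegroup names ng-1/ng-2 are assumptions, and write_nodegroup_config, config_has_policy and replacement_plan are this example's own helpers. One pitfall it encodes: when attachPolicyARNs is given, eksctl does not add its default node policies, so AmazonEKSWorkerNodePolicy, AmazonEKS_CNI_Policy and AmazonEC2ContainerRegistryReadOnly have to be listed alongside the new one.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): replace a nodegroup to change
# its node-role policies. Cluster "demo", region, instance type and nodegroup
# names are hypothetical. The eksctl/kubectl commands are printed, not run.
set -u

# write_nodegroup_config PATH CLUSTER REGION NODEGROUP EXTRA_POLICY_ARN
# Writes a ClusterConfig with the replacement nodegroup. With attachPolicyARNs
# set, eksctl does not add its default node policies, so they are listed too.
write_nodegroup_config() {
  local path="$1" cluster="$2" region="$3" ng="$4" extra_policy="$5"
  cat > "$path" <<EOF
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: ${cluster}
  region: ${region}
nodeGroups:
  - name: ${ng}
    instanceType: m5.large
    desiredCapacity: 2
    iam:
      attachPolicyARNs:
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        - ${extra_policy}
EOF
}

# config_has_policy PATH POLICY_ARN
# Returns 0 if the written config lists the policy ARN (a pre-flight check that
# the default policies were not dropped when the list was edited by hand).
config_has_policy() {
  grep -q -- "- $2\$" "$1"
}

# replacement_plan PATH CLUSTER OLD_NODEGROUP NEW_NODEGROUP
# The command sequence, in order: create the new nodegroup from the config,
# confirm its nodes registered (eksctl labels them by nodegroup), then delete
# the old nodegroup, which eksctl drains before removing its stack.
replacement_plan() {
  local path="$1" cluster="$2" old_ng="$3" new_ng="$4"
  cat <<EOF
eksctl create nodegroup --config-file=${path} --include=${new_ng}
kubectl get nodes -l alpha.eksctl.io/nodegroup-name=${new_ng}
eksctl delete nodegroup --cluster=${cluster} --name=${old_ng}
EOF
}

CONFIG_PATH="${TMPDIR:-/tmp}/demo-ng-2.yaml"
write_nodegroup_config "$CONFIG_PATH" demo us-west-2 ng-2 \
  arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
replacement_plan "$CONFIG_PATH" demo ng-1 ng-2
```

Run the printed commands one at a time and only delete ng-1 once the kubectl check shows ng-2's nodes Ready; the rolling replacement keeps the cluster serving, which is what the thread's "delete and recreate the nodegroup" advice amounts to in practice.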
