Authenticating the agent on AWS EKS
If your agent runs on an AWS EKS cluster, you can leverage these methods to assign an AWS IAM role to your env0 deployments.
Using Node Role
Node Role is the IAM role assigned to the EC2 instances that serve as nodes in your EKS cluster. You can use that role directly, by granting it permissions, or assume a different role from it. More details can be found in the EKS User Guide.
Node IAM Roles
Please note - if you are using AWS EKS and do not wish to use the Node IAM Role, you will need to restrict access to it specifically. More details can be found here.
Using IAM Roles for Service Accounts
By default, env0 uses the default service account within the env0-agent namespace.
To specify a different service account or namespace, you can set the SERVICE_ACCOUNT_NAME and SERVICE_ACCOUNT_NAMESPACE environment variables in env0.
For detailed steps on configuring a new service account, refer to this AWS guide.
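The check below is an added example, not env0 or AWS code: it inspects the trust policy of an IAM role used with IAM Roles for Service Accounts and reports whether the role is pinned to the default service account in the env0-agent namespace. The function name check_irsa_trust, the OIDC issuer and the account ID are hypothetical placeholders, and the sample policy is constructed.

```python
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000000000"  # placeholder issuer

# Constructed trust policy; the account ID and issuer are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC}:aud": "sts.amazonaws.com",
            f"{OIDC}:sub": "system:serviceaccount:env0-agent:default",
        }},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_irsa_trust(policy, namespace="env0-agent", service_account="default"):
    """Return findings for an IRSA trust policy; an empty list means the role
    can only be assumed by the one expected service account."""
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    findings = []
    stmts = [s for s in _as_list(policy.get("Statement", []))
             if s.get("Effect") == "Allow"
             and "sts:AssumeRoleWithWebIdentity" in _as_list(s.get("Action"))]
    if not stmts:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    for s in stmts:
        principal = s.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if not isinstance(federated, str) or ":oidc-provider/" not in federated:
            findings.append("principal is not a single OIDC provider")
            continue
        issuer = federated.split(":oidc-provider/", 1)[1]
        cond = s.get("Condition", {})
        exact = cond.get("StringEquals", {})
        if exact.get(f"{issuer}:sub") != expected_sub:
            if f"{issuer}:sub" in cond.get("StringLike", {}):
                findings.append("sub uses StringLike; wildcards may admit other service accounts")
            else:
                findings.append(f"sub is not pinned to {expected_sub}")
        if exact.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
    return findings
```

If you set SERVICE_ACCOUNT_NAME or SERVICE_ACCOUNT_NAMESPACE in env0, pass the same values as service_account and namespace so the check matches the account the agent actually uses.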
Assume Role Deploy Credentials Duration
Please note that using IAM Service Accounts to "Assume Role Deploy Credentials" means the assumed session will only be valid for an hour, as "role chaining" on AWS is limited to one hour.