Authenticating the agent on AWS EKS

If your agent runs on an AWS EKS cluster, you can leverage these methods to assign an AWS IAM role to your env0 deployments.

Using the Node Role

The Node Role is the IAM Role assigned to the EC2 Instances that serve as nodes in your EKS cluster. You can either use that role directly, by giving it permissions, or use it to assume a different role. More details can be found in the EKS User Guide.

🚧

Node IAM Roles

Please note: if you are using AWS EKS and do not wish to use the Node IAM Role, you will need to explicitly restrict access to it. More details can be found here.

Using IAM roles for service accounts

You can associate an IAM role with a Kubernetes Service Account (KSA). The KSA that will be used by env0 is the default KSA under the env0-agent namespace.

You'll need to follow the AWS guide - How to enable service accounts to access AWS resources. The SERVICE_ACCOUNT_NAMESPACE will be env0-agent and the SERVICE_ACCOUNT_NAME will be default.

If you override these parameters in your installation, please make sure to use the correct values.
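After following the AWS guide, you can check that the role's trust policy admits only the `default` service account in `env0-agent`. The following is an added example, not env0 or AWS code; the account ID, OIDC provider ID and function names are constructed for illustration.

```python
import json

# Namespace and service account named on this page; change if overridden at install.
EXPECTED_SUB = "system:serviceaccount:env0-agent:default"
EXPECTED_AUD = "sts.amazonaws.com"

# Constructed sample: the account ID and OIDC provider ID are placeholders.
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE00000000000000000000000000"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{OIDC}:sub": EXPECTED_SUB,
                                       f"{OIDC}:aud": EXPECTED_AUD}},
    }],
}

def as_list(value):
    """IAM lets most fields be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_sub=EXPECTED_SUB):
    """Return findings for a role trust policy (dict or JSON text); [] means scoped."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    allows = [s for s in as_list(doc.get("Statement", []))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRoleWithWebIdentity" in as_list(s.get("Action", []))]
    if not allows:
        return ["no Allow statement for sts:AssumeRoleWithWebIdentity"]
    findings = []
    for n, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        arns = as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        providers = [a.split(":oidc-provider/", 1)[1] for a in arns if ":oidc-provider/" in a]
        if len(providers) != 1:
            findings.append(f"statement {n}: principal is not a single IAM OIDC provider")
            continue
        # Only exact matches count: a StringLike pattern can admit other service accounts.
        exact = stmt.get("Condition", {}).get("StringEquals", {})
        if as_list(exact.get(f"{providers[0]}:sub", [])) != [expected_sub]:
            findings.append(f"statement {n}: sub not pinned by StringEquals to {expected_sub}")
        if as_list(exact.get(f"{providers[0]}:aud", [])) != [EXPECTED_AUD]:
            findings.append(f"statement {n}: aud not pinned by StringEquals to {EXPECTED_AUD}")
    return findings

if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_POLICY) or "trust policy is scoped to env0-agent/default")
```

Pass `expected_sub` explicitly if you overrode the namespace or service account name at install time.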

🚧

Assume Role Deploy Credentials Duration

Please note that using IAM Service Accounts to "Assume Role Deploy Credentials" means the assumed session will only be valid for an hour, as "role chaining" on AWS is limited to one hour.