If your agent runs on an AWS EKS cluster, you can leverage these methods to assign an AWS IAM role to your env0 deployments.
The Node Role is the IAM Role assigned to the EC2 Instances that serve as nodes to your EKS cluster. You can use that role directly - by giving it permissions - or assume a different role from that role. More details can be found in the EKS User Guide.
Node IAM Roles
Please note - if you are using AWS EKS and do not wish to use the Node IAM Role, you will need to explicitly restrict access to it. More details can be found here.
You can associate an IAM role with a Kubernetes Service Account (KSA). The KSA that will be used by env0 is the default KSA under the
You'll need to follow the AWS guide - How to enable service accounts to access AWS resources. The SERVICE_ACCOUNT_NAMESPACE will be env0-agent and the SERVICE_ACCOUNT_NAME will be
If you override these parameters in your installation, please make sure to use the correct values.
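The check below is an added example, not env0's or AWS's own code: it audits an IAM role trust policy to confirm that only the intended service account can assume the role through the cluster's OIDC provider. The account ID and OIDC provider ID are constructed placeholders, and the service account name default is an assumption taken from the "default KSA" wording above; substitute your own values if you override them.

```python
# Constructed sample values: account ID and OIDC provider ID are placeholders.
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE00000000000000000000000000"


def trust_policy(operator, sub, with_aud=True):
    """Build a constructed IRSA trust policy whose sub uses the given operator."""
    cond = {operator: {f"{OIDC}:sub": sub}}
    if with_aud:
        cond.setdefault("StringEquals", {})[f"{OIDC}:aud"] = "sts.amazonaws.com"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": cond,
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _by_claim(block):
    # Condition keys look like "<issuer>:sub"; index them by the claim name.
    return {key.rsplit(":", 1)[-1]: _as_list(val) for key, val in block.items()}


def audit_irsa_trust(policy, namespace, sa_name):
    """Return findings for an IRSA trust policy; an empty list means it is pinned."""
    expected = f"system:serviceaccount:{namespace}:{sa_name}"
    findings = []
    web = [s for s in _as_list(policy.get("Statement", []))
           if s.get("Effect") == "Allow"
           and "sts:AssumeRoleWithWebIdentity" in _as_list(s.get("Action"))]
    if not web:
        return ["no Allow statement for sts:AssumeRoleWithWebIdentity"]
    for stmt in web:
        cond = stmt.get("Condition", {})
        exact = _by_claim(cond.get("StringEquals", {}))
        loose = _by_claim(cond.get("StringLike", {}))
        # The sub claim must match exactly one service account, not a pattern.
        if exact.get("sub") != [expected]:
            seen = exact.get("sub") or loose.get("sub") or "nothing"
            findings.append(f"sub not pinned to {expected} (found {seen})")
        if exact.get("aud") != ["sts.amazonaws.com"]:
            findings.append("aud not pinned to sts.amazonaws.com")
    return findings
```

Run it against the output of your role's trust policy document; a wildcard or missing sub condition means other service accounts in the cluster could assume the deployment role.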
Assume Role Deploy Credentials Duration
Please note that using IAM Service Accounts to "Assume Role Deploy Credentials" means the assumed session will only be valid for an hour - as "role chaining" on AWS is limited to one hour.