AWS Role Credentials

Configure an AWS Cloud Provider with a User Role

IMPORTANT: We highly recommend using the Role-based method as this is more secure.

NOTE: The Role authentication method can only be used if your management cluster is running in AWS.

For more flexible credential configuration, we offer a role-based authentication method with an optional External ID for third-party access.

The role should grant permissions to create the following resources in the AWS account:

  • EC2 Instances
  • VPC
  • Subnets
  • Elastic Load Balancer (ELB)
  • Internet Gateway
  • NAT Gateway
  • Elastic Block Storage (EBS) Volumes
  • Security Groups
  • Route Tables
  • IAM Roles

The role you delegate to must have a minimum set of permissions. Below is the minimal IAM policy required:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Kommander",
      "Effect": "Allow",
      "Action": [
      ],
      "Resource": "*"
    }
  ]
}
```

To use this option, attach the following policy to the role attached to your Kommander cluster, so that the cluster is allowed to assume the role you created:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeRoleKommander",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::YOURACCOUNTRESTRICTION:role/THEROLEYOUCREATED"
    }
  ]
}
```

Instead of doing this manually, you can add the following file into the extras/provisioner/ directory next to your cluster.yaml file:

```hcl
# Attaching sts:AssumeRole to the default node role from konvoy
resource "aws_iam_role_policy" "agent_policy_assumerole_kommander" {
  # Only create the policy when konvoy also creates the instance profile
  count  = "${var.create_iam_instance_profile ? 1 : 0}"
  name   = "AssumeRoleKommander"
  role   = "${}" # reference to the konvoy node role name goes here
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeRoleKommander",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::YOURACCOUNTRESTRICTION:role/THEROLEYOUCREATED"
    }
  ]
}
EOF
}
```

Refer to the AWS documentation for creating a role for an IAM user.

In Kommander, select the Workspace associated with the credentials you are adding.

Navigate to Administration > Cloud Providers and click the Add Cloud Provider button.

Add Cloud Provider

  • Select the Amazon Web Services (AWS) option in the Add Cloud Provider dialog.
  • Ensure “Static” is selected as the Authentication Method.
  • Select a name for your cloud provider. Consider choosing a name that matches the AWS user.
  • Enter the Role ARN.
  • You can add an External ID if you share the role with a third party. The External ID protects your environment from the role being assumed unintentionally. See the AWS documentation for more about External IDs.
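The AssumeRoleKommander policy above lets the cluster role call sts:AssumeRole, but the role being assumed must also trust that caller in its own trust policy, and that trust policy is where an External ID is actually enforced (as a condition on sts:ExternalId). The following is an added example, not code from the Kommander documentation or from the Konvoy project: it builds the trust policy for the delegated role, optionally requiring an External ID, and runs a small check over it for the mistakes that matter most (a wildcard principal, a wildcard action, or a third-party share without an External ID condition). The account IDs and role names are constructed placeholders.

```python
"""Trust policy for the delegated role, with an optional External ID.

Added example (not from the Kommander docs). The ARNs below are
constructed placeholders, not values from the page.
"""
import json

# Constructed placeholder ARNs (not from the page).
KOMMANDER_NODE_ROLE_ARN = "arn:aws:iam::111111111111:role/konvoy-node-role"
THIRD_PARTY_ACCOUNT_ARN = "arn:aws:iam::222222222222:root"


def build_trust_policy(trusted_principal_arn, external_id=None):
    """Return the trust (assume-role) policy document for the delegated role.

    With an External ID, the AssumeRole call only succeeds when the caller
    passes exactly that ID, so a third party that can assume roles in many
    customer accounts cannot be steered into using this one by mistake.
    """
    statement = {
        "Sid": "TrustKommander",
        "Effect": "Allow",
        "Principal": {"AWS": trusted_principal_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, require_external_id):
    """Return a list of findings; an empty list means the trust policy looks sound.

    Flags a wildcard principal, an Action broader than sts:AssumeRole, and a
    missing sts:ExternalId condition when the role is shared with a third party.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")

        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS", []))
        else:
            aws_principals = _as_list(principal)
        if "*" in aws_principals:
            findings.append(f"{sid}: wildcard principal lets any AWS account assume the role")

        if any("*" in action for action in _as_list(stmt.get("Action", []))):
            findings.append(f"{sid}: Action should be exactly sts:AssumeRole, not a wildcard")

        conditions = stmt.get("Condition", {})
        has_external_id = any(
            "sts:ExternalId" in keys for keys in conditions.values() if isinstance(keys, dict)
        )
        if require_external_id and not has_external_id:
            findings.append(f"{sid}: shared with a third party but no sts:ExternalId condition is set")
    return findings


if __name__ == "__main__":
    # Role shared with a third party: require the External ID.
    policy = build_trust_policy(THIRD_PARTY_ACCOUNT_ARN, external_id="example-external-id-1234")
    print(json.dumps(policy, indent=2))
    print(check_trust_policy(policy, require_external_id=True))
```

Paste the printed document into the trust relationship of the role whose ARN you enter in Kommander; the External ID in the condition must be the same value you enter in the Add Cloud Provider dialog, otherwise the AssumeRole call is denied.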