# Create an AWS CAPI Cluster Using AWS Assume Role

## Pre-requisites for using Assume Role

For Assume Role to work you need two AWS accounts:

1. Source Account: the AWS account whose credentials Cluster API Provider AWS uses to assume a role in the Target Account.
2. Target Account: the AWS account into which the role is assumed and where the actual cluster resources, such as the VPC and EC2 instances, are created. The Target Account can also be the same as the Source Account if a use case requires it.

Steps:

* Create the required CloudFormation stack in both the Source and Target Accounts. Steps to create it:
  * [**Download the CloudFormation stack template**](https://raw.githubusercontent.com/platform9/support-locker/master/pmk/aws-capi-cloudformation.template) required by PMK.
  * Follow the AWS prescribed steps to create a CloudFormation stack using the above template: <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html>. Name the CloudFormation stack `cluster-api-provider-aws-sigs-k8s-io`.
  * Once created, the stack should look like the image shown below. All the IAM policies and roles required for CAPI clusters to work should be created by it.

<figure><img src="/files/7SjCDJ5yHwnwND1rFvaS" alt=""><figcaption></figcaption></figure>

* Create an AWS Cloud Provider in PMK using the Source Account mentioned above.
  * Follow [Add AWS Cloud Provider](https://github.com/platform9/pcd-docs-gitbook/blob/main/kubernetes/add-aws-cloud-provider/README.md) to create it.
  * The Source Account user must have an IAM policy that allows it to perform the `sts:AssumeRole` operation. The policy below allows assuming any role; where possible, restrict `Resource` to the ARN of the Target Role created in the next step instead of `*`.
    * The Source Account user ARN would be like: `"arn:aws:iam::<Source Account>:user/sourceaccountuser"`.

{% tabs %}
{% tab title="JSON" %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"
        }
    ]
}
```

{% endtab %}
{% endtabs %}

* Create an AWS role with a custom trust policy in the Target Account so that the Source Account principals can assume it. The trust policy below lists only the Source Account user and the CAPI controllers role; do not widen it to the whole Source Account (`:root`) or to `*`.
  * Note that the role `"arn:aws:iam::<Source Account>:role/controllers.cluster-api-provider-aws.sigs.k8s.io"` is created by the CloudFormation stack in the Source Account (step 1 above).

{% tabs %}
{% tab title="pmk-source-user-trust-policy-role" %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "Service": "ec2.amazonaws.com",
            "AWS": [
                "arn:aws:iam::<Source Account>:user/sourceaccountuser",
                "arn:aws:iam::<Source Account>:role/controllers.cluster-api-provider-aws.sigs.k8s.io"
            ]
        },
        "Action": "sts:AssumeRole"
    }
  ]
}
```

{% endtab %}
{% endtabs %}

Once created, the Target Role should look like:

<figure><img src="/files/u6utbqGejWPWoAZ4BBB2" alt=""><figcaption></figcaption></figure>
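Before moving on to cluster creation, it is worth checking the two policy documents and the assume-role hop itself from the command line rather than discovering a trust-policy mistake when the cluster fails to come up. The script below is an added example and is not part of PMK or of Cluster API Provider AWS: it renders the Source Account permission policy and the Target Account trust policy from account IDs, lints a trust policy for principals broader than the ones shown above (a `*` or an account `:root` instead of the specific user and controllers role), and, when `boto3` and valid Source Account credentials are present, performs the same `sts:AssumeRole` call PMK will make and returns the identity the Target Account sees. The account IDs `111111111111` and `222222222222`, the user name `sourceaccountuser` and the role name `pmk-target-role` are placeholders, and the permission policy here pins `Resource` to the Target Role ARN rather than `*`.

```python
"""Render, lint and verify the IAM documents for the PMK AssumeRole setup.

Added example, not PMK or CAPA code. Account IDs, user and role names are
placeholders; replace them with your own values.
"""
import json

# Role created by the CloudFormation stack in the Source Account.
CAPA_CONTROLLERS_ROLE = "controllers.cluster-api-provider-aws.sigs.k8s.io"


def source_user_policy(target_account: str, target_role: str) -> dict:
    """Permission policy for the Source Account user.

    Resource is pinned to the one Target Role instead of "*" so the user
    cannot assume arbitrary roles that happen to trust it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{target_account}:role/{target_role}",
        }],
    }


def target_role_trust_policy(source_account: str, source_user: str) -> dict:
    """Trust policy for the Target Account role, matching the page's shape:
    the Source Account user, the CAPA controllers role and the EC2 service."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com",
                "AWS": [
                    f"arn:aws:iam::{source_account}:user/{source_user}",
                    f"arn:aws:iam::{source_account}:role/{CAPA_CONTROLLERS_ROLE}",
                ],
            },
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise."""
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy: dict, allowed_principals: set) -> list:
    """Return findings for every Allow statement granting sts:AssumeRole to a
    principal outside allowed_principals, or to "*" / an account root."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # statement does not grant role assumption
        principal = st.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: Principal is '*'")
            continue
        for key in ("AWS", "Service", "Federated"):
            for p in _as_list(principal.get(key, [])):
                if p == "*" or p.endswith(":root"):
                    findings.append(f"statement {i}: overly broad principal {p}")
                elif p not in allowed_principals:
                    findings.append(f"statement {i}: unexpected principal {p}")
    return findings


def assume_role_identity(role_arn: str, session_name: str = "pmk-assume-role-check") -> str:
    """Assume role_arn with the caller's (Source Account) credentials and
    return the ARN the Target Account sees. Needs boto3 and live credentials,
    so it is only called from main and never in an offline run."""
    import boto3  # imported lazily so the rest of the file runs without it
    sts = boto3.client("sts")
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    assumed = boto3.client(
        "sts",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return assumed.get_caller_identity()["Arn"]


if __name__ == "__main__":
    src, tgt = "111111111111", "222222222222"  # placeholder account IDs
    trust = target_role_trust_policy(src, "sourceaccountuser")
    allowed = {
        f"arn:aws:iam::{src}:user/sourceaccountuser",
        f"arn:aws:iam::{src}:role/{CAPA_CONTROLLERS_ROLE}",
        "ec2.amazonaws.com",
    }
    print(json.dumps(source_user_policy(tgt, "pmk-target-role"), indent=2))
    print(json.dumps(trust, indent=2))
    print("trust policy findings:", lint_trust_policy(trust, allowed))
    # Uncomment with Source Account credentials configured to test the hop:
    # print(assume_role_identity(f"arn:aws:iam::{tgt}:role/pmk-target-role"))
```

A successful hop returns an ARN of the form `arn:aws:sts::<Target Account>:assumed-role/pmk-target-role/pmk-assume-role-check`; an `AccessDenied` from `assume_role` means either the Source Account user lacks `sts:AssumeRole` on that resource or the Target Role's trust policy does not list the caller. The same check from the CLI is `aws sts assume-role --role-arn <Target Role ARN> --role-session-name pmk-assume-role-check`.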

## Creating the Cluster

Using the resources created in pre-requisite steps, create the cluster.

* Navigate to Infrastructure > Clusters
* Click **Add Cluster**
* Choose **Amazon Web Services**
* Select **New Generation AWS Cluster**
* Click **Start Configuration**
* Enable the AWS Assume Role toggle
  * Choose the Source Account provider created in the pre-requisite steps.
  * Enter the Target Role ARN (the role created in the Target Account above).

Example:

<figure><img src="/files/OSXgwy8zMotV8xecIWj8" alt=""><figcaption></figcaption></figure>

Go to [Creating AWS CAPI Clusters](https://github.com/platform9/pcd-docs-gitbook/blob/main/kubernetes/creating-aws-capi-clusters/README.md) for the remaining cluster creation steps.
