
[Feature] Support AmazonEBSCSIDriverEKSClusterScopedPolicy for nodegroup EBS addon IAM policy #8715

@steffakasid


As I didn't find anything about that topic, I'll create it as a feature request, but it might be that you already have this on your agenda.

What feature/behavior/change do you want?

Please add support for AmazonEBSCSIDriverEKSClusterScopedPolicy when eksctl provisions IAM permissions for EBS on nodegroups via:

nodeGroups:
  - name: ng-1
    iam:
      withAddonPolicies:
        ebs: true

Today, eksctl can set up EBS-related IAM permissions through withAddonPolicies.ebs, but AWS now recommends migrating away from the broader AmazonEBSCSIDriverPolicy to newer least-privilege policies. For EKS, the most relevant one is:

  • AmazonEBSCSIDriverEKSClusterScopedPolicy

It would be helpful if eksctl could:

  1. Use AmazonEBSCSIDriverEKSClusterScopedPolicy instead of the legacy AmazonEBSCSIDriverPolicy when nodeGroups[].iam.withAddonPolicies.ebs: true is configured.
  2. Document this behavior and the required migration steps.
  3. Warn users if the legacy policy remains attached, because keeping both policies would leave the broader permissions in effect.

Expected result: when eksctl creates or updates the IAM permissions behind withAddonPolicies.ebs, it should support the newer cluster-scoped managed policy instead of leaving users on the broader legacy permissions model.

Why do you want this feature?

AWS sent an account health notification recommending migration away from AmazonEBSCSIDriverPolicy to newer managed policies that better follow least-privilege best practices.

For our use case, AmazonEBSCSIDriverEKSClusterScopedPolicy is the better fit because it:

  • restricts access to resources belonging to a specific EKS cluster,
  • reduces the risk of cross-cluster access,
  • aligns with AWS guidance,
  • and improves the security posture of nodegroups configured through eksctl.

Right now, if eksctl sets up the IAM permissions through nodeGroups[].iam.withAddonPolicies.ebs: true, users still need manual follow-up work to move to the newer policy model. That makes rollout and maintenance harder and more error-prone. Also, we're regularly recreating our nodegroups with new AMIs, so this would then automatically move us to the new permission model.

This is especially relevant because AWS describes the migration as a breaking change for some static provisioning scenarios. First-class support in eksctl would make adoption safer, clearer, and easier to manage.
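A check for the third point in the request above (warn when the legacy policy is still attached), as an added example that is not part of this issue or of eksctl's code base. It classifies the managed policies attached to a node instance role by policy name and flags the two states that leave the broader permissions in effect: the legacy AmazonEBSCSIDriverPolicy attached on its own, or attached alongside AmazonEBSCSIDriverEKSClusterScopedPolicy. The role names and policy ARNs in the sample data are constructed, the ARN path used for the cluster-scoped policy is an assumption (the check matches on the name, so the path does not matter), and the `attached_policy_arns` helper, which uses boto3's `list_attached_role_policies` paginator, is not exercised in the offline run.

```python
"""Audit nodegroup IAM roles for the EBS CSI managed-policy migration.

Added example, not eksctl code. It classifies the managed policies attached
to a node instance role as legacy (AmazonEBSCSIDriverPolicy) or cluster-scoped
(AmazonEBSCSIDriverEKSClusterScopedPolicy) and produces the warning the
feature request asks for: the legacy policy still attached, alone or next to
the new one, which leaves the broader permissions in effect.
"""
from dataclasses import dataclass, field

LEGACY_POLICY = "AmazonEBSCSIDriverPolicy"
CLUSTER_SCOPED_POLICY = "AmazonEBSCSIDriverEKSClusterScopedPolicy"


def policy_name(arn: str) -> str:
    """Name of a managed policy from its ARN; the path (e.g. /service-role/) is ignored."""
    return arn.rsplit("/", 1)[-1]


@dataclass
class EbsPolicyReport:
    role_name: str
    legacy_attached: bool
    cluster_scoped_attached: bool
    warnings: list = field(default_factory=list)

    @property
    def status(self) -> str:
        """One of: legacy-only, both, migrated, none."""
        if self.legacy_attached and self.cluster_scoped_attached:
            return "both"
        if self.legacy_attached:
            return "legacy-only"
        if self.cluster_scoped_attached:
            return "migrated"
        return "none"


def audit_ebs_policies(role_name: str, attached_policy_arns) -> EbsPolicyReport:
    """Classify a role's attached managed policies and emit migration warnings."""
    names = {policy_name(arn) for arn in attached_policy_arns}
    report = EbsPolicyReport(
        role_name=role_name,
        legacy_attached=LEGACY_POLICY in names,
        cluster_scoped_attached=CLUSTER_SCOPED_POLICY in names,
    )
    if report.status == "both":
        report.warnings.append(
            f"{role_name}: {LEGACY_POLICY} is still attached alongside "
            f"{CLUSTER_SCOPED_POLICY}; the broader permissions remain in effect "
            "until the legacy policy is detached."
        )
    elif report.status == "legacy-only":
        report.warnings.append(
            f"{role_name}: only {LEGACY_POLICY} is attached; attach "
            f"{CLUSTER_SCOPED_POLICY}, verify the EBS CSI driver still works "
            "(static provisioning may be affected), then detach the legacy policy."
        )
    return report


def attached_policy_arns(iam_client, role_name: str) -> list:
    """Fetch the managed-policy ARNs attached to a role with a boto3 IAM client.

    Uses the list_attached_role_policies paginator; not called in the offline run.
    """
    arns = []
    paginator = iam_client.get_paginator("list_attached_role_policies")
    for page in paginator.paginate(RoleName=role_name):
        arns.extend(p["PolicyArn"] for p in page["AttachedPolicies"])
    return arns


# Constructed sample data: role names and policy ARNs are made up for this
# example. The ARN path of the cluster-scoped policy is an assumption; the
# check matches on the policy name, so the path does not matter.
SAMPLE_ROLES = {
    "eksctl-demo-nodegroup-ng-1-NodeInstanceRole": [
        "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
        "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
    ],
    "eksctl-demo-nodegroup-ng-2-NodeInstanceRole": [
        "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
        "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
        "arn:aws:iam::aws:policy/AmazonEBSCSIDriverEKSClusterScopedPolicy",
    ],
    "eksctl-demo-nodegroup-ng-3-NodeInstanceRole": [
        "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
        "arn:aws:iam::aws:policy/AmazonEBSCSIDriverEKSClusterScopedPolicy",
    ],
}


def audit_all(roles) -> dict:
    """Audit every role in a {role_name: [policy_arn, ...]} mapping."""
    return {name: audit_ebs_policies(name, arns) for name, arns in roles.items()}


if __name__ == "__main__":
    for report in audit_all(SAMPLE_ROLES).values():
        print(f"{report.role_name}: {report.status}")
        for warning in report.warnings:
            print("  WARNING:", warning)
```

Matching on the policy name rather than the full ARN keeps the check independent of the path AWS assigns to each managed policy, and the "both" state is reported separately from "legacy-only" because it is the easy one to miss: the new policy is present, so the migration looks done, while the legacy permissions are still granted.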
