You must replace the {placeholders} (including the curly braces that indicate them) with the
correct values for the region, AWS account_id, specific tm_iam_prefix, ARN and namespace
for your setup. You can optionally create the policy and role under a specific IAM path rather
than the root path.
Classification | Confidential 45 © 2023 Thought Machine
# create the first policy, so that it can be used as a permissions boundary for the applications
aws iam create-policy --policy-name vault-role-permissions-boundary --path {path} --policy-document file://vault-role-permission-boundary.json
# create the second policy, so that it can be used as a permissions boundary for the Vault Installer
# ({vault-installer-permissions-boundary-document} is the JSON file holding that boundary policy)
aws iam create-policy --policy-name vault-installer --path {path} --policy-document file://{vault-installer-permissions-boundary-document}
# create the Vault Installer role, referencing the second policy above as the permissions boundary
# ({vault_installer_policy_arn} is the policy ARN returned by the previous create-policy command)
# Note: You must supply a trust relationship policy document; see the AWS documentation for the commands at the link above for more information
aws iam create-role --role-name vault-installer --assume-role-policy-document file://trustrelationship.json --permissions-boundary {vault_installer_policy_arn}
# attach the policy as an inline policy, so that the Vault Installer inherits the permissions that it needs
aws iam put-role-policy --role-name vault-installer --policy-name vault-installer --policy-document file://vault-installer-policy.json
# annotate the Vault Installer Service Account with the ARN of its IAM Role (when the TM Service Account is deployed)
kubectl annotate serviceaccount -n $namespace vault-installer eks.amazonaws.com/role-arn=arn:aws:iam::$account_id:role/vault-installer
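The create-role step above sets a permissions boundary, and the put-role-policy step attaches the inline policy the installer actually uses. As an added example (not from the Thought Machine document and not the contents of its vault-*.json files), the Python below evaluates two constructed sample policies to show that the role's effective permissions are the intersection of the inline policy and the boundary, so the boundary caps the installer even if the inline policy is later widened; the account id 111122223333, the statements and the resource names are assumptions.

```python
import fnmatch
import json

# Constructed sample documents (NOT the vault-*.json files from the install guide):
# a permissions boundary for the Vault Installer and the inline policy attached to it.
# Account id 111122223333 and the role/policy names are assumptions for the demo.
INSTALLER_BOUNDARY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "eks:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/vault-*"}
  ]
}""")

INSTALLER_INLINE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:*", "eks:DescribeCluster"], "Resource": "*"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource):
    """IAM-style evaluation of one document: an explicit Deny wins, otherwise any
    matching Allow grants. Actions match case-insensitively, resources exactly."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allow(identity_policy, boundary, action, resource):
    """A permissions boundary never grants anything on its own: the request is
    allowed only if BOTH the identity policy and the boundary allow it."""
    return (policy_allows(identity_policy, action, resource)
            and policy_allows(boundary, action, resource))
```

With these documents the inline policy's iam:* is cut down to the read-only and PassRole actions the boundary lists, which is the check to run against your real boundary document before widening the inline policy.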