The official AWS EKS user guide walks users through creating a cluster with the official eksctl tool.

If you wish to make use of Garden's In-Cluster Building feature that leverages more-powerful remote Kubernetes clusters for image building, you'll need to pass a few additional flags to eksctl.


The following command creates an EKS cluster with a managed node group built from any AWS instance type that meets the criteria of 4 vCPUs and 16 GiB of memory. It uses IAM Roles for Service Accounts (IRSA) to attach a policy granting power user access to Amazon Elastic Container Registry (ECR) to a service account in the cluster. Visit the docs for more details on the AmazonEC2ContainerRegistryPowerUser policy.

```bash
eksctl create cluster -f - <<EOF
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: $USER-cluster
  region: $AWS_REGION

managedNodeGroups:
- name: mng
  # pick any instance type with 4 vCPUs and 16 GiB of memory
  instanceSelector:
    vCPUs: 4
    memory: 16

iam:
  # IRSA requires an OIDC provider for the cluster
  withOIDC: true
  serviceAccounts:
  - metadata:
      name: ecr-poweruser
      # set namespace to your developer namespace
      namespace: $USER-dev
    attachPolicyARNs:
    - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
EOF
```

Finally, configure Garden to annotate your in-cluster pods with the correct Amazon Resource Name by following Garden's In-Cluster Building guide.


IAM users or roles need the following AWS permissions to interact with your EKS cluster:

- `eks:DescribeCluster`
- `eks:AccessKubernetesApi`

You can select these when creating the policy through the UI, or with this JSON version (replace `<arn identifier>` with the ARN of your cluster):

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster",
                "eks:AccessKubernetesApi"
            ],
            "Resource": "<arn identifier>"
        }
    ]
}
```
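Because this policy is hand-written, it is easy to end up with `eks:*` or a `Resource` of `*` instead of the two actions and the single cluster ARN the page describes. The following checker, added here as an example and not part of Garden's code, parses a policy document and reports anything broader than that; the cluster ARN and account ID in the sample policies are constructed.

```python
import json
import re

# Actions the page lists as required to interact with the cluster.
REQUIRED_ACTIONS = {"eks:DescribeCluster", "eks:AccessKubernetesApi"}
# Shape of an EKS cluster ARN: arn:aws:eks:<region>:<account-id>:cluster/<name>
CLUSTER_ARN_RE = re.compile(r"^arn:aws:eks:[a-z0-9-]+:\d{12}:cluster/[A-Za-z0-9][A-Za-z0-9_-]*$")


def _as_list(value):
    """IAM accepts a single string/object or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_eks_access_policy(policy_doc: str) -> list:
    """Return findings for anything broader than the page's policy; empty list means it is as tight."""
    policy = json.loads(policy_doc)
    findings = []
    statements = _as_list(policy.get("Statement"))
    if not statements:
        return ["policy has no Statement"]
    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            findings.append(f"{where}: Effect is {stmt.get('Effect')!r}, expected 'Allow'")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{where}: NotAction/NotResource grants more than intended")
        for action in _as_list(stmt.get("Action")):
            if action not in REQUIRED_ACTIONS:  # catches wildcards such as 'eks:*' too
                findings.append(f"{where}: unexpected action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if not CLUSTER_ARN_RE.match(resource):  # '*' and non-cluster ARNs fail here
                findings.append(f"{where}: resource {resource!r} is not a single EKS cluster ARN")
    return findings


# Constructed samples: the page's policy with a made-up cluster ARN, and a loose variant.
TIGHT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["eks:DescribeCluster", "eks:AccessKubernetesApi"],
    "Resource": "arn:aws:eks:eu-west-1:123456789012:cluster/alice-cluster"}]})
LOOSE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "eks:*", "Resource": "*"}]})

if __name__ == "__main__":
    print(check_eks_access_policy(TIGHT_POLICY))  # []
    print(check_eks_access_policy(LOOSE_POLICY))  # two findings: 'eks:*' and '*'
```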

You will also need a Kubernetes role and service account in the EKS cluster. This can be achieved with the aws-auth ConfigMap, which maps the IAM user or role to Kubernetes identities; the instructions are documented here. If you are interested in minimizing the permissions granted inside the cluster, please take a look at our Kubernetes RBAC guide.
