Creating a Service Account for the EBS CSI Driver on EKS

When using Kubernetes EKS v1.23 or higher with Amazon FSx or EFS, you need to configure a few management and security updates for the EBS CSI driver. The steps below will:

  • Create a service account named ebs-csi-controller-sa in the kube-system namespace of your Kubernetes (EKS) cluster.
  • Assign that service account an IAM role that contains the relevant permissions (IAM roles for service accounts, IRSA).

This is not required if you deployed an EKS cluster v1.23 or higher using the Sisense script described in Deployment Script for Sisense on Amazon EKS.
If you used the script to deploy an older version of EKS and then upgraded to v1.23 or higher, you must perform the instructions on this page.


The following are required before performing the steps to set up your management and security updates:

  • An EKS cluster running version 1.23 or higher must be deployed on AWS.
  • From a Bash shell, you need to be authenticated to your AWS account, with the AWS CLI installed and configured (the steps below run aws and eksctl commands).
  • You need to be connected to your EKS cluster. That is, you need to be able to run kubectl commands on it.
  • The eksctl binary must be installed. You can install it as follows. Because the snippet pipes a downloaded archive straight into tar and then moves the binary into /usr/local/bin as root, verify the archive against the checksum published with the eksctl release before trusting it:
    ## Installing eksctl
    if ! command -v eksctl &> /dev/null; then
        # Download and unpack the eksctl release archive for this OS
        curl --silent --location "$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
        sudo mv /tmp/eksctl /usr/local/bin
        # Load Bash completion for eksctl (ignored if completion is unavailable)
        source <(eksctl completion bash) 2>/dev/null
    fi

Configuring the Management and Security Updates via the Sisense Script

The management and security updates can be installed via the Sisense script.

# export CLUSTER=<your EKS cluster name>
# Example below:
export CLUSTER=my-eks-cluster

curl --create-dirs --output ./ebs-csi-driver/
chmod 755 ./ebs-csi-driver/
./ebs-csi-driver/ ${CLUSTER}

Configuring the Management and Security Updates Manually

To configure the management and security updates manually:

  1. Set up your variables, and download the policy document JSON file. The namespace and service account name are fixed because the EBS CSI driver expects exactly these values:
    # Must be "kube-system" hard coded
    namespace=kube-system

    # Must be "ebs-csi-controller-sa" hard coded
    service_account=ebs-csi-controller-sa

    eks_name=<your EKS cluster name>
    policy_name=<whichever IAM Policy name you wish to create>
    role_name=<whichever IAM Role name you wish to create>
    policy_file=<path where the downloaded policy JSON file will be saved>

    # AWS account ID of the current credentials
    account_id=$(aws sts get-caller-identity --query "Account" --output text)
    # OIDC issuer of the cluster, without the https:// scheme (IAM refers to it by host/path)
    oidc_provider=$(aws eks describe-cluster --name ${eks_name} --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")

    curl --create-dirs --output ${policy_file}
  2. Create the IAM OIDC provider for your EKS cluster via the command:
    eksctl utils associate-iam-oidc-provider --cluster ${eks_name} --approve
  3. Create the service account in your Kubernetes cluster via the command:
    kubectl create serviceaccount ${service_account} -n ${namespace}
  4. Add the Helm ownership labels and annotations to the service account, so that the aws-ebs-csi-driver Helm release in kube-system can adopt the pre-existing object instead of failing because it is not managed by Helm:
    kubectl -n ${namespace} label sa ${service_account} \
      app.kubernetes.io/managed-by=Helm \
      app.kubernetes.io/name=aws-ebs-csi-driver

    kubectl -n ${namespace} annotate sa ${service_account} \
      meta.helm.sh/release-name=aws-ebs-csi-driver \
      meta.helm.sh/release-namespace=kube-system
  5. Create the IAM policy in AWS, with the permissions from the policy JSON file via the command:
    aws iam create-policy --policy-name ${policy_name} --policy-document file://${policy_file}
  6. Create the trust relationship document by copying the text below and pasting it in your Bash shell. Note that this condition only checks the audience of the projected service account token; AWS also recommends restricting the subject claim to the specific service account, otherwise any pod in the cluster can present its token and assume the role:
    cat >${PWD}/trust-relationship.json <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "${oidc_provider}:aud": ""
            }
          }
        }
      ]
    }
    EOF
  7. Create the IAM role in AWS, using the trust relationship to the OIDC provider above as its assume-role policy, via the command:
    aws iam create-role --role-name ${role_name} --assume-role-policy-document file://${PWD}/trust-relationship.json --description "eks-ebs-driver for EKS cluster"
  8. Attach the IAM policy to the IAM role you just created via the command:
    aws iam attach-role-policy --role-name ${role_name} --policy-arn=arn:aws:iam::${account_id}:policy/${policy_name}
  9. Bind the IAM role to the service account with the eks.amazonaws.com/role-arn annotation, which is what makes the EKS pod identity webhook inject the role into the driver's pods, via the command:
    kubectl annotate serviceaccount -n ${namespace} ${service_account} eks.amazonaws.com/role-arn=arn:aws:iam::${account_id}:role/${role_name}

Verifying that the Service Account is Configured Correctly

To verify that the service account is configured correctly, run the command:
kubectl -n kube-system get serviceaccount ebs-csi-controller-sa -o yaml

If the service account is configured correctly, you should see output that is similar to the following:

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/your-iam-role-name
    meta.helm.sh/release-name: aws-ebs-csi-driver
    meta.helm.sh/release-namespace: kube-system
  creationTimestamp: "2022-10-03T14:31:43Z"
  labels:
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: aws-ebs-csi-driver
  name: ebs-csi-controller-sa
  namespace: kube-system
  resourceVersion: "2998"
  uid: 2d13f618-e88f-40b8-8f14-742897467b5c
secrets:
- name: ebs-csi-controller-sa-token-nhxd5
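The trust relationship from step 6 and the verification above, as an added shell example that is not part of the Sisense page or of the aws-ebs-csi-driver project: make_trust_policy builds a trust policy that, beyond the audience check, also pins the token subject to the one service account; trust_policy_is_scoped flags a policy that checks only the audience; check_role_annotation inspects a ServiceAccount manifest for the expected role-arn annotation. The function names are this example's own, sts.amazonaws.com is the standard IRSA audience, and the account ID, OIDC issuer path and manifest used in the demo are constructed sample inputs, so the script runs without AWS or cluster access.

```shell
#!/usr/bin/env bash
# Added example, not part of the Sisense page: build a scoped IRSA trust policy
# and check a ServiceAccount manifest for the role-arn annotation. Everything
# works on plain strings, so it runs without AWS or cluster access.
set -eu

# Emit a trust policy for ACCOUNT_ID / OIDC_PROVIDER / NAMESPACE / SERVICE_ACCOUNT.
# On top of the "aud" check the page shows, it pins "sub" to one service account;
# without that, any pod in the cluster could present its token and assume the role.
make_trust_policy() {
  local account_id=$1 oidc_provider=$2 namespace=$3 service_account=$4
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${oidc_provider}:aud": "sts.amazonaws.com",
          "${oidc_provider}:sub": "system:serviceaccount:${namespace}:${service_account}"
        }
      }
    }
  ]
}
EOF
}

# Return 0 when a trust policy pins both the audience and a service-account
# subject; a policy that only checks "aud" trusts every pod in the cluster.
trust_policy_is_scoped() {
  local policy=$1
  printf '%s\n' "$policy" | grep -q '"[^"]*:aud": "sts.amazonaws.com"' &&
    printf '%s\n' "$policy" | grep -q '"[^"]*:sub": "system:serviceaccount:[^"]*:[^"]*"'
}

# Return 0 when a ServiceAccount manifest (as printed by `kubectl get sa -o yaml`)
# carries eks.amazonaws.com/role-arn with exactly the expected role ARN.
check_role_annotation() {
  local manifest=$1 expected_arn=$2
  local found
  found=$(printf '%s\n' "$manifest" | sed -n 's|^[[:space:]]*eks\.amazonaws\.com/role-arn:[[:space:]]*||p')
  [ "$found" = "$expected_arn" ]
}

# Constructed sample manifest (not captured from a real cluster).
SAMPLE_SA_YAML='apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/your-iam-role-name
  name: ebs-csi-controller-sa
  namespace: kube-system'

# Stand-alone demo; the account ID and OIDC issuer path are made-up values.
demo() {
  local policy
  policy=$(make_trust_policy 123456789012 oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789 kube-system ebs-csi-controller-sa)
  printf '%s\n' "$policy"
  if trust_policy_is_scoped "$policy"; then
    echo "trust policy is scoped to kube-system/ebs-csi-controller-sa"
  fi
  if check_role_annotation "$SAMPLE_SA_YAML" "arn:aws:iam::123456789012:role/your-iam-role-name"; then
    echo "role-arn annotation matches"
  fi
}
demo
```

To use it against a real cluster, feed check_role_annotation the output of the kubectl get serviceaccount command above and the ARN you expect, and compare the policy make_trust_policy prints with what aws iam get-role returns for the role.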

If all is correct, continue with the Sisense installation or upgrade.