- Load Balancers: Launches an AWS Elastic Load Balancer (ELB) when choosing `Layer-4 Load Balancer` in Port Mapping or when launching a Service with `type: LoadBalancer`.
- Persistent Volumes: Allows you to use AWS Elastic Block Stores (EBS) for persistent volumes.
See for all information regarding the Amazon cloud provider.
To set up the Amazon cloud provider,
All nodes added to the cluster must be able to interact with EC2 so that they can create and remove resources. You can enable this interaction by using an IAM role attached to the instance. See the Amazon documentation, Creating an IAM Role, for how to create an IAM role. There are two example policies:
- The first policy is for the nodes with the `controlplane` role. These nodes have to be able to create/remove EC2 resources. The following IAM policy is an example; please remove any unneeded permissions for your use case.
- The second policy is for the nodes with the `etcd` or `worker` role. These nodes only have to be able to retrieve information from EC2.
While creating an , you must fill in the IAM Instance Profile Name (not ARN) of the created IAM role when creating the Node Template.
IAM Policy for nodes with the `controlplane` role:
IAM policy for nodes with the `etcd` or `worker` role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:DescribeRepositories",
        "ecr:ListImages"
      ],
      "Resource": "*"
    }
  ]
}
```
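The etcd/worker policy above is meant to stay read-only, and a trailing comma in the `Action` list (a common copy-paste slip) makes IAM reject the document outright. The following script is an added example, not Rancher's own tooling: it parses a policy document, confirms it is valid JSON, and reports any `Allow` action that is not a read-only verb (`Describe*`, `Get*`, `List*`, `BatchCheck*`, `BatchGet*`), any wildcard, and any `NotAction` statement. The `"Version"`/`"Statement"` wrapper is the standard IAM document shape; the drifted and malformed policies are constructed for demonstration.

```python
"""Lint a node IAM policy for read-only scope.

Added example, not Rancher's own tooling. It assumes the standard IAM policy
document shape ("Version"/"Statement"); the drifted and malformed documents
below are constructed for demonstration.
"""
import json

# Read-only verbs. Any other verb in an Allow statement on an etcd/worker node
# grants more than "retrieve information from EC2" and is reported.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "BatchCheck", "BatchGet")

# The page's etcd/worker policy, wrapped in the standard document fields.
WORKER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeInstances",
            "ec2:DescribeRegions",
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:DescribeRepositories",
            "ecr:ListImages",
        ],
        "Resource": "*",
    }],
})

# Constructed drift: a worker policy that picked up a write and a wildcard action.
DRIFTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "ec2:CreateSecurityGroup", "ecr:*"],
        "Resource": "*",
    }],
})

# Constructed malformed document: trailing comma after the last action.
MALFORMED_POLICY = (
    '{"Statement": [{"Effect": "Allow", '
    '"Action": ["ec2:DescribeRegions",], "Resource": "*"}]}'
)


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_valid_policy_json(text):
    """True if the document parses as JSON (IAM rejects trailing commas too)."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def find_non_read_only_actions(policy_json):
    """Return actions in Allow statements that are not provably read-only.

    Wildcards are reported because they cannot be proven read-only, and a
    statement using NotAction is reported as a whole because it allows
    everything except the listed actions.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction statement")
            continue
        for action in _as_list(stmt.get("Action", [])):
            _service, _, verb = action.partition(":")
            if "*" in action or not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(action)
    return findings


if __name__ == "__main__":
    for name, doc in (("worker", WORKER_POLICY), ("drifted", DRIFTED_POLICY)):
        print(name, find_non_read_only_actions(doc))
    print("malformed parses:", is_valid_policy_json(MALFORMED_POLICY))
```

Run it against the policy you are about to attach to the etcd/worker instance profile; an empty findings list means every allowed action only reads EC2 or ECR state. Keep the controlplane policy out of this check, since those nodes legitimately need create/remove permissions.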
The following resources need to be tagged with a `ClusterID`:
- Nodes: All hosts added in Rancher.
- Security Group: The security group used for your cluster.
Use the following tag:
Key = kubernetes.io/cluster/CLUSTERID
Value = owned
`CLUSTERID` can be any string you like, as long as it is the same across all tags set.
Setting the value of the tag to `owned` tells the cluster that all resources with this tag are owned and managed by this cluster. If you share resources between clusters, you can change the tag to:
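A single node or security group with a missing, mistyped, or differently-named cluster tag is enough for the cloud provider to ignore that resource. The following checker is an added example, not Rancher's code: it takes resources in the shape of the `Tags` lists that `aws ec2 describe-instances` and `describe-security-groups` return, extracts every `kubernetes.io/cluster/<id>` tag, and reports untagged resources, resources tagged for more than one cluster, unexpected values, and cluster IDs that differ across the set. The sample resource IDs are constructed placeholders. Besides `owned`, the value the page prescribes, it accepts `shared`, the other value the Kubernetes AWS cloud provider recognizes for resources used by several clusters.

```python
"""Check that every cluster resource carries one consistent cluster tag.

Added example, not Rancher's code. Input is a list of resources in the shape
of the "Tags" lists returned by `aws ec2 describe-instances` and
`aws ec2 describe-security-groups`; the resource IDs below are constructed.
"""
import re

TAG_KEY_RE = re.compile(r"^kubernetes\.io/cluster/(?P<cluster_id>.+)$")
# "owned" is the value the page prescribes; "shared" is the other value the
# Kubernetes AWS cloud provider recognizes for resources used by several clusters.
VALID_VALUES = {"owned", "shared"}

# Constructed sample: two nodes and the cluster security group, all tagged.
SAMPLE_RESOURCES = [
    {"id": "i-0aaa111", "tags": [
        {"Key": "kubernetes.io/cluster/rancher-prod", "Value": "owned"},
        {"Key": "Name", "Value": "cp-1"},
    ]},
    {"id": "i-0bbb222", "tags": [
        {"Key": "kubernetes.io/cluster/rancher-prod", "Value": "owned"},
    ]},
    {"id": "sg-0ccc333", "tags": [
        {"Key": "kubernetes.io/cluster/rancher-prod", "Value": "owned"},
    ]},
]


def cluster_tags(resource):
    """Return {cluster_id: value} for every kubernetes.io/cluster/* tag on one resource."""
    found = {}
    for tag in resource.get("tags", []):
        match = TAG_KEY_RE.match(tag.get("Key", ""))
        if match:
            found[match.group("cluster_id")] = tag.get("Value")
    return found


def check_cluster_tags(resources):
    """Return (cluster_id, problems).

    cluster_id is the single ID shared by all tagged resources, or None when
    the resources disagree or none is tagged. problems lists every deviation.
    """
    problems = []
    ids = set()
    for res in resources:
        tags = cluster_tags(res)
        if not tags:
            problems.append(f"{res['id']}: missing kubernetes.io/cluster/<CLUSTERID> tag")
            continue
        if len(tags) > 1:
            problems.append(f"{res['id']}: tagged for multiple clusters {sorted(tags)}")
        for cid, value in tags.items():
            ids.add(cid)
            if value not in VALID_VALUES:
                problems.append(
                    f"{res['id']}: value {value!r} for cluster {cid!r} is not owned/shared"
                )
    if len(ids) > 1:
        problems.append(f"cluster IDs differ across resources: {sorted(ids)}")
    cluster_id = next(iter(ids)) if len(ids) == 1 else None
    return cluster_id, problems


if __name__ == "__main__":
    cid, problems = check_cluster_tags(SAMPLE_RESOURCES)
    print("cluster id:", cid)
    for line in problems or ["no tag problems found"]:
        print(line)
```

Feed it the real `Tags` lists for every host added in Rancher plus the cluster security group; the run should report one cluster ID and no problems before you create the cluster.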
The kubelet component can automatically obtain ECR credentials when the IAM profile described in Create an IAM Role and attach to the instances is attached to the instance(s). When using a Kubernetes version older than v1.15.0, the Amazon cloud provider needs to be configured in the cluster. Starting with Kubernetes version v1.15.0, the kubelet can obtain ECR credentials without having the Amazon cloud provider configured in the cluster.