Control your EKS fleet with systems manager

How to use AWS Systems Manager to install agents or to configure your EKS worker nodes automatically.

Last updated 2 years ago

Customers that run self-hosted EKS clusters may need a way to manage their worker nodes for compliance, security, or for operational reasons. For example, you may need to install a monitoring agent on the EKS worker nodes to validate system configuration or to run vulnerability scans on each physical node in the cluster.

Release installs the AWS Systems Manager Agent (SSM Agent) on each node in advance so new clusters and nodes are available in the Fleet Manager and Operations Management section of AWS Systems Manager.

The AWS SSM Agent is fully audited, logged, and configurable inside your AWS account. In Systems Manager you create an SSM document that defines the installation or configuration steps to execute on each node. The document can be associated with a node, or with a set of nodes selected by tag, and executed ad hoc or on a recurring schedule. Documents can be shared across accounts and regions. You can create and manage these documents via the AWS Console, AWS CLI, Terraform, or any other method.

To enable AWS SSM Agent on your nodes:

  1. Create an SSM document to install or configure your nodes.

  2. Create a fleet association to match nodes (or apply to all nodes).

  3. Create a schedule to apply the document to your fleet at set intervals.

Example: Installing Vanta Agent

Here we install the Vanta Agent on each node in a cluster. These directions are general and you can use them to start any configuration or installation.

1. Create an SSM document

The SSM document is a YAML or JSON file that describes parameters, steps, and configuration options to apply to nodes. Example SSM documents are available in AWS.

Here we use the AWS default document called AWS-RunRemoteScript. This generic template is designed to download a script or file from GitHub or S3 and then execute it on either a Linux or Windows server.

For Linux, run the installation script from GitHub and supply an API key. For the Windows agent, download a signed version from the Vanta Agent website and store the binary in S3 for installation.

Specify the parameters of the source code that will be run in a later step.

    "sourceInfoLinux": {
      "description": "(Required) Specify the information required to access the resource from the source. If source type is GitHub, then you can specify any of the following: 'owner', 'repository', 'path', 'getOptions', 'tokenInfo'. If source type is S3, then you can specify 'path'.",
      "type": "StringMap",
      "displayType": "textarea",
      "default": {
        "owner": "VantaInc",
        "repository": "vanta-agent-scripts",
        "path": "install-linux.sh",
        "getOptions": "branch:master"
      }
    },
    "sourceInfoWindows": {
      "description": "(Required) Specify the information required to access the resource from the source. If source type is GitHub, then you can specify any of the following: 'owner', 'repository', 'path', 'getOptions', 'tokenInfo'. If source type is S3, then you can specify 'path'.",
      "type": "StringMap",
      "displayType": "textarea",
      "default": {
        "path": "https://s3.amazonaws.com/our-example-bucket/ourVantaAgent/vantaagent.exe"
      }
    }

Specify the command line that will be used in the Linux or Windows installation. The Vanta key is pulled from Parameter Store (or Secrets Manager) at run time through the {{ssm:...}} reference in the parameters section, so the key itself is never stored in the document.

    "commandLineLinux": {
      "description": "(Required) Specify the command line to be executed. The following formats of commands can be run: 'pythonMainFile.py argument1 argument2', 'ansible-playbook -i \"localhost,\" -c local example.yml'",
      "type": "String",
      "default": "VANTA_KEY={{ssm:/admin/vanta/vanta_key}} ./install-linux.sh"
    },
    "commandLineWindows": {
      "description": "(Required) Specify the command line to be executed. The following formats of commands can be run: 'pythonMainFile.py argument1 argument2', 'ansible-playbook -i \"localhost,\" -c local example.yml'",
      "type": "String",
      "default": "vantaagent.exe"
    }

Set a temporary working folder for the installation, and declare the executionTimeout parameter that the run steps below reference.

    "workingDirectoryLinux": {
      "type": "String",
      "default": "/tmp",
      "description": "(Optional) The path where the content will be downloaded and executed from on your instance.",
      "maxChars": 4096
    },
    "workingDirectoryWindows": {
      "type": "String",
      "default": "${env:TEMP}",
      "description": "(Optional) The path where the content will be downloaded and executed from on your instance.",
      "maxChars": 4096
    },
    "executionTimeout": {
      "type": "String",
      "default": "3600",
      "description": "(Optional) The time in seconds for a command to be completed before it is considered to have failed. Default is 3600 (1 hour)."
    }

The main steps download the content and then run the installer. Each step is gated by a platformType precondition so only the matching Linux or Windows branch executes, and each run step first checks whether the agent is already installed and running, which keeps the document safe to re-apply on a schedule.

    "mainSteps": [
      {
        "precondition": {
          "StringEquals": [
            "platformType",
            "Linux"
          ]
        },
        "action": "aws:downloadContent",
        "name": "downloadContentLinux",
        "inputs": {
          "sourceType": "GitHub",
          "sourceInfo": "{{ sourceInfoLinux }}",
          "destinationPath": "{{ workingDirectoryLinux }}"
        }
      },
      {
        "precondition": {
          "StringEquals": [
            "platformType",
            "Windows"
          ]
        },
        "action": "aws:downloadContent",
        "name": "downloadContentWindows",
        "inputs": {
          "sourceType": "S3",
          "sourceInfo": "{{ sourceInfoWindows }}",
          "destinationPath": "{{ workingDirectoryWindows }}"
        }
      },
      {
        "precondition": {
          "StringEquals": [
            "platformType",
            "Windows"
          ]
        },
        "action": "aws:runPowerShellScript",
        "name": "runPowerShellScript",
        "inputs": {
          "runCommand": [
            "",
            "$installed = (Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Where { $_.DisplayName -match 'Vanta' }) -ne $null",
            "",
            "If(-Not $installed) {",
            "  {{ commandLineWindows }}",
            "}",
            ""
          ],
          "workingDirectory": "{{ workingDirectoryWindows }}",
          "timeoutSeconds": "{{ executionTimeout }}"
        }
      },
      {
        "precondition": {
          "StringEquals": [
            "platformType",
            "Linux"
          ]
        },
        "action": "aws:runShellScript",
        "name": "runShellScriptLinux",
        "inputs": {
          "runCommand": [
            "",
            "if ! sudo yum list installed vanta || ! sudo service vanta.service status",
            "then",
            "  {{ commandLineLinux }}",
            "fi",
            ""
          ],
          "workingDirectory": "{{ workingDirectoryLinux }}",
          "timeoutSeconds": "{{ executionTimeout }}"
        }
      }
    ]

2. Create a Fleet Association

You can select nodes by tag keys and values as in the table below. The simplest choice is to target "all" instances, or you can choose Resource Groups (see the AWS documentation). We don't recommend selecting instances manually, because nodes that join the cluster later would be missed.

Here are some common tags for EKS clusters:

    Selection Criterion                 Tag Key                         Tag Value
    Any EKS worker node                 alpha.eksctl.io/cluster-name    (any value)
    Only nodes in a specific cluster    alpha.eksctl.io/cluster-name    <your-cluster-name>
    Nodes marked production             VantaOwner                      admin@you.com

3. Create a Schedule

You can use a cron-style schedule so the State Manager association re-applies the document:

  • to any nodes added to your cluster,

  • if the application somehow uninstalls, or

  • if the application stops working.

This keeps all nodes up to date as they are added, removed, or changed.

Specify a logging bucket

You can log the output and executions in any logging bucket.

Check it's working

After the first scheduled run you can inspect the command output in your S3 logging bucket. You can also view progress and events in the SSM Inventory dashboard or in the State Manager History section.
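The three steps above (document, tag-based association, schedule with S3 logging) as one runnable Python script. This is an added example, not Release's or AWS's own code: it mirrors the document fragments on this page condensed to the Linux path, and builds the CreateDocument content and the CreateAssociation request as plain dicts so it runs offline. The document name, cluster name, log bucket and the /admin/vanta/vanta_key Parameter Store path are constructed placeholders. It also lints the document before you upload it, catching the undeclared-parameter typo, a run step missing its platformType precondition, and a key pasted literally into a default instead of referenced through {{ssm:...}}.

```python
"""Assemble, lint and target an SSM command document for EKS worker nodes.

Added example, not Release's or AWS's own code. Document and cluster names,
the log bucket and the Parameter Store path are constructed placeholders.
"""
import json
import re

PARAM_REF = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")   # {{ name }} document parameters
LITERAL_KEY = re.compile(r"[A-Z_]*KEY=(?!\{\{\s*ssm:)\S+")  # KEY=value that is not an ssm: reference
RUN_ACTIONS = {"aws:runShellScript", "aws:runPowerShellScript"}

# Constructed parameters, condensed from the fragments shown on the page.
PARAMETERS = {
    "sourceInfoLinux": {"type": "StringMap", "default": {
        "owner": "VantaInc", "repository": "vanta-agent-scripts",
        "path": "install-linux.sh", "getOptions": "branch:master"}},
    "commandLineLinux": {"type": "String",
        "default": "VANTA_KEY={{ssm:/admin/vanta/vanta_key}} ./install-linux.sh"},
    "workingDirectoryLinux": {"type": "String", "default": "/tmp"},
    "executionTimeout": {"type": "String", "default": "3600"},
}

# Download the installer, then run it only if the agent is missing or stopped.
MAIN_STEPS = [
    {"action": "aws:downloadContent", "name": "downloadContentLinux",
     "precondition": {"StringEquals": ["platformType", "Linux"]},
     "inputs": {"sourceType": "GitHub", "sourceInfo": "{{ sourceInfoLinux }}",
                "destinationPath": "{{ workingDirectoryLinux }}"}},
    {"action": "aws:runShellScript", "name": "runShellScriptLinux",
     "precondition": {"StringEquals": ["platformType", "Linux"]},
     "inputs": {"runCommand": [
                    "if ! sudo yum list installed vanta || ! sudo service vanta.service status",
                    "then", "  {{ commandLineLinux }}", "fi"],
                "workingDirectory": "{{ workingDirectoryLinux }}",
                "timeoutSeconds": "{{ executionTimeout }}"}},
]


def build_document(parameters=PARAMETERS, main_steps=MAIN_STEPS):
    """Wrap parameters and steps in the schemaVersion 2.2 command-document envelope."""
    return {"schemaVersion": "2.2",
            "description": "Install the Vanta Agent on nodes where it is missing",
            "parameters": parameters, "mainSteps": main_steps}


def lint_document(doc):
    """Return a list of problems (empty means the document is consistent).

    Checks that every {{ name }} used in mainSteps is a declared parameter
    (the kind of typo that otherwise only fails at run time), that every run
    step is gated on platformType so Linux and Windows bodies cannot cross
    over, and that no KEY=value literal is embedded in a default: anyone with
    ssm:GetDocument can read the document, so secrets belong in {{ssm:...}}.
    """
    problems = []
    declared = set(doc.get("parameters", {}))
    for step in doc.get("mainSteps", []):
        for ref in sorted(set(PARAM_REF.findall(json.dumps(step["inputs"])))):
            if ref not in declared:
                problems.append(f"{step['name']}: undeclared parameter {{{{ {ref} }}}}")
        pre = step.get("precondition", {}).get("StringEquals", [])
        if step["action"] in RUN_ACTIONS and pre[:1] != ["platformType"]:
            problems.append(f"{step['name']}: run step lacks a platformType precondition")
    for name, spec in doc.get("parameters", {}).items():
        if LITERAL_KEY.search(json.dumps(spec.get("default", ""))):
            problems.append(f"parameter {name}: literal secret in default, use an {{{{ssm:...}}}} reference")
    return problems


def build_association(document_name, cluster_name, log_bucket, schedule="rate(30 minutes)"):
    """Build the State Manager CreateAssociation request for one cluster.

    Nodes are selected by the eksctl cluster tag from the page's table, the
    document is re-applied on the schedule (State Manager accepts nothing
    shorter than 30 minutes), and every invocation's output lands in S3.
    """
    m = re.fullmatch(r"rate\((\d+) minutes?\)", schedule)
    if m and int(m.group(1)) < 30:
        raise ValueError("State Manager rate() schedules must be at least 30 minutes")
    return {
        "Name": document_name,
        "AssociationName": f"{document_name}-{cluster_name}",
        "Targets": [{"Key": "tag:alpha.eksctl.io/cluster-name", "Values": [cluster_name]}],
        "ScheduleExpression": schedule,
        "ComplianceSeverity": "HIGH",
        "OutputLocation": {"S3Location": {"OutputS3BucketName": log_bucket,
                                          "OutputS3KeyPrefix": f"ssm/{document_name}"}},
    }


if __name__ == "__main__":
    doc = build_document()
    print(json.dumps(doc, indent=2))        # content for: aws ssm create-document --content file://doc.json
    print(lint_document(doc) or "document is clean")
    print(json.dumps(build_association("InstallVantaAgent", "my-eks-cluster", "my-ssm-logs"), indent=2))
```

Write the first JSON blob to a file and pass it to `aws ssm create-document --content file://doc.json --document-type Command --name InstallVantaAgent`; the second blob is the argument set for `aws ssm create-association` (or boto3's `create_association`). Running the lint before upload is the cheap way to catch a placeholder typo such as `workingDirectoryWindwos`, which SSM would otherwise surface only as a failed invocation on every node in the fleet.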

References

To associate the SSM document with nodes in your cluster, follow the association guide in the AWS documentation.

  • Vanta Agent
  • AWS default document called AWS-RunRemoteScript
  • association guide
  • How to write an SSM document
  • SSM Document Syntax
  • Creating SSM Documents
  • Running shell scripts on SSM instances
  • Creating a State Manager Association
  • Specify a schedule for your association
  • Verify the installation and executions