Install on AWS EKS
This guide provides step-by-step instructions to install the Secure Agent on an Amazon Elastic Kubernetes Service (AWS EKS) cluster.
System requirements
To deploy the Secure Agent on AWS EKS, ensure the following system requirements are met:
-
Configure network access between your Secure Agent and Atlan tenant. For more information, see Whitelisting Secure Agent.
-
You need Kubernetes version 1.19 or higher.
-
You need to install Helm and kubectl on the machine you're using to connect to the AWS EKS cluster.
-
You need at least 1 node for base services with a disk space of 20 GB and instance configuration as below:
Environment Minimum instance type Recommended instance type Production t3.large Custom based on workload Non-production t3.large t3.xlarge info💪 Did you know? For optimal autoscaling, scale nodes based on the number of concurrent workflows.
Permissions required
Before installing the Secure Agent, make sure the following permissions are in place:
Permissions for the Installer
The user, service or system account performing the installation needs access to the EKS cluster and permissions to manage Custom Resource Definitions (CRDs).
-
Ensure the kubeconfig is correctly configured for your target EKS cluster. If needed, use the following command to configure or update your kubeconfig file.
aws eks update-kubeconfig --region ``<region>`` --name ``<cluster-name>``- Replace
<region>with your AWS region (for example, us-east-1) and<cluster-name>with the name of your EKS cluster.
- Replace
-
The installer needs permission to create, update, and delete Custom Resource Definitions (CRDs). If not using the cluster-admin role, grant the following:
-
Create a file named
agent-crd-permissions.yamlon your machine. -
Copy the following content into the file:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
# Use a descriptive name
name: helm-crd-installer-role
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
# Recommended verbs for Helm CRD management
verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
# Use a descriptive name
name: helm-crd-installer-binding
subjects:
# *** IMPORTANT: Modify this section based on who is running Helm ***
# Choose ONE of the following options and replace placeholders.
# Option 1: Bind to a specific User
- kind: User
name: "your-kubernetes-username" # Replace with the installing user's K8s username recognized by the cluster
apiGroup: rbac.authorization.k8s.io
# Option 2: Bind to a specific Group
# - kind: Group
# name: "your-kubernetes-groupname" # Replace with the installing user's K8s group name
# apiGroup: rbac.authorization.k8s.io
# Option 3: Bind to a Service Account (e.g., for CI/CD pipelines)
# - kind: ServiceAccount
# name: "installer-sa-name" # Replace with the installer SA's name
# namespace: "installer-sa-namespace" # Replace with the installer SA's namespace
roleRef:
# This refers to the ClusterRole created above
kind: ClusterRole
name: helm-crd-installer-role
apiGroup: rbac.authorization.k8s.ioFollow the comments in the file to replace the placeholders. In the above file:
- Resource:
customresourcedefinitions- needed for managing CRDs in the cluster. - API Group:
apiextensions.k8s.io- required to work with CRDs. - Verbs: create, get, list, update, delete - necessary for installing, inspecting, updating, and cleaning up CRDs using Helm.
- ClusterRoleBinding: needed to assign the role to the user or group performing the installation.
- Once you’ve updated the placeholders, use the below
kubectlcommand to apply the configuration:
- Resource:
-
Once you’ve updated the placeholders, use the below kubectl command to apply the configuration:
kubectl apply -f agent-crd-permissions.yaml
Permissions for the Secure Agent Pod (Runtime)
The Secure Agent runs as pods in your EKS cluster and requires permissions to interact with AWS services like S3. These permissions are granted through IAM Roles for Service Accounts (IRSA).
-
Create a new IAM role for the Secure Agent pod.
-
Configure the trust policy to enable the Secure Agent’s Kubernetes service account to assume the role. Make sure the argo-workflow service account exists in the same namespace where you plan to install the agent. For more information, see the AWS documentation on IAM roles for service accounts (IRSA).
-
Example: Trust policy for the argo-workflow service account:
"Condition": {
"StringEquals": {
":sub": "system:serviceaccount::argo-workflow"
}
}Replace
<namespace>with the namespace where you plan to install agent. -
Create an S3 bucket (or use an existing one), and attach the following permissions to the IAM role used by the Secure Agent:
s3:PutObject: Needed to write logs and artifactss3:GetObject: Needed to read logs and artifacts.s3:ListBucket: Needed by Argo artifact repository for listing objects.
-
The Helm chart automatically configures the necessary Kubernetes RBAC for Argo Workflows, which the Secure Agent uses. No additional configuration is required for the Secure Agent pod..
Prerequisites
Before proceeding, complete the following setup steps to prepare your Atlan tenant and AWS EKS cluster.
Configure Atlan tenant
In your Atlan tenant:
- Sign in as an Atlan admin.
- Go to Admin from the left menu.
- Under Workspace, click Labs.
- Navigate to Workflow Center.
- Enable the Crawl assets using Secure Agent toggle.
Configure Secure Agent settings
The agent_config_values.yaml file is used to configure the Secure Agent, Argo Workflows, and storage for the AWS EKS cluster. Follow these instructions on the machine where you're performing the installation.
-
Create a file named
agent_config_values.yamlfile. -
Copy the configuration below into the file:
# -----------------------------------------------------------------------------------------
# Agent core settings - Follow the comments to update:
# 1. Image registry settings - To be updated only if you are using a private image registry
# 2. Atlan connection settings - To be updated only if you want agent to use the S3 bucket
# 3. Argo Private repository settings - To be updated only if you are using private repository for Argo workflows
# 4. Kubernetes Pod Annotation settings - To be updated only if you want to customize the Kubernetes pod’s metadata
# 5. Argo Private repository settings - To be updated only if you are using private repository for Argo workflows
# 6. S3 storage settings - To be updated with S3 bucket details.
# -----------------------------------------------------------------------------------------
agent:
enabled: true
enableStorageProxy: false
ca:
crt: ""
#Provide a base64-encoded string of a JSON object, e.g., {"client_id": 123, "client_secret": 1243}.
#Set this only if you need to include custom headers in API calls made by the agent.
restAPIHeaders: ""
versions:
k3s: ""
k8s: ""
helm: ""
# 1. Image Registry Settings
image:
# Only update if you're using a private image registry
registry: "public.ecr.aws"
repository: "atlanhq"
# Only update if you're using custom images
restImageName: "rest-2"
restImageTag: "1.0"
# Only update if you're using custom images
jdbcImageName: "jdbc-metadata-extractor-with-jars"
jdbcImageTag: "1.0"
# Only update if you're using custom images
credentialImageName: "connector-auth"
credentialImageTag: "1.0"
# Only update if you're using custom images
csaScriptsImageName: "marketplace-csa-scripts"
csaScriptsImageTag: "1.0"
# Marketplace scripts image details - keep these values as is unless using custom images
marketplaceScriptsImageName: "marketplace-scripts-agent"
marketplaceScriptsImageTag: "1.0"
pullPolicy: IfNotPresent
pullSecrets: [] # Add pull secrets if using private registry
annotations: {}
labels: {}
serviceAccountName: ""
automountServiceAccountToken: true
resources: {}
# 2. Atlan connection settings - Only update if you want to agent to use the S3 bucket
atlan:
argoToken: ""
vaultEnvEnabled: false
# Set to true only if the agent should store metadata
# in your bucket instead of sending it to Atlan via presigned URL.
useAgentBucket: false
metadataBucket: ""
persistentVolume:
scripts:
enabled: false
data:
enabled: false
minio:
enabled: false
argo-workflows:
images:
pullPolicy: IfNotPresent
pullSecrets: []
crds:
install: true
keep: true
annotations: {}
singleNamespace: true
workflow:
serviceAccount:
create: true
rbac:
create: true
controller:
# 3. Argo Private repository settings - Only update if you are using a private image repository for Argo
image:
# update the private image repository details
registry: quay.io
repository: argoproj/workflow-controller
tag: ""
parallelism: 10
resourceRateLimit:
limit: 10
burst: 5
rbac:
create: true
secretWhitelist: []
accessAllSecrets: false
writeConfigMaps: false
configMap:
create: true
name: ""
namespaceParallelism: 10
workflowDefaults:
# 4. Kubernetes Pod Annotation settings - Only update if you want to customize the Pod metadata.
## For example, the annotation might be used by external systems such as proxies, or monitoring tools, and more.
spec:
podMetadata:
annotations:
argo.workflow/agent-type: "atlan-agent-service"
labels:
app.kubernetes.io/name: "atlan-agent"
podGC:
strategy: OnPodSuccess
serviceAccountName: argo-workflow
automountServiceAccountToken: true
ttlStrategy:
secondsAfterCompletion: 84600
templateDefaults:
container:
securityContext:
allowPrivilegeEscalation: false
resources: {}
env:
- name: CA_CERT
valueFrom:
configMapKeyRef:
name: cert-config
key: ca.crt
optional: true
- name: REST_API_HEADERS
valueFrom:
configMapKeyRef:
name: agent-registry-settings
key: restAPIHeaders
optional: true
serviceAccount:
create: true
name: workflow-controller
workflowNamespaces:
- default
replicas: 1
revisionHistoryLimit: 10
nodeEvents:
enabled: false
server:
enabled: true
# 5. Argo Private repository settings - Only update if you are using a private image repository for Argo
image:
registry: quay.io
repository: argoproj/argocli
tag: ""
rbac:
create: true
serviceAccount:
create: true
replicas: 1
autoscaling:
enabled: false
ingress:
enabled: false
annotations:
ingress.kubernetes.io/ssl-redirect: "false"
resources: {}
executor:
securityContext: {}
resources: {}
artifactRepository:
archiveLogs: true
useStaticCredentials: false
# 6. S3 bucket settings - needed by the secure agent to store logs and artifacts
s3:
# S3 bucket name - Update with the bucket name you created in the Permissions required section.
bucket: "atlan--bucket"
# S3 endpoint
endpoint: "s3.us-east-2.amazonaws.com"
# AWS region - Update with the region where you created bucket in the Permissions required section.
region: "us-east-2"
# Artifact path format
keyFormat: "argo-artifacts/{{workflow.namespace}}/{{workflow.name}}/{{pod.name}}"
# Whether to use insecure connections
insecure: false
# Use AWS SDK credentials (IAM role)
useSDKCreds: true -
In the configuration file, follow the comments to replace the necessary attributes. You may want to update the below configurations if:
- You are using a private image registry (Image registry settings)
- You want the agent to use an S3 bucket (Atlan connection settings)
- You are using a private repository for Argo workflows (Argo Private repository settings)
- You want to customize the Kubernetes pod's metadata (Kubernetes Pod Annotation settings)
- You need specific S3 storage configuration (S3 storage settings)
Install using Helm chart
Follow these steps to install the Secure Agent and its dependencies into your AWS EKS cluster using Helm charts.
-
Install the Argo Custom Resource Definitions (CRDs) required by the Secure Agent. This step installs only the CRDs. The Secure Agent is installed in the subsequent step using a Helm upgrade.
helm install <helm-app-name> oci://registry-1.docker.io/atlanhq/workflow-offline-agent \
--version 0.1.0 \
-n <namespace> \
--create-namespace -f <path/to/agent_config_values.yaml> \
--set agent.name="<secure-agent-name>" \
--set agent.atlan.domain="<atlan-tenant-domain>" \
--set agent.atlan.token="<atlan-api-token>" \
--set argo-workflows.controller.workflowNamespaces={<namespace>} \
--set IsUpgrade=falseReplace the placeholders:
<namespace>: The Kubernetes namespace where you want to deploy the Secure Agent.<path/to/agent_config_values.yaml>: The path to the YAML config file.<secure-agent-name>: Unique name, like agent-us-east-cdw.<helm-app-name>: Unique Helm release name, like atlan-agent-v1.<atlan-tenant-domain>: Your Atlan domain, e.g., mycompany.atlan.com.<atlan-api-token>: Token used for authentication. See Create a bearer token.
-
Use the following kubectl command to associate the IAM role with the service account. This enables the Secure Agent to access the S3 bucket securely using IAM Roles for Service Accounts (IRSA). Make sure the IAM role’s trust policy enables the argo-workflow service account to assume the role.
kubectl annotate serviceaccount argo-workflow \
-n \
eks.amazonaws.com/role-arn=arn:aws:iam:::role/Replace the placeholders:
<namespace: The Kubernetes namespace where you want to deploy the Secure Agent.<AWS_ACCOUNT_ID>: Your AWS Account ID.<YourAgentIAMRoleName>: The IAM role name you created for the Secure Agent using IRSA.
-
Install the Secure Agent by upgrading the Helm release. This step performs the actual Secure Agent installation after CRDs are in place.
helm upgrade <helm-app-name> oci://registry-1.docker.io/atlanhq/workflow-offline-agent \
--version 0.1.0 \
-n <namespace> \
--create-namespace -f <path/to/agent_config_values.yaml> \
--set agent.name="<secure-agent-name>" \
--set agent.atlan.domain="<atlan-tenant-domain>" \
--set agent.atlan.token="<atlan-api-token>" \
--set argo-workflows.controller.workflowNamespaces={<namespace>} \
--set IsUpgrade=trueReplace the placeholders:
<namespace>: The Kubernetes namespace where you want to deploy the Secure Agent.<path/to/agent_config_values.yaml>: The path to the YAML config file.<secure-agent-name>: Unique name, like agent-us-east-cdw.<helm-app-name>: Unique Helm release name, like atlan-agent-v1.<atlan-tenant-domain>: Your Atlan domain, e.g., mycompany.atlan.com.<atlan-api-token>: Token used for authentication. See Create a bearer token.
-
While the installation is in progress, you can run the following command to verify the progress:
kubectl get pods -n <namespace>Replace
<namespace>with the Kubernetes namespace used for deployment.
Verify installation
To confirm successful installation:
- Sign in to your Atlan tenant as an admin. For example,
https://<tenant>.atlan.com. - Navigate to the Agent tab.
- Search for your Secure Agent name.
- If the agent appears in the list and is marked Active, installation is complete.