Set up a credential that allows Tanzu Mission Control to manage resources in your AWS account.

An account credential is required for managing the lifecycle of EKS clusters.


There is a five (5) minute sync period between the AWS account and Tanzu Mission Control, so resources created (such as a subnet) may not appear as available in Tanzu Mission Control immediately. The syncing must be complete before you try to create another resource.


Log in to the Tanzu Mission Control console.

Log in to your AWS account.

Make sure you have the appropriate permissions to create credentials.
  • To create EKS credentials, you must be associated with the Tanzu Mission Control role cluster.admin role.

For more information about roles and permissions in Tanzu Mission Control, see Access Control and Users and Groups in VMware Tanzu Mission Control Concepts.


  1. In the Tanzu Mission Control console, click Administration in the left navigation pane.
  2. On the the Accounts tab of the Administration page, click Create Credential and choose AWS EKS.
  3. On the Create credential page, provide a name for the credential.
  4. You can optionally provide a description and labels.
  5. Click Next.
  6. Click Generate Template, and then after the template is generated, click Next.
  7. Use the generated template in one of two ways to create the AWS CloudFormation stack, either via the AWS CLI or the AWS console UI.
  8. Retrieve the Role ARN using the command as shown below, or using the console by navigating to CloudFormation > Stacks > <your stack> > Outputs.
    aws iam get-role --role-name clusterlifecycle.<GeneratedTemplateID> --query 'Role.Arn' --output text
  9. Copy the Role ARN and paste it into the Role ARN field.
  10. Click Create.


When you click Create, Tanzu Mission Control creates the credential. The process of creating and validating the credential can take up to 15 minutes.

Note that as part of the AWS EKS credential, the template creates the following AWS IAM roles:
  • control-plane.${GeneratedTemplateID} - this is for control plane communications
  • worker.${GeneratedTemplateID} - this is for the worker nodes
  • lambda.${GeneratedTemplateID} - this role allows Lambda to retrieve EKS cluster, VPC, AMI, Region, and Availability Zone information
  • cloudwatch.${GeneratedTemplateID} - this allows CloudWatch to invoke Lambda functions
  • clusterlifecycle.${GeneratedTemplateID} - this role is for managing EKS cluster lifecycles
Note: Deleting Tanzu Mission Controlcredentials does not delete these roles. After you have deleted your credentials you need to delete the Cloud Formation template to remove all these roles. For more information, see Clean Up Your AWS EKS Account After Deleting a Credential.

What to do next

After you have created the credential, you can use it when creating an EKS cluster in your AWS account.