automation-suite

2024.10

false

Automation Suite on EKS/AKS installation guide

Last updated Mar 31, 2026

Granting installation permissions

Important:

Installation permissions are relevant only if you cannot provide admin privileges to the Automation Suite installer. If you can provide the required admin privileges to the installer, you do not need to follow the instructions in this section.

Automation Suite relies on specific permissions during installation. These permissions are assigned to the service account, which plays a pivotal role in installing the various Automation Suite components.

To configure all the permissions required for installation, take the following steps:

Step 4.1: Creating a service account

Step 4.2: Creating the required roles

Step 4.3: Binding the roles to the uipathadmin service account

Step 4.4: Generating the kubeconfig file

Step 1: Creating a service account

To create a service account, take the following steps:

Create the <uipath> namespace:
```
kubectl create namespace <uipath>
kubectl create namespace <uipath>
```

Create a service account named uipathadmin:

 kubectl create serviceaccount uipathadmin -n <uipath>
 kubectl create serviceaccount uipathadmin -n <uipath>

Use the existing admin cluster role to grant admin permissions to the uipathadmin service account in the <uipath> namespace:

kubectl create rolebinding uipathadmin --clusterrole=admin --serviceaccount=<uipath>:uipathadmin -n <uipath>
kubectl create rolebinding uipathadmin --clusterrole=admin --serviceaccount=<uipath>:uipathadmin -n <uipath>

Step 2: Creating the required roles

The uipathadmin service account requires certain permissions during the Automation Suite installation. You provide the necessary permissions by creating roles. To create each role, save its configuration as a YAML file and run the following command, replacing the <file_name.yaml> placeholder with the actual name of the YAML file:

kubectl apply -f <file_name.yaml>
kubectl apply -f <file_name.yaml>

You can create the YAML file for each role by copying its corresponding configuration from the following table:

Figure 1. Automation Suite installation permissions

Permissions	Purpose	Configuration
Query the namespace [read-only]	Required to check whether the namespaces, such as the `<istio-system>` namespace, are available or not.	`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: namespace-reader-clusterrole rules: - apiGroups: [""] resources: ["namespaces"] verbs: ["get"]`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: namespace-reader-clusterrole rules: - apiGroups: [""] resources: ["namespaces"] verbs: ["get"]
List nodes and CRDs [read-only]	The prerequisite check and diagnostic health check tool require this permission to perform node validations, such as checking available capacity on the node.	`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: list-nodes-and-crd-clusterrole rules: - apiGroups: [""] resources: ["nodes"] verbs: ["list", "get"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["list"] - apiGroups: ["metrics.k8s.io"] resources: ["nodes"] verbs: ["list", "get"] - apiGroups: ["scheduling.k8s.io"] resources: ["priorityclasses"] verbs: ["get"]`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: list-nodes-and-crd-clusterrole rules: - apiGroups: [""] resources: ["nodes"] verbs: ["list", "get"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["list"] - apiGroups: ["metrics.k8s.io"] resources: ["nodes"] verbs: ["list", "get"] - apiGroups: ["scheduling.k8s.io"] resources: ["priorityclasses"] verbs: ["get"]
Get storage classes [read-only]	The prerequisite check and diagnostic health check tool require this permission to perform the validations.	`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: storage-class-reader rules: - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get"]`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: storage-class-reader rules: - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get"]
`uipath` roles [write]	Most of the Automation Suite installation is performed via ArgoCD. However, some components are installed via Helm charts. The `uipathctl` tool runs an installation job that connects to the `kube-api-server` and installs Helm charts in the `<uipath>` namespace, which requires namespace-level role-creator permissions.	`apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: uipath-automationsuite-role namespace: <uipath> rules: - apiGroups: ["rbac.authorization.k8s.io"] resources: ["roles", "rolebindings"] verbs: [""] - apiGroups: [""] resources: ["secrets", "configmaps"] verbs: ["get", "watch", "list", "patch", "update", "create"] - apiGroups: ["security.istio.io", "networking.istio.io"] resources: [""] verbs: [""]`apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: uipath-automationsuite-role namespace: <uipath> rules: - apiGroups: ["rbac.authorization.k8s.io"] resources: ["roles", "rolebindings"] verbs: [""] - apiGroups: [""] resources: ["secrets", "configmaps"] verbs: ["get", "watch", "list", "patch", "update", "create"] - apiGroups: ["security.istio.io", "networking.istio.io"] resources: [""] verbs: [""]
`<istio-system>` roles [write] Provide these permissions only if you want the installer to configure the WASM plugin.	The following operations are performed in the `<istio-system>` namespace: The prerequisite check tool reads pods and services to validate that Istio is installed and configured properly. Automation Suite installs the WASM plugin, which requires creating an image pull secret and namespace-level role creator permissions.	`apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: istio-system-automationsuite-role namespace: <istio-system> rules: - apiGroups: [""] resources: ["services", "pods"] verbs: ["list"] - apiGroups: ["rbac.authorization.k8s.io"] resources: ["roles", "rolebindings"] verbs: [""] - apiGroups: [""] resources: ["secrets", "configmaps"] verbs: ["get", "watch", "list", "patch", "update", "create"] - apiGroups: ["networking.istio.io", "extensions.istio.io"] resources: [""] verbs: [""]`apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: istio-system-automationsuite-role namespace: <istio-system> rules: - apiGroups: [""] resources: ["services", "pods"] verbs: ["list"] - apiGroups: ["rbac.authorization.k8s.io"] resources: ["roles", "rolebindings"] verbs: [""] - apiGroups: [""] resources: ["secrets", "configmaps"] verbs: ["get", "watch", "list", "patch", "update", "create"] - apiGroups: ["networking.istio.io", "extensions.istio.io"] resources: [""] verbs: [""]
`<istio-system>` roles [read-only] Provide these permissions if Istio and the WASM plugin are already configured.	The following operations are performed in the `<istio-system>` namespace: Read pods and services to validate Istio installation. Read secrets to copy certificates into the `<uipath>` namespace.	`apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: istio-system-automationsuite-role namespace: <istio-system> rules: - apiGroups: [""] resources: ["services", "pods"] verbs: ["list"] - apiGroups: [""] resources: ["secrets"] resourceNames: ["istio-ingressgateway-certs"] verbs: ["get"]`apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: istio-system-automationsuite-role namespace: <istio-system> rules: - apiGroups: [""] resources: ["services", "pods"] verbs: ["list"] - apiGroups: [""] resources: ["secrets"] resourceNames: ["istio-ingressgateway-certs"] verbs: ["get"]

Step 3: Binding the roles

You must bind the roles that you created in the previous step to the uipathadmin service account, by running the following commands:

kubectl -n <istio-system> create rolebinding istio-system-automationsuite-rolebinding \
  --role=istio-system-automationsuite-role --serviceaccount=<uipath>:uipathadmin
  
kubectl -n <istio-system> create rolebinding namespace-reader-rolebinding \
  --clusterrole=namespace-reader-clusterrole --serviceaccount=<uipath>:uipathadmin
  
kubectl -n <uipath> create clusterrolebinding list-nodes-and-crd-rolebinding \
  --clusterrole=list-nodes-and-crd-clusterrole --serviceaccount=<uipath>:uipathadmin
  
kubectl -n <uipath> create rolebinding uipath-automationsuite-rolebinding \
  --role=uipath-automationsuite-role --serviceaccount=<uipath>:uipathadmin
  
kubectl -n <uipath> create clusterrolebinding storage-class-reader-binding \
  --clusterrole=storage-class-reader --serviceaccount=<uipath>:uipathadmin

# This step is needed only if you want installer to configure the WASM Plugin. Otherwise skip it.
kubectl -n <istio-system> create rolebinding uipadmin-istio-system \
  --clusterrole=admin --serviceaccount=<uipath>:uipathadmin
kubectl -n <istio-system> create rolebinding istio-system-automationsuite-rolebinding \
  --role=istio-system-automationsuite-role --serviceaccount=<uipath>:uipathadmin
  
kubectl -n <istio-system> create rolebinding namespace-reader-rolebinding \
  --clusterrole=namespace-reader-clusterrole --serviceaccount=<uipath>:uipathadmin
  
kubectl -n <uipath> create clusterrolebinding list-nodes-and-crd-rolebinding \
  --clusterrole=list-nodes-and-crd-clusterrole --serviceaccount=<uipath>:uipathadmin
  
kubectl -n <uipath> create rolebinding uipath-automationsuite-rolebinding \
  --role=uipath-automationsuite-role --serviceaccount=<uipath>:uipathadmin
  
kubectl -n <uipath> create clusterrolebinding storage-class-reader-binding \
  --clusterrole=storage-class-reader --serviceaccount=<uipath>:uipathadmin

# This step is needed only if you want installer to configure the WASM Plugin. Otherwise skip it.
kubectl -n <istio-system> create rolebinding uipadmin-istio-system \
  --clusterrole=admin --serviceaccount=<uipath>:uipathadmin

Step 4: Generating the kubeconfig file

After you assign all the permissions to the service account, you must create a kubeconfig file to pass to the uipathctl tool for the installation.

Generating the kubeconfig file on Linux or Mac

To generate the kubeconfig file on Linux or Mac, run the following commands:

# Create a token
token="$(kubectl -n <uipath> create token uipathadmin --duration=8760h)"
# copy current kubeconfig to a temp file
mkdir temp
cp ~/.kube/config temp/kubeconfig.tmp
# Find the user name and unset it in the temp file
kube_user_name="$(kubectl config view -o jsonpath="{.users[0].name}")"
kubectl -n <uipath> config unset users."${kube_user_name}" --kubeconfig="temp/kubeconfig.tmp"
# Update the credentials in the temp file
kubectl -n <uipath> --kubeconfig="temp/kubeconfig.tmp" config set-credentials uipathadmin --token="$token"
# Set the context and the namespace
kubectl --kubeconfig="temp/kubeconfig.tmp" config set-context --current --namespace=<uipath> --user=uipathadmin
mv temp/kubeconfig.tmp temp/uipathadminkubeconfig
# Create a token
token="$(kubectl -n <uipath> create token uipathadmin --duration=8760h)"
# copy current kubeconfig to a temp file
mkdir temp
cp ~/.kube/config temp/kubeconfig.tmp
# Find the user name and unset it in the temp file
kube_user_name="$(kubectl config view -o jsonpath="{.users[0].name}")"
kubectl -n <uipath> config unset users."${kube_user_name}" --kubeconfig="temp/kubeconfig.tmp"
# Update the credentials in the temp file
kubectl -n <uipath> --kubeconfig="temp/kubeconfig.tmp" config set-credentials uipathadmin --token="$token"
# Set the context and the namespace
kubectl --kubeconfig="temp/kubeconfig.tmp" config set-context --current --namespace=<uipath> --user=uipathadmin
mv temp/kubeconfig.tmp temp/uipathadminkubeconfig

If the operation was successful, you should see a kubeconfig file named uipathadminkubeconfig.

Generating the kubeconfig file on Windows

Note:

You must perform this step using Windows Powershell.

To generate the kubeconfig file on Windows, run the following commands:

# Create a token
$token = kubectl -n <uipath> create token uipathadmin --duration=8760h
# copy current kubeconfig to a temp file
mkdir temp
cp ~/.kube/config temp/kubeconfig.tmp
# Find the user name and unset it in the temp file
$kube_user_name = kubectl config view -o jsonpath="{.users[0].name}"
kubectl -n <uipath> config unset users."${kube_user_name}" --kubeconfig="temp/kubeconfig.tmp"
# Update the credentials in the temp file
kubectl -n <uipath> --kubeconfig="temp/kubeconfig.tmp" config set-credentials uipathadmin --token="$token"
# Set the context and the namespace
kubectl --kubeconfig="temp/kubeconfig.tmp" config set-context --current --namespace=<uipath> --user=uipathadmin
mv temp/kubeconfig.tmp temp/uipathadminkubeconfig
# Create a token
$token = kubectl -n <uipath> create token uipathadmin --duration=8760h
# copy current kubeconfig to a temp file
mkdir temp
cp ~/.kube/config temp/kubeconfig.tmp
# Find the user name and unset it in the temp file
$kube_user_name = kubectl config view -o jsonpath="{.users[0].name}"
kubectl -n <uipath> config unset users."${kube_user_name}" --kubeconfig="temp/kubeconfig.tmp"
# Update the credentials in the temp file
kubectl -n <uipath> --kubeconfig="temp/kubeconfig.tmp" config set-credentials uipathadmin --token="$token"
# Set the context and the namespace
kubectl --kubeconfig="temp/kubeconfig.tmp" config set-context --current --namespace=<uipath> --user=uipathadmin
mv temp/kubeconfig.tmp temp/uipathadminkubeconfig

If the operation was successful, you should see a kubeconfig file named uipathadminkubeconfig in the temp folder.

On this page

Step 1: Creating a service account
Step 2: Creating the required roles
Step 3: Binding the roles
Step 4: Generating the kubeconfig file
Generating the kubeconfig file on Linux or Mac
Generating the kubeconfig file on Windows

Was this page helpful?

PREVIOUSConfiguring the OCI-compliant registry

NEXTInstalling and configuring the GitOps tool

Automation Suite on EKS/AKS installation guide

Step 1: Creating a service account​

Step 2: Creating the required roles​

Step 3: Binding the roles​

Step 4: Generating the kubeconfig file​

Generating the kubeconfig file on Linux or Mac​

Generating the kubeconfig file on Windows​