AWS Deployment

This guide provides step-by-step instructions for deploying Immuta 2026.1.x to Amazon EKS with RDS for PostgreSQL and OpenSearch for audit storage.

For the official Immuta self-managed deployment documentation, see Install Immuta.

Prerequisites

AWS CLI (aws) installed and authenticated with permissions to create EKS clusters, ECR repositories, RDS instances, and OpenSearch domains
kubectl installed
Helm 3.2.0+ installed
skopeo installed (installation guide) -- used to copy container images between registries
eksctl installed (installation guide)
Immuta OCI registry credentials

Required Variables

Set these environment variables before starting. All subsequent commands reference them.

# Deployment naming
export EKS_CLUSTER_NAME=immuta-lts
export AWS_REGION=us-east-1

# Immuta version
export IMMUTA_VERSION=2026.1.0

# Immuta registry credentials
export IMMUTA_USER=<your-immuta-registry-username>
export IMMUTA_TOKEN=<your-immuta-registry-token>

# AWS account
export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)

# PostgreSQL credentials
export DB_PASSWORD=<your-postgres-admin-password>
export IMMUTA_DB_PASSWORD=<your-immuta-db-password>

# Namespace
export NAMESPACE=immuta

Avoid whitespace, $, &, :, \, /, and ' in database passwords. These characters can cause authentication failures or Helm value parsing issues.

Step 1: Create Container Repositories in ECR

for image in audit-service cache classify-service detect-temporal-worker immuta-db immuta-service temporal-admin-tools temporal-proxy temporal-server; do
  aws ecr create-repository \
      --repository-name stable/$image \
      --region ${AWS_REGION};
done

Step 2: Copy Immuta Images to ECR

Authenticate to ECR

aws ecr get-login-password --region ${AWS_REGION} | skopeo login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com

Authenticate to Immuta Registry

echo "${IMMUTA_TOKEN}" | skopeo login --username "${IMMUTA_USER}" --password-stdin ocir.immuta.com

Copy images

for image in audit-service cache classify-service detect-temporal-worker immuta-db immuta-service temporal-admin-tools temporal-proxy temporal-server; do
  skopeo copy docker://ocir.immuta.com/stable/$image:${IMMUTA_VERSION} docker://${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/stable/$image:${IMMUTA_VERSION};
done

Step 3: Deploy EKS Cluster

Create the cluster

Run eksctl create cluster with a file like the one below but updated with appropriate values for the destination environment:

eksctl create cluster -f immuta-lts.yaml

Cluster Config

apiVersion: eksctl.io/v1alpha5
iam:
  withOIDC: true
kind: ClusterConfig
kubernetesNetworkConfig:
  ipFamily: IPv4
managedNodeGroups:
- name: immuta-lts
  amiFamily: AmazonLinux2
  desiredCapacity: 3
  disableIMDSv1: true
  disablePodIMDS: false
  instanceType: m5.xlarge
  iam:
    withAddonPolicies:
      albIngress: true
      awsLoadBalancerController: true
      certManager: true
      cloudWatch: true
      ebs: true
      externalDNS: true
  labels:
    alpha.eksctl.io/cluster-name: immuta-lts
    alpha.eksctl.io/nodegroup-name: immuta-lts
  maxSize: 3
  minSize: 3
  privateNetworking: true
  tags:
    alpha.eksctl.io/nodegroup-name: immuta-lts
    alpha.eksctl.io/nodegroup-type: managed
  volumeIOPS: 3000
  volumeSize: 80
  volumeThroughput: 125
  volumeType: gp3
metadata:
  name: immuta-lts
  region: us-east-1
  version: "1.33"

Create service accounts for EBS CSI Driver and Load Balancer Controller

This creates IAM roles and associates them with Kubernetes service accounts. For the ebs-csi-controller we only create the IAM role and allow the addon to create the service account.

If this is the first time running an EKS Cluster with the AWS Load Balancer Controller the IAM policy must be created first:

curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.7.2/docs/install/iam_policy.json
aws iam create-policy \
    --policy-name AWSLoadBalancerControllerIAMPolicy \
    --policy-document file://iam-policy.json

eksctl create iamserviceaccount --cluster ${EKS_CLUSTER_NAME} \
                                --name ebs-csi-controller-sa \
                                --namespace kube-system \
                                --role-name ${EKS_CLUSTER_NAME}-ebs-csi-driver-role \
                                --role-only \
                                --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
                                --approve

eksctl create iamserviceaccount --cluster ${EKS_CLUSTER_NAME} \
                                --name aws-load-balancer-controller \
                                --namespace kube-system \
                                --attach-policy-arn arn:aws:iam::${AWS_ACCOUNT_ID}:policy/AWSLoadBalancerControllerIAMPolicy  \
                                --approve

Enable the EBS CSI Driver Addon

eksctl create addon --name aws-ebs-csi-driver \
                    --cluster ${EKS_CLUSTER_NAME} \
                    --service-account-role-arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/${EKS_CLUSTER_NAME}-ebs-csi-driver-role

Deploy the AWS Load Balancer Controller

helm repo add eks https://aws.github.io/eks-charts
helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
             --namespace kube-system \
             --set clusterName=${EKS_CLUSTER_NAME} \
             --set serviceAccount.create=false \
             --set serviceAccount.name=aws-load-balancer-controller

Deploy external-dns

If you control the DNS zone your application is being deployed to from the existing AWS account, you can automatically make DNS updates by installing external-dns:

helm repo add external-dns https://kubernetes-sigs.github.io/external-dns
helm upgrade --install --create-namespace --namespace=external-dns external-dns external-dns/external-dns

Step 4: Create RDS Instance in EKS VPC

EKS_VPC_ID=$(aws ec2 describe-vpcs --filters "Name=tag:Name,Values=eksctl-${EKS_CLUSTER_NAME}-cluster/VPC" --query "Vpcs[*].VpcId" --output text)
EKS_SUBNET_IDS=$(aws ec2 describe-subnets --filters "Name=tag:alpha.eksctl.io/cluster-name,Values=${EKS_CLUSTER_NAME}" --query "Subnets[*].SubnetId" --output json)
EKS_SHARED_SG_ID=$(aws ec2 describe-security-groups --filters "Name=tag:Name,Values=eksctl-${EKS_CLUSTER_NAME}-cluster/ClusterSharedNodeSecurityGroup" --query "SecurityGroups[*].GroupId" --output text)
DB_STORAGE=150
DB_USER=postgres
DB_INSTANCE_CLASS=db.m5.large

aws rds create-db-subnet-group --db-subnet-group-name ${EKS_CLUSTER_NAME}-group \
                               --db-subnet-group-description "Subnet Group for ${EKS_CLUSTER_NAME} RDS" \
                               --subnet-ids ${EKS_SUBNET_IDS}

aws rds create-db-instance --db-instance-identifier ${EKS_CLUSTER_NAME} \
                           --db-instance-class ${DB_INSTANCE_CLASS} \
                           --engine postgres \
                           --engine-version 16 \
                           --master-username ${DB_USER} \
                           --master-user-password ${DB_PASSWORD} \
                           --allocated-storage ${DB_STORAGE} \
                           --vpc-security-group-ids ${EKS_SHARED_SG_ID} \
                           --db-subnet-group-name ${EKS_CLUSTER_NAME}-group

Step 5: Configure PostgreSQL Databases

Wait for the RDS instance to become available, then configure the databases from an ephemeral pod in EKS.

Get the RDS endpoint

RDS_ENDPOINT=$(aws rds describe-db-instances \
    --db-instance-identifier ${EKS_CLUSTER_NAME} \
    --query "DBInstances[0].Endpoint.Address" --output text)

Create the namespace

kubectl create namespace ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -

Create the Immuta role and databases

Run the following SQL to create the immuta role and the three required databases:

kubectl run pg-setup --rm -i --restart=Never \
    --image=postgres:16 -n ${NAMESPACE} \
    --env="PGPASSWORD=${DB_PASSWORD}" \
    -- psql -h "${RDS_ENDPOINT}" -U postgres -d postgres <<'SQL'

-- Create the immuta role
CREATE ROLE immuta WITH LOGIN ENCRYPTED PASSWORD '<immuta-db-password>';
GRANT rds_superuser TO immuta;
GRANT immuta TO current_user;
ALTER ROLE immuta SET search_path TO bometadata, audit, public;

-- Create databases
CREATE DATABASE immuta OWNER immuta;
CREATE DATABASE temporal OWNER immuta;
CREATE DATABASE temporal_visibility OWNER immuta;

-- Grant permissions
GRANT ALL ON DATABASE immuta TO immuta;
GRANT ALL ON DATABASE temporal TO immuta;
GRANT ALL ON DATABASE temporal_visibility TO immuta;

-- Configure immuta database
\c immuta
CREATE EXTENSION pgcrypto;

-- Configure temporal database
\c temporal
GRANT CREATE ON SCHEMA public TO immuta;

-- Configure temporal_visibility database
\c temporal_visibility
GRANT CREATE ON SCHEMA public TO immuta;
CREATE EXTENSION btree_gin;
SQL

Replace <immuta-db-password> in the SQL above with the password you want for the immuta database role.

Step 6: Download RDS CA Bundle

RDS requires TLS for connections. Download the AWS RDS CA bundle and create a Kubernetes secret that Temporal will mount:

curl -o global-bundle.pem https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem

kubectl -n ${NAMESPACE} create secret generic secret-with-certs \
    --from-file=global-bundle.pem

Step 7: Create an OpenSearch Domain

EKS_SUBNET_IDS_TEXT=$(aws ec2 describe-subnets --filters "Name=tag:alpha.eksctl.io/cluster-name,Values=${EKS_CLUSTER_NAME}" --query "Subnets[*].SubnetId" --output text | awk -v OFS="," '$1=$1')
PRIVATE_SUBNET_ID=$(aws ec2 describe-subnets --filters "Name=tag:Name,Values=eksctl-${EKS_CLUSTER_NAME}*Private*" --query "Subnets[0].SubnetId" --output text)
OPENSEARCH_INSTANCE_TYPE=m5.xlarge.search
OPENSEARCH_INSTANCE_COUNT=1
OPENSEARCH_VOLUME_SIZE=100
OPENSEARCH_USERNAME=immuta-audit-service
OPENSEARCH_PASSWORD=<your-opensearch-password>

aws opensearch create-domain --domain-name ${EKS_CLUSTER_NAME} \
                             --cluster-config "InstanceType=${OPENSEARCH_INSTANCE_TYPE},InstanceCount=${OPENSEARCH_INSTANCE_COUNT}" \
                             --ebs-options "EBSEnabled=true,VolumeType=gp2,VolumeSize=${OPENSEARCH_VOLUME_SIZE}" \
                             --vpc-options "SecurityGroupIds=${EKS_SHARED_SG_ID},SubnetIds=${PRIVATE_SUBNET_ID}" \
                             --advanced-security-options "Enabled=true,InternalUserDatabaseEnabled=true,MasterUserOptions={MasterUserName=${OPENSEARCH_USERNAME},MasterUserPassword=${OPENSEARCH_PASSWORD}}" \
                             --node-to-node-encryption-options "Enabled=true" \
                             --encryption-at-rest "Enabled=true" \
                             --domain-endpoint-options "EnforceHTTPS=true" \
                             --access-policies "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"*\"},\"Action\": \"es:*\",\"Resource\": \"arn:aws:es:${AWS_REGION}:${AWS_ACCOUNT_ID}:domain/${EKS_CLUSTER_NAME}/*\"}]}"

Step 8: Install Immuta via Helm

Authenticate Helm to the Immuta registry

echo "${IMMUTA_TOKEN}" | helm registry login --password-stdin --username "${IMMUTA_USER}" ocir.immuta.com

Deploy Immuta

helm upgrade --install -n ${NAMESPACE} immuta \
    oci://ocir.immuta.com/stable/immuta-enterprise \
    --version ${IMMUTA_VERSION} \
    -f immuta-values.yaml \
    --timeout 10m \
    --wait

Example values

global:
  imageRegistry: <account-id>.dkr.ecr.us-east-1.amazonaws.com
  imageTag: "2026.1.0"
  postgresql:
    host: <rds-endpoint>
    port: 5432
    username: immuta
    password: <immuta-db-password>
    ssl: true
audit:
  enabled: true
  postgresql:
    database: immuta
  config:
    elasticsearchEndpoint: https://<opensearch-endpoint>/
    elasticsearchUsername: immuta-audit-service
    elasticsearchPassword: <your-opensearch-password>
secure:
  extraConfig:
    publicImmutaUrl: https://<your-immuta-hostname>
  postgresql:
    database: immuta
  ingress:
    annotations:
      alb.ingress.kubernetes.io/backend-protocol: HTTP
      alb.ingress.kubernetes.io/group.name: immuta
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/ssl-redirect: "443"
      alb.ingress.kubernetes.io/target-type: ip
    ingressClassName: alb
    hostname: <your-immuta-hostname>
    tls: true
temporal:
  enabled: true
  schema:
    createDatabase:
      enabled: false
  server:
    extraVolumes:
    - name: secret-with-certs
      secret:
        secretName: secret-with-certs
    extraVolumeMounts:
    - name: secret-with-certs
      mountPath: /certs/
    config:
      persistence:
        default:
          sql:
            database: temporal
            tls:
              enabled: true
              caFile: /certs/global-bundle.pem
        visibility:
          sql:
            database: temporal_visibility
            tls:
              enabled: true
              caFile: /certs/global-bundle.pem
    username: immuta
    password: <immuta-db-password>

Additional Annotations for ALB

All available annotations for the AWS Load Balancer Controller can be found at the link below. It may be worth noting enabling deletion protection via:

alb.ingress.kubernetes.io/load-balancer-attributes: deletion_protection.enabled=true

Annotations - AWS Load Balancer Controllerkubernetes-sigs.github.io

PreviousDeployment Overview NextAzure Deployment (AKS)

Last updated 27 days ago

hashtagPrerequisites

hashtagRequired Variables

hashtagStep 1: Create Container Repositories in ECR

hashtagStep 2: Copy Immuta Images to ECR

hashtagAuthenticate to ECR

hashtagAuthenticate to Immuta Registry

hashtagCopy images

hashtagStep 3: Deploy EKS Cluster

hashtagCreate the cluster

hashtagCreate service accounts for EBS CSI Driver and Load Balancer Controller

hashtagEnable the EBS CSI Driver Addon

hashtagDeploy the AWS Load Balancer Controller

hashtagDeploy external-dns

hashtagStep 4: Create RDS Instance in EKS VPC

hashtagStep 5: Configure PostgreSQL Databases

hashtagGet the RDS endpoint

hashtagCreate the namespace

hashtagCreate the Immuta role and databases

hashtagStep 6: Download RDS CA Bundle

hashtagStep 7: Create an OpenSearch Domain

hashtagStep 8: Install Immuta via Helm

hashtagAuthenticate Helm to the Immuta registry

hashtagDeploy Immuta

hashtagExample values

hashtagAdditional Annotations for ALB

Prerequisites

Required Variables

Step 1: Create Container Repositories in ECR

Step 2: Copy Immuta Images to ECR

Authenticate to ECR

Authenticate to Immuta Registry

Copy images

Step 3: Deploy EKS Cluster

Create the cluster

Create service accounts for EBS CSI Driver and Load Balancer Controller

Enable the EBS CSI Driver Addon

Deploy the AWS Load Balancer Controller

Deploy external-dns

Step 4: Create RDS Instance in EKS VPC

Step 5: Configure PostgreSQL Databases

Get the RDS endpoint

Create the namespace

Create the Immuta role and databases

Step 6: Download RDS CA Bundle

Step 7: Create an OpenSearch Domain

Step 8: Install Immuta via Helm

Authenticate Helm to the Immuta registry

Deploy Immuta

Example values

Additional Annotations for ALB