This is actually pretty well described in the docs.
Before you create worker nodes, you must create an IAM role with the following IAM policies:
AmazonEKSWorkerNodePolicy
AmazonEKS_CNI_Policy
AmazonEC2ContainerRegistryReadOnly
Also, you need to make sure that this role can be assumed by EKS.
{"Version": "2012-10-17","Statement": [ {"Effect": "Allow","Principal": {"Service": "ec2.amazonaws.com" },"Action": "sts:AssumeRole" } ]}