diff --git a/examples/full-cluster/common-services/cert.tf b/examples/full-cluster/common-services/cert.tf
index 17ce8b7..1202841 100644
--- a/examples/full-cluster/common-services/cert.tf
+++ b/examples/full-cluster/common-services/cert.tf
@@ -45,81 +45,3 @@ Ask for the certificate to be signed with the Linux (v2) PKI CA with the command
 EOM
 }
-## resource "tls_private_key" "ca" {
-## algorithm = "RSA"
-## rsa_bits = 4096
-## }
-##
-## resource "tls_cert_request" "ca" {
-## key_algorithm = "RSA"
-## private_key_pem = tls_private_key.ca.private_key_pem
-##
-## dns_names = local.ca_cert_san
-## subject {
-## common_name = local.ca_dns_name
-## organizational_unit = local.ca_ou
-## organization = "U.S. Census Bureau"
-## country = "US"
-## }
-## }
-##
-## resource "null_resource" "ca_root_cert" {
-## provisioner "local-exec" {
-## command = "test -d certs || mkdir certs"
-## }
-## provisioner "local-exec" {
-## command = "curl -o ${local.ca_root_filename} http://ca.apps.tco.census.gov/certs/ca"
-## }
-## }
-##
-## resource "null_resource" "ca_files" {
-## triggers = {
-## ca_key_public = sha256(tls_private_key.ca.public_key_pem)
-## ca_csr = sha256(tls_cert_request.ca.cert_request_pem)
-## }
-##
-## # get key
-## provisioner "local-exec" {
-## command = "test -d certs || mkdir certs"
-## }
-## provisioner "local-exec" {
-## command = "echo '${tls_private_key.ca.private_key_pem}' > certs/${local.ca_dns_name}.key"
-## }
-## provisioner "local-exec" {
-## command = "echo '${tls_private_key.ca.public_key_pem}' > certs/${local.ca_dns_name}.public_key"
-## }
-## # get csr
-## provisioner "local-exec" {
-## command = "echo '${tls_cert_request.ca.cert_request_pem}' > certs/${local.ca_dns_name}.csr"
-## }
-##
-## # detail how to get certs
-## provisioner "local-exec" {
-## command = "echo 'add the key file to .gitignore, add it to git-secret, and hide it. 
Then add the .secret to git'"
-## }
-## provisioner "local-exec" {
-## command = "echo 'now submit file to TCO for signing and return the result as below:\n csr = certs/${local.ca_dns_name}.csr\n cert = certs/${local.ca_dns_name}.crt\n'"
-## }
-## provisioner "local-exec" {
-## command = "echo command = ./sign-subordinate-ca-cert.sh ${local.ca_dns_name}.csr 'c=US,o=U.S. Census Bureau,OU=PKI,ou=EKS,ou=${var.vpc_full_name},ou=${var.cluster_name},cn=${local.ca_dns_name}' 730"
-## }
-## provisioner "local-exec" {
-## command = "echo 'curl -O http://ca.apps.tco.census.gov/certs/server?host=${local.ca_dns_name}&format=crt&download=1'"
-## }
-## }
-##
-## resource "null_resource" "ca_cert" {
-## count = local.ca_cert_download ? 1 : 0
-## # get cert
-## provisioner "local-exec" {
-## command = "curl -o ${path.root}/certs/${local.ca_dns_name}.crt 'http://ca.apps.tco.census.gov/certs/server?host=${local.ca_dns_name}&format=crt&download=1'"
-## }
-## }
-##
-## resource "local_file" "ca_bundle_cert" {
-## count = local.ca_cert_download && local.ca_cert_exists && local.ca_root_exists && length(local.ca_bundle_contents) > 0 ? 1 : 0
-##
-## content = local.ca_bundle_contents
-## filename = local.ca_bundle_filename
-## file_permission = "0644"
-## }
diff --git a/examples/full-cluster/common-services/tf-run.data b/examples/full-cluster/common-services/tf-run.data
index b5748b2..151539a 100644
--- a/examples/full-cluster/common-services/tf-run.data
+++ b/examples/full-cluster/common-services/tf-run.data
@@ -1,4 +1,4 @@ -VERSION 1.1.3 +VERSION 1.1.4 REMOTE-STATE COMMAND tf-directory-setup.py -l none -f COMMAND setup-new-directory.sh
@@ -15,6 +15,7 @@ STOP once that is available, change cert_download to true module.cert module.cert ALL +ALL COMMENT run: git-secret add certs/*.key; git-secret hide COMMENT be sure to add all files to git, and be sure to commit -a to get .gitsecret/ changes
diff --git a/examples/scripts/create-iam-config.sh b/examples/scripts/create-iam-config.sh
new file mode 100755
index 0000000..9bb68f1
--- /dev/null
+++ b/examples/scripts/create-iam-config.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+PROFILE=$1
+CLUSTER=$2
+REGION=$3
+
+if [ -z "$PROFILE" ]
+then
+ PROFILE=$(grep -E '^\bprofile\b *' *tfvars| sed -e 's/^.*profile.* =//' -e 's/\"//g' -e 's/^ *//' | head -n 1)
+fi
+if [ -z "$PROFILE" ]
+then
+ echo "* unable to determine profile, please pass as argument 1"
+ exit 1
+else
+ echo "* using profile $PROFILE"
+fi
+
+if [ -z "$CLUSTER" ]
+then
+ CLUSTER=$(grep -E '^\bcluster_name\b *' settings.auto.tfvars| sed -e 's/^.*cluster_name.* =//' -e 's/\"//g' -e 's/^ *//' | head -n 1)
+fi
+if [ -z "$CLUSTER" ]
+then
+ echo "* unable to determine cluster name, please pass as argument 2"
+ exit 1
+else
+ echo "* using cluster $CLUSTER"
+fi
+
+ADMINROLE=$(terraform output role_cluster-admin-role_arn)
+if [ -z "$ADMINROLE" ]
+then
+ echo "* unable to determine cluster $CLUSTER admin role. Check that you are in the correct directory an terraform has been run"
+ exit 1
+fi
+
+if [ -z "$REGION" ]
+then
+ echo "* getting region from profile $PROFILE"
+ REGION=$(aws configure --profile $PROFILE get region)
+else
+ echo "* using region $REGION"
+fi
+
+NEWPROFILE="$PROFILE-eks-$CLUSTER"
+EXISTS=$(aws configure list-profiles | grep -c "^$NEWPROFILE$")
+
+if [ $EXISTS == 0 ]
+then
+ echo "* creating new configuration profile $NEWPROFILE for assume role $ADMINROLE"
+else
+ echo "* replacing configuration for profile $NEWPROFILE for assume role $ADMINROLE"
+fi
+echo ""
+
+( echo "aws configure set profile.$NEWPROFILE.source_profile $PROFILE" ; \
+ echo "aws configure set profile.$NEWPROFILE.region $REGION" ; \
+ echo "aws configure set profile.$NEWPROFILE.role_arn $ADMINROLE" ; \
+ echo "aws configure set profile.$NEWPROFILE.role_session_name $USER" ) | sh -x
+
+echo ""
+echo "* test with: aws --profile $NEWPROFILE sts get-caller-identity"
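Review bot: The `( echo "aws configure set profile.$NEWPROFILE.source_profile $PROFILE" ; ... ) | sh -x` block at the end of the script assembles shell source from PROFILE, CLUSTER, REGION and ADMINROLE — values read from `*tfvars`, `settings.auto.tfvars` and `terraform output` — and hands it unquoted to a second shell, so any shell metacharacter in those values is executed instead of being passed as an argument. Calling `aws configure set` directly with each expansion quoted removes the second interpreter and keeps every value a single argument; a `set -x`/`set +x` pair around the four calls preserves the command echo that `sh -x` provided. The same `| sh -x` construction closes examples/scripts/get-cluster-kubeconfig.sh in this commit and can be replaced the same way. Two smaller points in the same hunk: `if [ $EXISTS == 0 ]` and `aws configure --profile $PROFILE get region` leave expansions unquoted, and `grep -c "^$NEWPROFILE$"` treats the profile name as a regex where `grep -cxF -- "$NEWPROFILE"` matches it literally. If the Terraform in use prints outputs quoted (0.14 and later do), `ADMINROLE=$(terraform output -raw role_cluster-admin-role_arn)` avoids writing literal quote characters into role_arn.
```shell
# … unchanged: profile/cluster/region detection and the EXISTS check above …
echo ""

set -x
aws configure set "profile.$NEWPROFILE.source_profile" "$PROFILE"
aws configure set "profile.$NEWPROFILE.region" "$REGION"
aws configure set "profile.$NEWPROFILE.role_arn" "$ADMINROLE"
aws configure set "profile.$NEWPROFILE.role_session_name" "$USER"
set +x

echo ""
# … unchanged: final "test with" hint …
```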
diff --git a/examples/scripts/get-cluster-kubeconfig.sh b/examples/scripts/get-cluster-kubeconfig.sh
new file mode 100755
index 0000000..ac87277
--- /dev/null
+++ b/examples/scripts/get-cluster-kubeconfig.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+PROFILE=$1
+CLUSTER=$2
+REGION=$3
+
+if [ -z "$PROFILE" ]
+then
+ PROFILE=$(grep -E '^\bprofile\b *' *tfvars| sed -e 's/^.*profile.* =//' -e 's/\"//g' -e 's/^ *//' | head -n 1)
+fi
+if [ -z "$PROFILE" ]
+then
+ echo "* unable to determine profile, please pass as argument 1"
+ exit 1
+else
+ echo "* using profile $PROFILE"
+fi
+
+if [ -z "$CLUSTER" ]
+then
+ CLUSTER=$(grep -E '^\bcluster_name\b *' settings.auto.tfvars| sed -e 's/^.*cluster_name.* =//' -e 's/\"//g' -e 's/^ *//' | head -n 1)
+fi
+if [ -z "$CLUSTER" ]
+then
+ echo "* unable to determine cluster name, please pass as argument 2"
+ exit 1
+else
+ echo "* using cluster $CLUSTER"
+fi
+
+if [ -z "$REGION" ]
+then
+ echo "* getting region from profile $PROFILE"
+ REGION=$(aws configure --profile $PROFILE get region)
+else
+ echo "* using region $REGION"
+fi
+
+NEWPROFILE="$PROFILE-eks-$CLUSTER"
+EXISTS=$(aws configure list-profiles | grep -c "^$NEWPROFILE$")
+
+( echo "aws --profile $NEWPROFILE eks update-kubeconfig --name $CLUSTER --kubeconfig $CLUSTER.kube.config" ) | sh -x
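Review bot: `EXISTS=$(aws configure list-profiles | grep -c "^$NEWPROFILE$")` is assigned two lines from the end and never read, so the script goes on to call `eks update-kubeconfig` with a profile that may not have been created yet and the only failure signal comes from the aws CLI. Checking it gives a clear, early failure, e.g. `[ "$EXISTS" -gt 0 ] || { echo "* profile $NEWPROFILE not found; run create-iam-config.sh first" >&2; exit 1; }` — create-iam-config.sh is added in this same commit and is what creates that profile. The final line can then be `aws --profile "$NEWPROFILE" eks update-kubeconfig --name "$CLUSTER" --kubeconfig "$CLUSTER.kube.config"` run directly, with the expansions quoted, and `aws configure --profile $PROFILE get region` earlier in the file wants the same quoting.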