Migrating existing aws-auth ConfigMap entries to access entries
If you've added entries to the aws-auth ConfigMap on your cluster, we recommend that you create access entries for the existing entries in your aws-auth ConfigMap. After creating the access entries, you can remove the entries from your ConfigMap. You can't associate access policies to entries in the aws-auth ConfigMap. If you want to associate access policies to your IAM principals, create access entries.
Important
Don't remove existing aws-auth ConfigMap entries that were created by Amazon EKS when you added a managed node group or a Fargate profile to your cluster. If you remove entries that Amazon EKS created in the ConfigMap, your cluster won't function properly. You can, however, remove any entries for self-managed node groups after you've created access entries for them.
Prerequisites
- Familiarity with access entries and access policies. For more information, see Grant IAM users access to Kubernetes with EKS access entries and Associating and disassociating access policies to and from access entries.
- An existing cluster with a platform version that is at or later than the versions listed in the Prerequisites of the Allowing IAM roles or users access to Kubernetes objects on your Amazon EKS cluster topic.
- Version 0.184.0 or later of the eksctl command line tool installed on your device or AWS CloudShell. To install or update eksctl, see Installation in the eksctl documentation.
- Kubernetes permissions to modify the aws-auth ConfigMap in the kube-system namespace.
- An AWS Identity and Access Management role or user with the following permissions: CreateAccessEntry and ListAccessEntries. For more information, see Actions defined by Amazon Elastic Kubernetes Service in the Service Authorization Reference.
To migrate an entry from your aws-auth ConfigMap to an access entry
- View the existing entries in your aws-auth ConfigMap. Replace my-cluster with the name of your cluster.

    eksctl get iamidentitymapping --cluster my-cluster

  An example output is as follows.

    ARN                                                                 USERNAME                           GROUPS                                                 ACCOUNT
    arn:aws:iam::111122223333:role/EKS-my-cluster-Admins                Admins                             system:masters
    arn:aws:iam::111122223333:role/EKS-my-cluster-my-namespace-Viewers  my-namespace-Viewers               Viewers
    arn:aws:iam::111122223333:role/EKS-my-cluster-self-managed-ng-1     system:node:{{EC2PrivateDNSName}}  system:bootstrappers,system:nodes
    arn:aws:iam::111122223333:user/my-user                              my-user
    arn:aws:iam::111122223333:role/EKS-my-cluster-fargateprofile1       system:node:{{SessionName}}        system:bootstrappers,system:nodes,system:node-proxier
    arn:aws:iam::111122223333:role/EKS-my-cluster-managed-ng            system:node:{{EC2PrivateDNSName}}  system:bootstrappers,system:nodes

- Create access entries for any of the ConfigMap entries that you created and that were returned in the previous output. When creating the access entries, make sure to specify the same values for ARN, USERNAME, GROUPS, and ACCOUNT returned in your output. In the example output, you would create access entries for all entries except the last two, since those entries were created by Amazon EKS for a Fargate profile and a managed node group.
- Delete the entries from the ConfigMap for any access entries that you created. If you don't delete the entry from the ConfigMap, the settings for the access entry for the IAM principal ARN override the ConfigMap entry. Replace 111122223333 with your AWS account ID and EKS-my-cluster-my-namespace-Viewers with the name of the role in the entry in your ConfigMap. If the entry you're removing is for an IAM user, rather than an IAM role, replace role with user and EKS-my-cluster-my-namespace-Viewers with the user name.

    eksctl delete iamidentitymapping --arn arn:aws:iam::111122223333:role/EKS-my-cluster-my-namespace-Viewers --cluster my-cluster
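The three steps above as an added example that is not part of the AWS documentation: a shell script that turns the eksctl get iamidentitymapping output into a dry-run plan, printing the create and delete commands for review and marking the Amazon EKS-created entries as ones to keep. It assumes you have already collected the role ARNs that Amazon EKS created for managed node groups and Fargate profiles (a mapping line alone cannot tell a managed node group from a self-managed one), it uses the AWS CLI aws eks create-access-entry and associate-access-policy commands for the create step, and the sample output and ARN list are constructed.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: turn `eksctl get iamidentitymapping` output
# into a dry-run migration plan. Nothing here calls AWS; it only prints commands for review.

# Constructed sample output in the shape of the page's example (placeholder account ID).
SAMPLE_MAPPINGS='ARN                                                                 USERNAME                           GROUPS                                                 ACCOUNT
arn:aws:iam::111122223333:role/EKS-my-cluster-Admins                Admins                             system:masters
arn:aws:iam::111122223333:role/EKS-my-cluster-my-namespace-Viewers  my-namespace-Viewers               Viewers
arn:aws:iam::111122223333:role/EKS-my-cluster-self-managed-ng-1     system:node:{{EC2PrivateDNSName}}  system:bootstrappers,system:nodes
arn:aws:iam::111122223333:user/my-user                              my-user
arn:aws:iam::111122223333:role/EKS-my-cluster-fargateprofile1       system:node:{{SessionName}}        system:bootstrappers,system:nodes,system:node-proxier
arn:aws:iam::111122223333:role/EKS-my-cluster-managed-ng            system:node:{{EC2PrivateDNSName}}  system:bootstrappers,system:nodes'

# Role ARNs that Amazon EKS added itself (managed node groups, Fargate profiles). A mapping line
# cannot distinguish a managed node group from a self-managed one, so take this list from
# `aws eks describe-nodegroup` / `aws eks describe-fargate-profile`; here it is constructed.
EKS_MANAGED_ARNS='arn:aws:iam::111122223333:role/EKS-my-cluster-fargateprofile1,arn:aws:iam::111122223333:role/EKS-my-cluster-managed-ng'

# plan_migration CLUSTER EKS_MANAGED_ARNS   (mapping output on stdin, plan on stdout)
plan_migration() {
  awk -v cluster="$1" -v managed="$2" '
    BEGIN { n = split(managed, a, ","); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
    NR == 1 && $1 == "ARN" { next }                       # column header
    NF == 0 { next }
    {
      arn = $1; user = $2; groups = $3
      if (arn in keep) { print "KEEP " arn "  # created by Amazon EKS; leave it in aws-auth"; next }
      create = "aws eks create-access-entry --cluster-name " cluster " --principal-arn " arn
      if (("," groups ",") ~ /,system:nodes,/) {
        # Node roles get an EC2_LINUX entry; EKS supplies the system:node username and groups itself.
        create = create " --type EC2_LINUX"
      } else {
        if (user != "") create = create " --username " user
        if (groups == "system:masters") {
          # Access entries reject system: groups; cluster-admin comes from an access policy instead.
          policy = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
          create = create "\naws eks associate-access-policy --cluster-name " cluster " --principal-arn " arn " --policy-arn " policy " --access-scope type=cluster"
        } else if (groups != "") {
          gsub(",", " ", groups)                           # CLI takes a space-separated list
          create = create " --kubernetes-groups " groups
        }
      }
      print create
      print "eksctl delete iamidentitymapping --cluster " cluster " --arn " arn
    }'
}

printf '%s\n' "$SAMPLE_MAPPINGS" | plan_migration my-cluster "$EKS_MANAGED_ARNS"
```

Review the printed plan before running any of it; the delete lines are only emitted for entries that also got a create line, so nothing Amazon EKS created is ever scheduled for removal.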