Migrating existing aws-auth ConfigMap entries to access entries
If you’ve added entries to the aws-auth ConfigMap on your cluster, we recommend that you create access entries for the existing entries in your aws-auth ConfigMap. After creating the access entries, you can remove the entries from your ConfigMap. You can’t associate access policies with entries in the aws-auth ConfigMap. If you want to associate access policies with your IAM principals, create access entries.
Important
Don’t remove existing aws-auth ConfigMap entries that were created by Amazon EKS when you added a managed node group or a Fargate profile to your cluster. If you remove entries that Amazon EKS created in the ConfigMap, your cluster won’t function properly. You can, however, remove any entries for self-managed node groups after you’ve created access entries for them.
Prerequisites
- Familiarity with access entries and access policies. For more information, see Grant IAM users access to Kubernetes with EKS access entries and Associate access policies with access entries.
- An existing cluster with a platform version that is at or later than the versions listed in the Prerequisites of the Grant IAM users access to Kubernetes with EKS access entries topic.
- Version 0.194.0 or later of the eksctl command line tool installed on your device or AWS CloudShell. To install or update eksctl, see Installation in the eksctl documentation.
- Kubernetes permissions to modify the aws-auth ConfigMap in the kube-system namespace.
- An AWS Identity and Access Management role or user with the following permissions: CreateAccessEntry and ListAccessEntries. For more information, see Actions defined by Amazon Elastic Kubernetes Service in the Service Authorization Reference.
- View the existing entries in your aws-auth ConfigMap. Replace my-cluster with the name of your cluster.

      eksctl get iamidentitymapping --cluster my-cluster

  An example output is as follows.

      ARN                                                                 USERNAME                           GROUPS                                                  ACCOUNT
      arn:aws:iam::111122223333:role/EKS-my-cluster-Admins                Admins                             system:masters
      arn:aws:iam::111122223333:role/EKS-my-cluster-my-namespace-Viewers  my-namespace-Viewers               Viewers
      arn:aws:iam::111122223333:role/EKS-my-cluster-self-managed-ng-1     system:node:{{EC2PrivateDNSName}}  system:bootstrappers,system:nodes
      arn:aws:iam::111122223333:user/my-user                              my-user
      arn:aws:iam::111122223333:role/EKS-my-cluster-fargateprofile1       system:node:{{SessionName}}        system:bootstrappers,system:nodes,system:node-proxier
      arn:aws:iam::111122223333:role/EKS-my-cluster-managed-ng            system:node:{{EC2PrivateDNSName}}  system:bootstrappers,system:nodes
- Create access entries for any of the ConfigMap entries that you created, as returned in the previous output. When creating the access entries, make sure to specify the same values for ARN, USERNAME, GROUPS, and ACCOUNT that were returned in your output. In the example output, you would create access entries for all entries except the last two, since those entries were created by Amazon EKS for a Fargate profile and a managed node group.
- Delete the entries from the ConfigMap for any access entries that you created. If you don’t delete the entry from the ConfigMap, the settings for the access entry for the IAM principal ARN override the ConfigMap entry. Replace 111122223333 with your AWS account ID and EKS-my-cluster-my-namespace-Viewers with the name of the role in the entry in your ConfigMap. If the entry you’re removing is for an IAM user, rather than an IAM role, replace role with user and EKS-my-cluster-my-namespace-Viewers with the user name.

      eksctl delete iamidentitymapping --arn arn:aws:iam::111122223333:role/EKS-my-cluster-my-namespace-Viewers --cluster my-cluster
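As an added example that is not part of this page, of eksctl, or of the AWS CLI, the following shell script turns the output of the first step into a dry-run plan for the second and third steps. It assumes the cluster name my-cluster, treats the two role ARNs that Amazon EKS created in the example output (the Fargate profile and the managed node group) as the ones to keep, and assumes Linux nodes; it prints the aws eks create-access-entry and eksctl delete iamidentitymapping commands rather than running them. It also handles two edge cases a practitioner hits during this migration: mappings created by Amazon EKS are reported but never scheduled for deletion, and groups that start with system: (such as system:masters) are not copied into the access entry because access entries don’t accept them; for system:masters the plan instead associates the AmazonEKSClusterAdminPolicy access policy.

```shell
#!/bin/sh
# Added example, not part of the AWS documentation: build a dry-run plan
# that turns `eksctl get iamidentitymapping` output into access-entry
# commands and skips the mappings Amazon EKS created itself. The ARNs are
# the page's constructed sample values; the cluster name, the list of
# EKS-created role ARNs and the "Linux nodes only" assumption are ours.
CLUSTER="my-cluster"

# Role ARNs that Amazon EKS added to aws-auth (managed node group node role,
# Fargate pod execution role). Assumed here; on a real cluster collect them with
#   aws eks describe-nodegroup --cluster-name ... --nodegroup-name ... --query nodegroup.nodeRole
#   aws eks describe-fargate-profile --cluster-name ... --fargate-profile-name ... --query fargateProfile.podExecutionRoleArn
EKS_MANAGED_ARNS="arn:aws:iam::111122223333:role/EKS-my-cluster-fargateprofile1
arn:aws:iam::111122223333:role/EKS-my-cluster-managed-ng"

# Constructed copy of the page's example output, header row removed.
SAMPLE_MAPPINGS="arn:aws:iam::111122223333:role/EKS-my-cluster-Admins Admins system:masters
arn:aws:iam::111122223333:role/EKS-my-cluster-my-namespace-Viewers my-namespace-Viewers Viewers
arn:aws:iam::111122223333:role/EKS-my-cluster-self-managed-ng-1 system:node:{{EC2PrivateDNSName}} system:bootstrappers,system:nodes
arn:aws:iam::111122223333:user/my-user my-user
arn:aws:iam::111122223333:role/EKS-my-cluster-fargateprofile1 system:node:{{SessionName}} system:bootstrappers,system:nodes,system:node-proxier
arn:aws:iam::111122223333:role/EKS-my-cluster-managed-ng system:node:{{EC2PrivateDNSName}} system:bootstrappers,system:nodes"

# Exit 0 when $1 is one of the ARNs whose mapping Amazon EKS created.
is_eks_managed() {
    printf '%s\n' "$EKS_MANAGED_ARNS" | grep -qxF -- "$1"
}

# Convert a comma-separated GROUPS value into the space-separated list that
# --kubernetes-groups expects, dropping names that start with "system:":
# access entries reject those, so system:masters is not copied over.
strip_system_groups() {
    out=""
    for g in $(printf '%s\n' "$1" | tr ',' ' '); do
        case "$g" in
            system:*) ;;
            *) out="${out:+$out }$g" ;;
        esac
    done
    printf '%s' "$out"
}

# Read mapping rows (ARN USERNAME GROUPS ACCOUNT) from stdin and print the
# commands to run; nothing here calls AWS.
plan_migration() {
    while read -r arn username groups _account; do
        [ -n "$arn" ] && [ "$arn" != "ARN" ] || continue   # skip blanks and the header
        if is_eks_managed "$arn"; then
            echo "# keep (created by Amazon EKS, do not delete): $arn"
            continue
        fi
        case "$username" in
            system:node:*)
                # Self-managed node role. EC2_LINUX entries take no username or
                # groups; EKS supplies the node identity. Windows nodes would need EC2_WINDOWS.
                echo "aws eks create-access-entry --cluster-name $CLUSTER --principal-arn $arn --type EC2_LINUX"
                ;;
            *)
                cmd="aws eks create-access-entry --cluster-name $CLUSTER --principal-arn $arn --type STANDARD --username $username"
                kgroups=$(strip_system_groups "$groups")
                [ -n "$kgroups" ] && cmd="$cmd --kubernetes-groups $kgroups"
                echo "$cmd"
                case ",$groups," in
                    *,system:masters,*)
                        # Cluster-admin rights come from an access policy, not a group.
                        echo "aws eks associate-access-policy --cluster-name $CLUSTER --principal-arn $arn --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy --access-scope type=cluster"
                        ;;
                esac
                ;;
        esac
        # Remove the aws-auth mapping only after its access entry exists.
        echo "eksctl delete iamidentitymapping --cluster $CLUSTER --arn $arn"
    done
}

# Print the plan for the constructed sample.
printf '%s\n' "$SAMPLE_MAPPINGS" | plan_migration
```

Run the script as-is to see the plan for the sample; to plan a real migration, pipe the output of eksctl get iamidentitymapping into plan_migration and replace EKS_MANAGED_ARNS with the node role and pod execution role ARNs from your cluster. Review the printed commands, run the create-access-entry lines first, confirm the entries with aws eks list-access-entries --cluster-name my-cluster, and only then run the delete lines.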