Migrating existing aws-auth ConfigMap entries to access entries - Amazon EKS

If you’ve added entries to the aws-auth ConfigMap on your cluster, we recommend that you create access entries for the existing entries in your aws-auth ConfigMap. After creating the access entries, you can remove the entries from your ConfigMap. You can’t associate access policies with entries in the aws-auth ConfigMap. If you want to associate access policies with your IAM principals, create access entries.

Important

Don’t remove existing aws-auth ConfigMap entries that were created by Amazon EKS when you added a managed node group or a Fargate profile to your cluster. If you remove entries that Amazon EKS created in the ConfigMap, your cluster won’t function properly. You can, however, remove any entries for self-managed node groups after you’ve created access entries for them.

Prerequisites

eksctl

  1. View the existing entries in your aws-auth ConfigMap. Replace my-cluster with the name of your cluster.

    eksctl get iamidentitymapping --cluster my-cluster

    An example output is as follows.

    ARN                                                                                             USERNAME                                GROUPS                                                  ACCOUNT
    arn:aws-cn:iam::111122223333:role/EKS-my-cluster-Admins                                            Admins                                  system:masters
    arn:aws-cn:iam::111122223333:role/EKS-my-cluster-my-namespace-Viewers                              my-namespace-Viewers                    Viewers
    arn:aws-cn:iam::111122223333:role/EKS-my-cluster-self-managed-ng-1                                 system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes
    arn:aws-cn:iam::111122223333:user/my-user                                                          my-user
    arn:aws-cn:iam::111122223333:role/EKS-my-cluster-fargateprofile1                                   system:node:{{SessionName}}             system:bootstrappers,system:nodes,system:node-proxier
    arn:aws-cn:iam::111122223333:role/EKS-my-cluster-managed-ng                                        system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes
  2. Create access entries for the ConfigMap entries that you created and that appear in the previous output. When creating the access entries, make sure to specify the same values for ARN, USERNAME, GROUPS, and ACCOUNT that were returned in your output. In the example output, you would create access entries for all entries except the last two, since those entries were created by Amazon EKS for a Fargate profile and a managed node group.

  3. Delete the entries from the ConfigMap for any access entries that you created. If you don’t delete the entry from the ConfigMap, the settings for the access entry for the IAM principal ARN override the ConfigMap entry. Replace 111122223333 with your Amazon account ID and EKS-my-cluster-my-namespace-Viewers with the name of the role in the entry in your ConfigMap. If the entry you’re removing is for an IAM user, rather than an IAM role, replace role with user and EKS-my-cluster-my-namespace-Viewers with the user name.

    eksctl delete iamidentitymapping --arn arn:aws-cn:iam::111122223333:role/EKS-my-cluster-my-namespace-Viewers --cluster my-cluster
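The following shell script is an added example, not part of the EKS documentation, that works through steps 2 and 3 on the sample output from step 1. It prints the `aws eks create-access-entry`, `aws eks associate-access-policy`, and `eksctl delete iamidentitymapping` commands for review instead of running them, so it runs offline. Its assumptions: `SAMPLE_MAPPINGS` is the step 1 table with the header removed; `EKS_OWNED_ARNS` is a constructed list of the two roles Amazon EKS created (on a real cluster, take the nodeRole from `aws eks describe-nodegroup` and the podExecutionRoleArn from `aws eks describe-fargate-profile`); the self-managed node role gets the `EC2_LINUX` access entry type (use `EC2_WINDOWS` for Windows nodes); and the access policy ARN uses the same partition as the principal ARN. It also handles two cases that step 2 does not spell out: access entries reject Kubernetes groups that start with `system:`, so the `system:masters` mapping becomes an entry with the `AmazonEKSClusterAdminPolicy` associated at cluster scope, and a node mapping becomes a node-type entry, which takes no username or groups.

```shell
#!/bin/sh
# Added example (not from the EKS documentation): plan the migration of
# aws-auth identity mappings to access entries. Nothing here calls AWS; it
# prints the commands for review, one mapping at a time.

# Constructed sample: the table from `eksctl get iamidentitymapping` for the
# page's cluster with its header removed (ARN USERNAME GROUPS; ACCOUNT empty).
SAMPLE_MAPPINGS='arn:aws-cn:iam::111122223333:role/EKS-my-cluster-Admins Admins system:masters
arn:aws-cn:iam::111122223333:role/EKS-my-cluster-my-namespace-Viewers my-namespace-Viewers Viewers
arn:aws-cn:iam::111122223333:role/EKS-my-cluster-self-managed-ng-1 system:node:{{EC2PrivateDNSName}} system:bootstrappers,system:nodes
arn:aws-cn:iam::111122223333:user/my-user my-user
arn:aws-cn:iam::111122223333:role/EKS-my-cluster-fargateprofile1 system:node:{{SessionName}} system:bootstrappers,system:nodes,system:node-proxier
arn:aws-cn:iam::111122223333:role/EKS-my-cluster-managed-ng system:node:{{EC2PrivateDNSName}} system:bootstrappers,system:nodes'

# Assumption: roles that Amazon EKS created for a managed node group and a
# Fargate profile (constructed from the sample). Their ConfigMap entries must
# stay, as the Important note above says.
EKS_OWNED_ARNS='arn:aws-cn:iam::111122223333:role/EKS-my-cluster-fargateprofile1
arn:aws-cn:iam::111122223333:role/EKS-my-cluster-managed-ng'

# classify_mapping ARN USERNAME GROUPS
# Prints one of: eks-owned | node | cluster-admin | standard
classify_mapping() {
  arn=$1; user=$2; groups=$3
  if printf '%s\n' "$EKS_OWNED_ARNS" | grep -qxF -- "$arn"; then
    echo eks-owned; return
  fi
  case "$user" in
    system:node:*) echo node; return ;;          # node mapping, needs a node type
  esac
  case ",$groups," in
    *,system:masters,*) echo cluster-admin; return ;;  # system: groups are rejected
  esac
  echo standard
}

# plan_access_entry CLUSTER ARN USERNAME GROUPS
# Prints the commands for one mapping: create the access entry (and associate
# a policy where needed), then delete the ConfigMap mapping (step 3).
plan_access_entry() {
  cluster=$1; arn=$2; user=$3; groups=$4
  partition=${arn#arn:}; partition=${partition%%:*}   # e.g. aws or aws-cn
  case "$(classify_mapping "$arn" "$user" "$groups")" in
    eks-owned)
      echo "# keep ConfigMap entry for $arn (created by Amazon EKS)" ;;
    node)
      # Assumption: Linux nodes. Node types take no --username or
      # --kubernetes-groups; EKS assigns the node identity itself.
      echo "aws eks create-access-entry --cluster-name $cluster --principal-arn $arn --type EC2_LINUX"
      echo "eksctl delete iamidentitymapping --cluster $cluster --arn $arn" ;;
    cluster-admin)
      # system:masters cannot be a group on an access entry; grant cluster
      # admin through the managed access policy instead (partition assumed
      # to match the principal's).
      echo "aws eks create-access-entry --cluster-name $cluster --principal-arn $arn --username $user"
      echo "aws eks associate-access-policy --cluster-name $cluster --principal-arn $arn --policy-arn arn:$partition:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy --access-scope type=cluster"
      echo "eksctl delete iamidentitymapping --cluster $cluster --arn $arn" ;;
    standard)
      cmd="aws eks create-access-entry --cluster-name $cluster --principal-arn $arn --username $user"
      if [ -n "$groups" ]; then
        case "$groups" in
          *system:*) echo "# WARNING: $arn maps to a system: group; access entries reject such groups, use an access policy" ;;
        esac
        cmd="$cmd --kubernetes-groups $(printf '%s' "$groups" | tr , ' ')"
      fi
      echo "$cmd"
      echo "eksctl delete iamidentitymapping --cluster $cluster --arn $arn" ;;
  esac
}

# plan_migration CLUSTER
# Reads "ARN USERNAME GROUPS [ACCOUNT]" lines on stdin and prints the plan.
plan_migration() {
  cluster=$1
  while read -r arn user groups _; do
    [ -n "$arn" ] || continue
    plan_access_entry "$cluster" "$arn" "$user" "$groups"
  done
}

printf '%s\n' "$SAMPLE_MAPPINGS" | plan_migration my-cluster
```

Against a live cluster, feed the script the real table with `eksctl get iamidentitymapping --cluster my-cluster | tail -n +2 | plan_migration my-cluster`, review the printed commands, and run them in the printed order: create the entry, associate the policy where one is printed, and only then delete the ConfigMap mapping, since an access entry overrides a ConfigMap entry for the same principal while both exist. Afterwards, `aws eks list-access-entries --cluster-name my-cluster` should list every migrated principal.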