Help improve this page
Want to contribute to this user guide? Scroll to the bottom of this page and select Edit this page on GitHub. Your contributions will help make our user guide better for everyone.
Migrating existing aws-auth ConfigMap entries
to access entries
If you've added entries to the aws-auth
ConfigMap on your cluster, we recommend that you create access entries for the
existing entries in your aws-auth
ConfigMap. After creating the access entries, you can remove the entries from
your ConfigMap. You can't associate access
policies to entries in the aws-auth
ConfigMap. If you want to associate access polices to your IAM principals,
create access entries.
Important
Don't remove existing aws-auth
ConfigMap entries that were created by Amazon EKS when you added a managed node group or a Fargate profile to your cluster. If you remove
entries that Amazon EKS created in the ConfigMap, your cluster won't function
properly. You can however, remove any entries for self-managed node groups after you've created access entries for
them.
Prerequisites
-
Familiarity with access entries and access policies. For more information, see Manage access entries and Associating and disassociating access policies to and from access entries.
-
An existing cluster with a platform version that is at or later than the versions listed in the Prerequisites of the Allowing IAM roles or users access to Kubernetes objects on your Amazon EKS cluster topic.
-
Version
0.183.0or later of theeksctlcommand line tool installed on your device or Amazon CloudShell. To install or updateeksctl, see Installationin the eksctldocumentation. -
Kubernetes permissions to modify the
aws-authConfigMapin thekube-systemnamespace. -
An Amazon Identity and Access Management role or user with the following permissions:
CreateAccessEntryandListAccessEntries. For more information, see Actions defined by Amazon Elastic Kubernetes Service in the Service Authorization Reference.
To migrate an entry from your aws-auth ConfigMap to an access
entry
-
View the existing entries in your
aws-auth ConfigMap. Replacemy-clusterwith the name of your cluster.eksctl get iamidentitymapping --clustermy-clusterAn example output is as follows.
ARN USERNAME GROUPS ACCOUNT arn:aws-cn:iam::111122223333:role/EKS-my-cluster-Admins Admins system:masters arn:aws-cn:iam::111122223333:role/EKS-my-cluster-my-namespace-Viewers my-namespace-Viewers Viewers arn:aws-cn:iam::111122223333:role/EKS-my-cluster-self-managed-ng-1 system:node:{{EC2PrivateDNSName}} system:bootstrappers,system:nodes arn:aws-cn:iam::111122223333:user/my-user my-user arn:aws-cn:iam::111122223333:role/EKS-my-cluster-fargateprofile1 system:node:{{SessionName}} system:bootstrappers,system:nodes,system:node-proxier arn:aws-cn:iam::111122223333:role/EKS-my-cluster-managed-ng system:node:{{EC2PrivateDNSName}} system:bootstrappers,system:nodes -
Create access entries for any of the
ConfigMapentries that you created returned in the previous output. When creating the access entries, make sure to specify the same values forARN,USERNAME,GROUPS, andACCOUNTreturned in your output. In the example output, you would create access entries for all entries except the last two entries, since those entries were created by Amazon EKS for a Fargate profile and a managed node group. -
Delete the entries from the
ConfigMapfor any access entries that you created. If you don't delete the entry from theConfigMap, the settings for the access entry for the IAM principal ARN override theConfigMapentry. Replace111122223333with your Amazon Web Services account ID andEKS-my-cluster-my-namespace-Viewerswith the name of the role in the entry in yourConfigMap. If the entry you're removing is for an IAM user, rather than an IAM role, replacerolewithuserandEKS-my-cluster-my-namespace-Viewerswith the user name.eksctl delete iamidentitymapping --arn arn:aws-cn:iam::111122223333:role/EKS-my-cluster-my-namespace-Viewers--clustermy-cluster