This assumes you have downloaded and installed the eksctl CLI. If not, check out my article on downloading the eksctl CLI.
Both the AWS CLI and the eksctl CLI can be used to list your Elastic Kubernetes Service (EKS) Clusters.
- aws eks list-clusters
- eksctl get clusters (this article)
The eksctl get clusters command can be used to list your Elastic Kubernetes Service (EKS) Clusters.
~]$ eksctl get clusters
NAME REGION EKSCTL CREATED
my-cluster-1 us-east-1 True
my-cluster-2 us-east-1 False
This will use the default profile in your hidden AWS credentials file (e.g. /home/john.doe/.aws/credentials). For example, if your hidden AWS credentials file has the following, the default credential would be used.
~]$ cat /home/john.doe/.aws/credentials
[default]
aws_secret_access_key = ABCDEFG123456789ABCDEFG123456789ABCDEFG12
aws_access_key_id = ABCDEFG123456789ABCD
Or, the --profile flag could be used to use some other profile in your hidden AWS credentials file.
~]$ eksctl get clusters --profile johndoe
NAME REGION EKSCTL CREATED
my-cluster-1 us-east-1 True
my-cluster-2 us-east-1 False
And then the eksctl get iamidentitymapping command can be used to list the roles and users in the aws-auth Config Map in the EKS Cluster.
~]$ eksctl get iamidentitymapping --cluster my-cluster
ARN USERNAME GROUPS ACCOUNT
arn:aws:iam::123456789012:role/my-role system:node:{{EC2PrivateDNSName}} system:bootstrappers,system:nodes
arn:aws:iam::123456789012:user/johndoe johndoe
This is basically displaying the mapUsers and mapRoles in the aws-auth Config Map.
{
  "kind": "ConfigMap",
  "apiVersion": "v1",
  "metadata": {
    "name": "aws-auth",
    "namespace": "kube-system"
  },
  "data": {
    "mapRoles": "- groups:\n  - system:bootstrappers\n  - system:nodes\n  rolearn: arn:aws:iam::123456789012:role/my-cluster-node\n  username: system:node:{{EC2PrivateDNSName}}\n",
    "mapUsers": "- userarn: arn:aws:iam::123456789012:user/johndoe\n  username: johndoe\n"
  }
}
The eksctl delete iamidentitymapping command can be used to remove users and roles from the aws-auth Config Map.
~]# eksctl delete iamidentitymapping --cluster my-cluster --region us-east-1 --arn arn:aws:iam::123456789012:user/johndoe
2023-11-03 06:27:41 [ℹ] removing identity "arn:aws:iam::123456789012:user/johndoe" from auth ConfigMap (username = "johndoe", groups = [])
The eksctl get iamidentitymapping command should now show that the user or role is no longer listed.
~]$ eksctl get iamidentitymapping --cluster my-cluster
ARN USERNAME GROUPS ACCOUNT
arn:aws:iam::123456789012:role/my-role system:node:{{EC2PrivateDNSName}} system:bootstrappers,system:nodes
And likewise, the aws-auth Config Map should also no longer have the user or role that you removed.
{
  "kind": "ConfigMap",
  "apiVersion": "v1",
  "metadata": {
    "name": "aws-auth",
    "namespace": "kube-system"
  },
  "data": {
    "mapRoles": "- groups:\n  - system:bootstrappers\n  - system:nodes\n  rolearn: arn:aws:iam::123456789012:role/my-cluster-node\n  username: system:node:{{EC2PrivateDNSName}}\n"
  }
}
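The before-and-after check described above can be scripted. The following is an added example, not part of the original article or of eksctl: it compares two captured eksctl get iamidentitymapping tables and succeeds only if the intended ARN is the sole difference, so an identity that is still mapped or an unrelated change to aws-auth is caught. The function names and the two sample listings are assumptions constructed for illustration.

```sh
# Constructed sample listings, modelled on the eksctl output shown in this
# article. In practice, capture the real table before and after the delete.
BEFORE='ARN USERNAME GROUPS ACCOUNT
arn:aws:iam::123456789012:role/my-role system:node:{{EC2PrivateDNSName}} system:bootstrappers,system:nodes
arn:aws:iam::123456789012:user/johndoe johndoe'

AFTER='ARN USERNAME GROUPS ACCOUNT
arn:aws:iam::123456789012:role/my-role system:node:{{EC2PrivateDNSName}} system:bootstrappers,system:nodes'

# diff_mappings BEFORE AFTER (hypothetical helper): print one
# "removed ARN|USERNAME|GROUPS" or "added ARN|USERNAME|GROUPS" line per
# mapping that differs. Header and blank rows are skipped because only rows
# whose first column starts with "arn:" are considered.
diff_mappings() {
  { printf '%s\n' "$1" | sed 's/^/B /'; printf '%s\n' "$2" | sed 's/^/A /'; } |
  awk '$2 ~ /^arn:/ {
         key = $2 "|" $3 "|" $4
         if ($1 == "B") before[key] = 1; else after[key] = 1
       }
       END {
         for (k in before) if (!(k in after)) print "removed " k
         for (k in after) if (!(k in before)) print "added " k
       }' | sort
}

# verify_removal BEFORE AFTER ARN (hypothetical helper): return 0 only if ARN
# was removed and nothing else in the identity mappings changed.
verify_removal() {
  changes=$(diff_mappings "$1" "$2")
  if ! printf '%s\n' "$changes" | grep -qF "removed $3|"; then
    echo "FAIL: $3 is still mapped (or was never mapped)"
    return 1
  fi
  # Any line other than the expected removal is an unrelated change.
  unexpected=$(printf '%s\n' "$changes" | grep -vF "removed $3|" || true)
  if [ -n "$unexpected" ]; then
    echo "FAIL: unexpected changes to aws-auth:"
    echo "$unexpected"
    return 1
  fi
  echo "OK: only $3 was removed"
}

verify_removal "$BEFORE" "$AFTER" "arn:aws:iam::123456789012:user/johndoe"
```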