Bootstrap FreeKB - Amazon Web Services (AWS) Elastic Kubernetes Service (EKS) - Remove user or role from aws-auth Config Map using the eksctl CLI
Amazon Web Services (AWS) Elastic Kubernetes Service (EKS) - Remove user or role from aws-auth Config Map using the eksctl CLI
Updated:   |  Amazon Web Services (AWS) Elastic Kubernetes Service (EKS) articles

This assumes you have downloaded and installed the eksctl CLI. If not, check out my article download the eksctl CLI.

Both the AWS CLI and the eksctl CLI can be used to list your Elastic Kubernetes Service (EKS) Clusters.

The eksctl get clusters command can be used to list your Elastic Kubernetes Service (EKS) Clusters.

~]$ eksctl get clusters
NAME                REGION          EKSCTL CREATED
my-cluster-1        us-east-1       True
my-cluster-2        us-east-1       False

 

This will use the default profile in your hidden AWS credentials file (e.g. /home/john.doe/.aws/credentials). For example, if your hidden AWS credentials file has the following, the default credential would be used.

~]$ cat /home/john.doe/.aws/credentials 
[default]
aws_secret_access_key = ABCDEFG123456789ABCDEFG123456789ABCDEFG12
aws_access_key_id = ABCDEFG123456789ABCD

 

Or, the --profile flag could be used to use some other profile in your hidden AWS credentials file.

~]$ eksctl get clusters --profile johndoe
NAME                REGION          EKSCTL CREATED
my-cluster-1        us-east-1       True
my-cluster-2        us-east-1       False

 

And then the eksctl get iamidentitymapping command can be used to list the roles and users in the aws-auth Config Map in the EKS Cluster.

~]$ eksctl get iamidentitymapping --cluster my-cluster
ARN                                                             USERNAME                                GROUPS                                  ACCOUNT
arn:aws:iam::123456789012:role/my-role    system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes
arn:aws:iam::123456789012:user/johndoe                          johndoe

 

This is basically displaying the mapUsers and mapRoles in the aws-auth Config Map.

{
  "kind": "ConfigMap",
  "apiVersion": "v1",
  "metadata": {
    "name": "aws-auth",
    "namespace": "kube-system"
  },
  "data": {
    "mapRoles": "- groups:\n  - system:bootstrappers\n  - system:nodes\n  rolearn: arn:aws:iam::123456789012:role/my-cluster-node\n  username: system:node:{{EC2PrivateDNSName}}\n",
    "mapUsers": "- userarn: arn:aws:iam::123456789012:user/johndoe\n  username: johndoe\n"
  }
}

 

The eksctl delete iamidentitymapping command can be used to removed users and roles from the aws-auth Config Map.

~]# eksctl delete iamidentitymapping --cluster my-cluster --region us-east-1 --arn arn:aws:iam::123456789012:user/johndoe
2023-11-03 06:27:41 [ℹ]  removing identity "arn:aws:iam::123456789012:user/johndoe" from auth ConfigMap (username = "johndoe", groups = [])

 

Now the eksctl get iamidentitymapping command should now show that the user or role is no longer listed.

~]$ eksctl get iamidentitymapping --cluster my-cluster
ARN                                                             USERNAME                                GROUPS                                  ACCOUNT
arn:aws:iam::123456789012:role/my-role    system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes

 

And likewise, the aws-auth Config Map should also no longer have the user or role that you removed.

{
  "kind": "ConfigMap",
  "apiVersion": "v1",
  "metadata": {
    "name": "aws-auth",
    "namespace": "kube-system"
  },
  "data": {
    "mapRoles": "- groups:\n  - system:bootstrappers\n  - system:nodes\n  rolearn: arn:aws:iam::123456789012:role/my-cluster-node\n  username: system:node:{{EC2PrivateDNSName}}\n"
  }
}

Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee


Comments


Add a Comment


Please enter 9b5055 in the box below so that we can be sure you are a human.