
I accidentally broke my access to my EKS cluster by running the following command:

    eksctl create iamidentitymapping --cluster eks-ci --region eu-west-2 --profile eks-ci --arn arn:aws:iam::********:role/eks-ci-role --group developers --username test-eks-ci-user

The problem is that the cluster was created with an assumed role, so I cannot access my cluster at all to update the aws-auth ConfigMap back to normal.

I also found this answer: Mistakenly updated configmap aws-auth with rbac & lost access to the cluster

But unfortunately, I have no pods running with enough permissions to edit the configmap to normal...

Any idea how to fix this issue?

theplayer777
  • If you have complete access to your AWS account, you can assume the role with which you created the EKS cluster; that role will by default have access to the cluster. – Vishwas Karale Mar 05 '22 at 10:57

2 Answers


You can assume the role which created the cluster (cluster creator's role). Please follow this blog by AWS.


Sorry for the translation done with Google. My English fluency is poor.

If you broke the EKS aws-auth ConfigMap, it is very likely that you will no longer be able to access your cluster without AWS intervention.

I participated in a similar problem and to solve the case I had to rely on support from AWS support.

I created two new IAM roles (one for the cluster and the other for the worker nodes) by copying the ones I already had, then I opened a ticket with AWS and asked them to replace the roles with these new ones, as well as to reset the aws-auth ConfigMap, sending them a copy of the definition that was broken.

As I had Business support, the resolution of the case took less than 2 hours.

To prevent this issue from happening again, follow this recommendation: https://aws.github.io/aws-eks-best-practices/security/docs/iam/#use-tools-to-make-changes-to-the-aws-auth-configmap
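The linked recommendation boils down to never editing aws-auth by hand without a guard. The following is an added example (not code from the question, the answers, or the AWS best-practices guide) of such a pre-flight check, written in Python. It parses the `mapRoles` value as it comes back from `kubectl get cm aws-auth -n kube-system -o jsonpath='{.data.mapRoles}'`, models the append that `eksctl create iamidentitymapping` performs (an assumption about eksctl's behaviour, stated in the code), and refuses a change that leaves a role ARN mapped twice, removes the last `system:masters` mapping, or demotes a designated break-glass role. The account id, role names and the `CURRENT_MAP_ROLES` sample are constructed for the example; the check replays the command from the question against them and flags it.

```python
"""Pre-flight guard for edits to the EKS aws-auth ConfigMap's mapRoles value.

Added example, not part of the original post. Sample data below is constructed.
"""
from typing import Dict, List

# Constructed sample of data.mapRoles from a healthy aws-auth ConfigMap:
# the cluster-creator/CI role is the only system:masters mapping.
CURRENT_MAP_ROLES = """\
- rolearn: arn:aws:iam::111122223333:role/eks-ci-role
  username: eks-ci-role
  groups:
    - system:masters
- rolearn: arn:aws:iam::111122223333:role/eks-node-role
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
"""

BREAK_GLASS_ARN = "arn:aws:iam::111122223333:role/eks-ci-role"  # constructed


def parse_map_roles(text: str) -> List[Dict]:
    """Parse the restricted YAML subset used by mapRoles: a flat list of
    entries with rolearn / username / groups keys (no other nesting)."""
    entries: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- rolearn:"):
            current = {"rolearn": line.split(":", 1)[1].strip(),
                       "username": "", "groups": []}
            entries.append(current)
        elif current is None:
            raise ValueError(f"unexpected line before first entry: {raw!r}")
        elif line.startswith("username:"):
            current["username"] = line.split(":", 1)[1].strip()
        elif line.startswith("groups:"):
            continue
        elif line.startswith("- "):          # a group list item
            current["groups"].append(line[2:].strip())
        else:
            raise ValueError(f"unrecognised mapRoles line: {raw!r}")
    return entries


def append_identity_mapping(text: str, rolearn: str, username: str,
                            groups: List[str]) -> str:
    """Model of what `eksctl create iamidentitymapping` does to mapRoles:
    it appends a new entry rather than replacing an existing one for the
    same ARN (assumption about eksctl used for this example)."""
    block = f"- rolearn: {rolearn}\n  username: {username}\n  groups:\n"
    block += "".join(f"    - {g}\n" for g in groups)
    return text + block


def check_change(old_text: str, new_text: str, break_glass_arn: str) -> List[str]:
    """Return a list of reasons the proposed mapRoles must NOT be applied.
    An empty list means the change keeps an admin path into the cluster."""
    parse_map_roles(old_text)                # fail early if the current map is unparsable
    new = parse_map_roles(new_text)
    problems: List[str] = []

    # 1. The same ARN mapped more than once: which entry the authenticator
    #    honours is ambiguous, so treat it as a lockout risk.
    by_arn: Dict[str, List[Dict]] = {}
    for e in new:
        by_arn.setdefault(e["rolearn"], []).append(e)
    for arn, es in by_arn.items():
        if len(es) > 1:
            problems.append(f"duplicate mapping for {arn} ({len(es)} entries)")

    # 2. Nobody left with system:masters means nobody can repair the ConfigMap.
    if not any("system:masters" in e["groups"] for e in new):
        problems.append("no role mapped to system:masters remains")

    # 3. The designated break-glass role must keep full admin in every entry.
    bg = [e for e in new if e["rolearn"] == break_glass_arn]
    if not bg or not all("system:masters" in e["groups"] for e in bg):
        problems.append(f"break-glass role {break_glass_arn} is missing or demoted")
    return problems


def replay_question_command() -> List[str]:
    """Replay the eksctl command from the question (same ARN, new group)
    against the sample map and return what the guard would report."""
    proposed = append_identity_mapping(CURRENT_MAP_ROLES, BREAK_GLASS_ARN,
                                       "test-eks-ci-user", ["developers"])
    return check_change(CURRENT_MAP_ROLES, proposed, BREAK_GLASS_ARN)


if __name__ == "__main__":
    for p in replay_question_command():
        print("REFUSED:", p)
```

In practice the guard runs in the CI job or wrapper script that owns aws-auth: fetch the live `mapRoles`, compute the proposed value, call `check_change`, and only then apply; the backup of the old value taken at step one is what you restore from if a change still goes wrong.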