
This article explains how to give Cloudaware read-only access to Amazon EKS cluster resources so that Cloudaware can discover EKS resources automatically.

1. Check whether the aws-auth ConfigMap has already been applied to the cluster:

Code Block
kubectl describe configmap -n kube-system aws-auth

2. Download, edit, and apply the AWS authenticator configuration map.

a. Download the configuration map:

Code Block
curl -o aws-auth-cm.yaml https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/aws-auth-cm.yaml

b. Open the file in a text editor. Replace <ARN of instance role (not instance profile)> with the Amazon Resource Name (ARN) of the IAM role associated with your nodes, then save the file. Do not modify any other lines in this file.

...

If the ConfigMap already exists in the cluster, edit it in place instead:

Code Block
kubectl edit -n kube-system configmap/aws-auth

Sample ConfigMap:

Code Block
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-standard-wo-NodeInstanceRole-1WP3NUE3O6UCF
      username: system:node:{{EC2PrivateDNSName}}
kind: ConfigMap
metadata:
  creationTimestamp: "2020-09-30T21:09:18Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1021"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: dcc31de5-3838-11e8-af26-02e00430057c

3. Add the Cloudaware IAM role to the ConfigMap.

a. To locate the Cloudaware IAM role ARN, log in to your Cloudaware account → Admin (under your username in the upper right corner) → Amazon accounts → locate the AWS account where access to EKS should be granted → click SEE ALL in the 'Connected Identities' column:

b. To add an IAM role (for example, for federated users), add the role details to the mapRoles section of the ConfigMap, under data. If that section does not already exist in the file, use the block below:

Code Block
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:masters
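
The mapping above places the Cloudaware role in system:masters, which is full cluster-admin rather than the read-only access the article sets out to grant. The following manifest is an added example, not part of the original article or of Cloudaware's documented setup: it binds the same role to a custom group that only has get, list and watch on the API resources an inventory tool typically reads, and maps the role to that group instead of system:masters. The group name cloudaware:viewers, the Kubernetes username cloudaware and the resource list are assumptions; <CLOUDAWARE_ROLE_ARN> is the ARN from the Cloudaware Admin page. Apply the ClusterRole and ClusterRoleBinding before editing aws-auth so the role never holds elevated access.

```yaml
# Added example: least-privilege alternative to mapping the Cloudaware role to system:masters.
# Assumptions (not from the original article): group name "cloudaware:viewers",
# Kubernetes username "cloudaware", and the resource list below. Adjust the list to
# the resource kinds Cloudaware actually needs to inventory.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudaware-viewer
rules:
  # Core API resources; secrets and configmaps are deliberately omitted.
  - apiGroups: [""]
    resources: ["namespaces", "nodes", "pods", "services", "persistentvolumes", "persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "statefulsets", "replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "networkpolicies"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cloudaware-viewer
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: cloudaware:viewers
---
# aws-auth mapRoles entry for the Cloudaware role: same ARN as in the article,
# but mapped to the read-only group rather than system:masters. Keep the existing
# node role entry (the one using system:nodes) in mapRoles; this block shows only
# the Cloudaware entry and must be merged into the ConfigMap, not used to replace it.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <CLOUDAWARE_ROLE_ARN>
      username: cloudaware
      groups:
        - cloudaware:viewers
```

After applying the manifest and editing aws-auth, confirm the effective permissions from a cluster-admin context with kubectl auth can-i, impersonating the mapped identity: `kubectl auth can-i list pods --as=cloudaware --as-group=cloudaware:viewers` should answer yes, while `kubectl auth can-i delete pods --as=cloudaware --as-group=cloudaware:viewers` and `kubectl auth can-i get secrets --as=cloudaware --as-group=cloudaware:viewers` should both answer no. Whichever mapping you choose, overwriting aws-auth with a file that contains only the Cloudaware entry removes the node instance role mapping and takes worker nodes out of the cluster, so always merge new entries into the existing mapRoles list.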

...