AWS EKS Lost access to cluster
Question
After updating the config-map with kubectl, anyone can't access to the cluster. I tried with several users and trying to switching the role, but with no luck. I read similar case here but:
- As one comment states, I get a token from another service, but that token hasn't the permissions to update the config-map in kube-system namespace
- I'm trying to login as the root user, but I'm not able to find the user creator, I tried with some existing user, but it continues to give me access denied. How can I find the arn of the user creator?
I don't know if there's some other solutions. Any help would be appreciated.
UPDATE
After spend several days facing the issue I didn't find any solution, I resolved opening a ticket support to AWS. They told me the cluster's owner and fixed the config-map (take in consideration that the IT support will not resolve the issue immediately).
3 answers
solution1
1 2021-10-14 09:49:42
如果归结为找出您用于创建集群的 IAM 用户/角色,那么一些用户通过在CloudTrail 日志中搜索CreateCluster操作很幸运。
solution2
1 2022-05-23 22:22:42
As stated in your update, cloudtrail will not have the cluster creator if the EKS cluster is >90 days old.
Preferably, you used an IAM role (instead of a user) to create the cluster. If you're using an IAM user to create the cluster, it's your responsibility to keep track of the IAM user's ARN in the event that access for all other roles is lost.
To restore access to the cluster, you would need to recreate the cluster creator's IAM user, gain access to it, and restore the aws-auth configmap using that user's access keys.
solution3
0 2022-04-01 14:00:40
aws eks describe-cluster should give you the ARN of the creator under "roleArn".
Source: https://docs.aws.amazon.com/cli/latest/reference/eks/describe-cluster.html
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.