stuzzo

Reputation: 1066

AWS EKS Lost access to cluster

After updating the config-map with kubectl, no one can access the cluster. I tried with several users and tried switching the role, but with no luck. I read a similar case here but:

I don't know if there are other solutions. Any help would be appreciated.


UPDATE

After spending several days on the issue without finding a solution, I resolved it by opening a support ticket with AWS. They told me the cluster's owner and fixed the config-map (take into consideration that IT support will not resolve the issue immediately).

Upvotes: 0

Views: 2882

Answers (3)

conmanworknor

Reputation: 13

As stated in your update, CloudTrail will not have the cluster creator if the EKS cluster is >90 days old.

Preferably, you used an IAM role (instead of a user) to create the cluster. If you're using an IAM user to create the cluster, it's your responsibility to keep track of the IAM user's ARN in the event that access for all other roles is lost.

To restore access to the cluster, you would need to recreate the cluster creator's IAM user, gain access to it, and restore the aws-auth configmap using that user's access keys.

Upvotes: 1

ivoros

Reputation: 1

aws eks describe-cluster should give you the ARN of the creator under "roleArn".

Source: https://docs.aws.amazon.com/cli/latest/reference/eks/describe-cluster.html

Upvotes: -1

mreferre

Reputation: 6063

If it boils down to figuring out which IAM user/role you used to create the cluster, some users have had luck searching the CloudTrail logs for the CreateCluster operation.

Upvotes: 1
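
The CloudTrail search suggested in the answer above, as an added example that is not part of any answer on this page: it scans CloudTrail log records for successful EKS CreateCluster calls on a named cluster and reports the IAM principal behind each one. The sample records, account ID and names are constructed, and reading the cluster name from requestParameters.name is an assumption about the event layout.

```python
import json

# Constructed sample in the CloudTrail log-file layout ({"Records": [...]}).
# Account IDs, names and timestamps are made up for illustration.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2020-01-10T09:00:00Z", "eventSource": "eks.amazonaws.com",
     "eventName": "DescribeCluster",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "prod"}},
    {"eventTime": "2020-01-09T08:00:00Z", "eventSource": "eks.amazonaws.com",
     "eventName": "CreateCluster",
     "userIdentity": {
         "type": "AssumedRole",
         "arn": "arn:aws:sts::111122223333:assumed-role/ci-deployer/session-42",
         "sessionContext": {"sessionIssuer": {
             "type": "Role", "arn": "arn:aws:iam::111122223333:role/ci-deployer"}}},
     "requestParameters": {"name": "prod"}},
    {"eventTime": "2020-01-08T08:00:00Z", "eventSource": "eks.amazonaws.com",
     "eventName": "CreateCluster", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"name": "prod"}},
]})


def creator_principal(identity):
    """Return the IAM ARN behind a CloudTrail userIdentity block."""
    if identity.get("type") == "AssumedRole":
        # The sts assumed-role ARN is per-session; the issuing role is the lasting principal.
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("arn") or identity.get("arn")
    return identity.get("arn")


def find_cluster_creators(log_text, cluster_name):
    """List (eventTime, principal ARN) for successful CreateCluster calls."""
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "eks.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateCluster" or "errorCode" in rec:
            continue  # skip other API calls and failed attempts
        if (rec.get("requestParameters") or {}).get("name") != cluster_name:
            continue  # requestParameters.name as cluster name is an assumption
        hits.append((rec["eventTime"], creator_principal(rec.get("userIdentity", {}))))
    return sorted(hits)


if __name__ == "__main__":
    print(find_cluster_creators(SAMPLE_LOG, "prod"))
```

For clusters older than the 90-day window mentioned in the first answer, the same function can be pointed at archived trail log files, if a trail was delivering them to storage at the time.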
