
Manage IAM users and roles

EKS clusters use IAM users and roles to control access to the cluster. The mapping between IAM identities and Kubernetes users and groups is stored in a config map called aws-auth. eksctl provides commands to read and edit this config map.

Get all identity mappings:

eksctl get iamidentitymapping --cluster <clusterName> --region=<region>

Get all identity mappings matching an arn:

eksctl get iamidentitymapping --cluster <clusterName> --region=<region> --arn arn:aws:iam::123456:role/testing-role

Create an identity mapping:

eksctl create iamidentitymapping --cluster <clusterName> --region=<region> --arn arn:aws:iam::123456:role/testing --group system:masters --username admin

Delete an identity mapping:

eksctl delete iamidentitymapping --cluster <clusterName> --region=<region> --arn arn:aws:iam::123456:role/testing


The command above deletes a single mapping, the first one found (FIFO), unless --all is given, in which case it removes every mapping that matches. It warns if further mappings matching this role remain.

Create an account mapping:

eksctl create iamidentitymapping --cluster <clusterName> --region=<region> --account user-account

Delete an account mapping:

eksctl delete iamidentitymapping --cluster <clusterName> --region=<region> --account user-account
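The following is an added example, not part of the eksctl docs or code base: it models the mapRoles entries of aws-auth as a Python list (the parsed form of the YAML list the commands above edit) and reproduces the get and delete semantics described on this page, plus an audit helper that lists every role mapped into system:masters. The sample data is constructed; the duplicate mapping for the testing role is there to show the FIFO-delete behaviour.

```python
"""Model of aws-auth mapRoles entries and the eksctl get/delete semantics."""
from typing import Dict, List, Tuple

# Constructed sample: parsed form of the mapRoles YAML list in aws-auth.
# The 'testing' role appears twice on purpose (see delete_mapping).
SAMPLE_MAP_ROLES: List[Dict] = [
    {"rolearn": "arn:aws:iam::123456:role/testing",
     "username": "admin", "groups": ["system:masters"]},
    {"rolearn": "arn:aws:iam::123456:role/node-instance",
     "username": "system:node:{{EC2PrivateDNSName}}",
     "groups": ["system:bootstrappers", "system:nodes"]},
    {"rolearn": "arn:aws:iam::123456:role/testing",
     "username": "ci", "groups": ["view"]},
]


def get_mappings(map_roles: List[Dict], arn: str) -> List[Dict]:
    """Equivalent of `eksctl get iamidentitymapping --arn <arn>`."""
    return [m for m in map_roles if m["rolearn"] == arn]


def delete_mapping(map_roles: List[Dict], arn: str,
                   delete_all: bool = False) -> Tuple[List[Dict], int]:
    """Remove the first matching entry (FIFO) unless delete_all is set,
    mirroring `eksctl delete iamidentitymapping [--all]`. Returns the new
    list and how many matching entries remain, so the caller can warn
    when that count is non-zero, as eksctl does."""
    if delete_all:
        kept = [m for m in map_roles if m["rolearn"] != arn]
    else:
        kept = list(map_roles)
        for i, m in enumerate(kept):
            if m["rolearn"] == arn:
                del kept[i]
                break
    leftover = sum(1 for m in kept if m["rolearn"] == arn)
    return kept, leftover


def cluster_admin_arns(map_roles: List[Dict]) -> List[str]:
    """Audit helper: every role mapped into system:masters is a full
    cluster admin, so this list should be short and known."""
    return sorted({m["rolearn"] for m in map_roles
                   if "system:masters" in m.get("groups", [])})


if __name__ == "__main__":
    kept, left = delete_mapping(SAMPLE_MAP_ROLES, "arn:aws:iam::123456:role/testing")
    if left:
        print(f"warning: {left} more mapping(s) for this role remain")
    print("cluster admins:", cluster_admin_arns(kept))
```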