Can I safely delete the aws-auth ConfigMap when migrating to the "API" auth mode in EKS?


This doc: has a warning regarding managed node groups/fargate profiles when migrating from aws-auth ConfigMap to access entries


Don't remove existing aws-auth ConfigMap entries that were created by Amazon EKS when you added a managed node group or a Fargate profile to your cluster. If you remove entries that Amazon EKS created in the ConfigMap, your cluster won't function properly. You can however, remove any entries for self-managed node groups after you've created access entries for them.

However, as far as I understood, when the cluster is in "API" auth mode, the ConfigMap is no longer of any use

It is safe to delete after making the switch?

1 Answer
Accepted Answer

Yes, if you are migrating to the "API" authentication mode in Amazon EKS, you can safely delete the aws-auth ConfigMap after completing the migration.

In the "API" authentication mode, authentication is handled through IAM roles for service accounts (IRSA), and the aws-auth ConfigMap is no longer used to map IAM roles to Kubernetes users or groups. Instead, Kubernetes service accounts are associated directly with IAM roles, and IAM permissions are managed through Kubernetes RBAC (Role-Based Access Control) policies.

***Once you have migrated to the "API" authentication mode and verified that all your service accounts are correctly associated with IAM roles, you can safely delete the aws-auth ConfigMap. It is no longer needed for authentication purposes in this mode. However, ensure that you have thoroughly tested your cluster after the migration to confirm that all your workloads and applications are functioning as expected with the new authentication setup before deleting the ConfigMap *****

Hope it clarifies and if does I would appreciate answer to be accepted so that community can benefit for clarity, thanks ;)

profile picture
answered 3 months ago
profile picture
reviewed a month ago
profile picture
reviewed a month ago
  • The config map can be safely deleted after moving to API mode. But access management and IRSA are completely unrelated. Access management is for external IAM identities to get access inside the cluster. IRSA is for service account identities inside the cluster to get access to AWS. In API mode, access entries are stored in the EKS backend, nothing is inside the cluster.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions