Rename the EKS creator's IAM user name via aws cli

Time: 09-07

If we have a role change in the team, I read that the EKS creator can NOT be transferred. Can we instead rename the creator's IAM user name via the aws cli? Will that break EKS?

I only find ways to add a new user using the configmap, but this configmap doesn't have the root user in it.

$ kubectl edit configmap aws-auth --namespace kube-system

CodePudding user response:

There is no way to transfer the root user of an EKS cluster to another IAM user. The only way to do this would be to delete the cluster and recreate it with the new IAM user as the root user.

CodePudding user response:

Can we instead rename the creator's IAM user name via aws cli? Will that break EKS?

The creator record is immutable and managed within EKS. This record is simply not accessible using the CLI and not amendable (including DELETE).

How do we know whether a cluster was created by an IAM role or an IAM user?

If you cannot find the identity (userIdentity.arn) in CloudTrail that invoked CreateCluster (eventName) for the cluster (responseElements.clusterName) in the last 90 days, you need to raise it with AWS Support to obtain the identity.

Is it safe to delete the creator IAM user?

Typically, you start by deactivating the IAM user account (creator) if you are not sure of any side effect. You can proceed to delete the account later when you are confident enough to do so.
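
The CloudTrail check described in this answer, as an added example that is not part of the original answer: it parses records in the shape that `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateCluster --output json` returns (each event carries the full record as a JSON string in `CloudTrailEvent`), keeps only successful EKS `CreateCluster` calls, and reports the identity EKS treats as the creator. For an IAM user that is `userIdentity.arn`; for an assumed role it is the role in `sessionContext.sessionIssuer.arn`, not the session ARN. The events, account id 111122223333, cluster names and principal names below are constructed sample data, and the helper tolerates several field-name variants for the cluster name because the answer cites `responseElements.clusterName` while the request parameter is `name`.

```python
"""Identify the EKS cluster creator from CloudTrail CreateCluster events.

Input shape: the JSON document printed by
  aws cloudtrail lookup-events --lookup-attributes \
      AttributeKey=EventName,AttributeValue=CreateCluster --output json
Every entry in "Events" carries the full CloudTrail record as a JSON string
in "CloudTrailEvent". All data below is constructed for the example.
"""
import json
from dataclasses import dataclass
from typing import Dict, Optional


def _record(**fields) -> str:
    """Serialise one constructed CloudTrail record the way lookup-events does."""
    return json.dumps(fields)


# Constructed sample output: one EKS cluster created by an IAM user, one by an
# assumed role, one ECS CreateCluster that shares the event name, and one EKS
# attempt that failed (no cluster was created, so no creator exists).
SAMPLE_LOOKUP_OUTPUT = {
    "Events": [
        {"EventId": "00000000-0000-0000-0000-000000000001",
         "EventName": "CreateCluster", "EventSource": "eks.amazonaws.com",
         "CloudTrailEvent": _record(
             eventSource="eks.amazonaws.com", eventName="CreateCluster",
             eventTime="2022-06-01T10:00:00Z",
             userIdentity={"type": "IAMUser", "userName": "alice",
                           "arn": "arn:aws:iam::111122223333:user/alice"},
             requestParameters={"name": "prod-eks"},
             responseElements={"cluster": {"name": "prod-eks"}})},
        {"EventId": "00000000-0000-0000-0000-000000000002",
         "EventName": "CreateCluster", "EventSource": "eks.amazonaws.com",
         "CloudTrailEvent": _record(
             eventSource="eks.amazonaws.com", eventName="CreateCluster",
             eventTime="2022-07-15T08:30:00Z",
             userIdentity={
                 "type": "AssumedRole",
                 "arn": "arn:aws:sts::111122223333:assumed-role/EksClusterCreator/ci-pipeline",
                 "sessionContext": {"sessionIssuer": {
                     "type": "Role",
                     "arn": "arn:aws:iam::111122223333:role/EksClusterCreator"}}},
             requestParameters={"name": "staging-eks"},
             responseElements={"cluster": {"name": "staging-eks"}})},
        {"EventId": "00000000-0000-0000-0000-000000000003",
         "EventName": "CreateCluster", "EventSource": "ecs.amazonaws.com",
         "CloudTrailEvent": _record(
             eventSource="ecs.amazonaws.com", eventName="CreateCluster",
             eventTime="2022-07-20T12:00:00Z",
             userIdentity={"type": "IAMUser", "userName": "bob",
                           "arn": "arn:aws:iam::111122223333:user/bob"},
             responseElements={"cluster": {"clusterName": "batch"}})},
        {"EventId": "00000000-0000-0000-0000-000000000004",
         "EventName": "CreateCluster", "EventSource": "eks.amazonaws.com",
         "CloudTrailEvent": _record(
             eventSource="eks.amazonaws.com", eventName="CreateCluster",
             eventTime="2022-08-02T09:00:00Z", errorCode="AccessDenied",
             userIdentity={"type": "IAMUser", "userName": "carol",
                           "arn": "arn:aws:iam::111122223333:user/carol"},
             requestParameters={"name": "dev-eks"})},
    ]
}


@dataclass
class ClusterCreator:
    cluster: str
    identity_type: str   # "IAMUser" or "AssumedRole"
    caller_arn: str      # userIdentity.arn exactly as CloudTrail recorded it
    creator_arn: str     # the identity EKS treats as the cluster creator
    event_time: str


def _cluster_name(record: dict) -> Optional[str]:
    """Cluster name, checking the field-name variants seen in records."""
    req = record.get("requestParameters") or {}
    resp = record.get("responseElements") or {}
    cluster = resp.get("cluster") or {}
    for value in (resp.get("clusterName"), cluster.get("name"),
                  cluster.get("clusterName"), req.get("name"), req.get("clusterName")):
        if value:
            return value
    return None


def find_eks_creators(lookup_output: dict) -> Dict[str, ClusterCreator]:
    """Map cluster name -> creator for every successful EKS CreateCluster."""
    creators: Dict[str, ClusterCreator] = {}
    for event in lookup_output.get("Events", []):
        record = json.loads(event["CloudTrailEvent"])
        # ECS, Redshift and others also emit "CreateCluster": filter on the source.
        if record.get("eventSource") != "eks.amazonaws.com":
            continue
        if record.get("eventName") != "CreateCluster" or record.get("errorCode"):
            continue
        name = _cluster_name(record)
        if not name:
            continue
        ident = record.get("userIdentity", {})
        caller_arn = ident.get("arn", "")
        creator_arn = caller_arn
        if ident.get("type") == "AssumedRole":
            # EKS records the role, not the individual session, as creator.
            issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
            creator_arn = issuer.get("arn", caller_arn)
        creators[name] = ClusterCreator(name, ident.get("type", "unknown"),
                                        caller_arn, creator_arn, record.get("eventTime", ""))
    return creators


if __name__ == "__main__":
    for c in find_eks_creators(SAMPLE_LOOKUP_OUTPUT).values():
        print(f"{c.cluster}: created {c.event_time} by {c.identity_type} {c.creator_arn}")
```

Against a real account, run the `lookup-events` command in the region the cluster lives in and feed the parsed JSON to `find_eks_creators`. The API only searches the trailing 90 days, which is the window the answer refers to; anything older has to come from an archived trail (S3/Athena) or, as the answer says, from AWS Support.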

CodePudding user response:

As already mentioned in the answer by Muhammad, it is not possible to transfer the root/creator role to another IAM user.

To avoid getting into the situation that you describe, or any other situation where the creator of the cluster should not stay root, it is recommended not to create clusters with IAM users but with assumed IAM roles instead.

This leads to the IAM role becoming the "creator", meaning that you can use IAM access management to control who can actually assume the given role and thus act as root.

You can either have dedicated roles for each cluster or one role for multiple clusters, depending on how you plan to do access management. The limits will however apply later, meaning that you cannot switch the creator role afterwards, so this must be properly planned in advance.
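
What this answer's recommendation looks like in practice, as an added example and not part of the original answer: a trust policy for a dedicated cluster-creator role. The cluster is created while holding this role, so the role ARN becomes the immutable creator, and from then on who can act as creator is decided by this trust policy plus the IAM policies on the trusted principals rather than by an individual's IAM user. The account id 111122223333 and the role names EksClusterCreator and PlatformAdmins are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyPlatformAdminsMayActAsClusterCreator",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/PlatformAdmins"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Attach this as the trust policy of `EksClusterCreator`, create the cluster under `aws sts assume-role --role-arn arn:aws:iam::111122223333:role/EksClusterCreator --role-session-name create-cluster`, and a later team change is handled by adjusting who may assume `PlatformAdmins`; the creator record never needs to move. Naming a role rather than individual users as the principal is what keeps the set of people with implicit root access auditable, and `sts:AssumeRole` calls against the creator role show up in CloudTrail with the caller's own identity.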
