Yes, if you are migrating to the "API" authentication mode in Amazon EKS, you can safely delete the aws-auth ConfigMap after completing the migration.
In the "API" authentication mode, authentication is handled through IAM roles for service accounts (IRSA), and the aws-auth ConfigMap is no longer used to map IAM roles to Kubernetes users or groups. Instead, Kubernetes service accounts are associated directly with IAM roles, and IAM permissions are managed through Kubernetes RBAC (Role-Based Access Control) policies. https://aws.github.io/aws-eks-best-practices/security/docs/iam/
Once you have migrated to the "API" authentication mode and verified that all your service accounts are correctly associated with IAM roles, you can safely delete the aws-auth ConfigMap. It is no longer needed for authentication purposes in this mode. However, ensure that you have thoroughly tested your cluster after the migration to confirm that all your workloads and applications are functioning as expected with the new authentication setup before deleting the ConfigMap.
Hope it clarifies, and if it does I would appreciate the answer being accepted so that the community can benefit from the clarity, thanks ;)
The config map can be safely deleted after moving to API mode. But access management and IRSA are completely unrelated. Access management is for external IAM identities to get access inside the cluster. IRSA is for service account identities inside the cluster to get access to AWS. In API mode, access entries are stored in the EKS backend, nothing is inside the cluster.
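
A pre-delete check for the migration discussed above, added here as an example and not code from either poster or from AWS: it lists the IAM principals still mapped in aws-auth that have no EKS access entry. The function names, account ID, role names and the `my-cluster` placeholder are assumptions.

```shell
#!/bin/sh
# Added example: pre-delete check for the aws-auth ConfigMap.
# Function names and sample data are constructed for illustration.

# Print the rolearn/userarn values found in an aws-auth manifest on stdin.
configmap_principals() {
  sed -n -E 's/^[[:space:]-]*(rolearn|userarn):[[:space:]]*"?([^"[:space:]]+)"?.*$/\2/p' | sort -u
}

# missing_principals <aws-auth yaml> <access entry ARNs, one per line>
# Prints every principal mapped in aws-auth that has no access entry.
# Comparison is an exact string match on the ARN.
missing_principals() {
  printf '%s\n' "$1" | configmap_principals | while IFS= read -r arn; do
    printf '%s\n' "$2" | grep -Fxq -- "$arn" || printf '%s\n' "$arn"
  done
}

# Constructed sample input (account ID and role names are made up).
SAMPLE_CM='data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/eks-node-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::111122223333:role/platform-admin
      username: platform-admin
      groups:
        - system:masters
  mapUsers: |
    - userarn: arn:aws:iam::111122223333:user/ci-deployer
      username: ci-deployer'
SAMPLE_ENTRIES='arn:aws:iam::111122223333:role/eks-node-role
arn:aws:iam::111122223333:user/ci-deployer'

# Against a live cluster ("my-cluster" is a placeholder):
#   aws eks describe-cluster --name my-cluster \
#     --query 'cluster.accessConfig.authenticationMode' --output text
#   cm=$(kubectl get configmap aws-auth -n kube-system -o yaml)
#   entries=$(aws eks list-access-entries --cluster-name my-cluster \
#     --query 'accessEntries[]' --output text | tr '\t' '\n')
#   missing_principals "$cm" "$entries"

missing_principals "$SAMPLE_CM" "$SAMPLE_ENTRIES"
```

An empty result means every principal in the ConfigMap already has an access entry; any ARN printed would lose cluster access once the ConfigMap is deleted.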