You must edit the aws-auth configmap to give the cluster lifecycle role access to the EKS cluster.

Prerequisites

Procedure

  1. Connect to your AWS account via AWS CLI.
  2. Run the following command to add a new kubeconfig context for the cluster you want to bring under Tanzu Mission Control management:
    aws eks update-kubeconfig --name mycluster-name --kubeconfig mykubeconfig-name --region myregion-name
    For example:
    aws eks update-kubeconfig --name myusername-cna-eksattached --kubeconfig myusername-cna-eksattached.yaml --region east
  3. Run the following command to get the aws-auth configmap:
    kubectl get configmap -n kube-system aws-auth -o yaml --kubeconfig=path-to/kubeconfig
    For example:
    kubectl get configmap -n kube-system aws-auth -o yaml --kubeconfig=myusername-cna-eksattached.yaml
    Note: The aws-auth configmap is not created until there is at least one node group associated with the cluster.
  4. Run the following command to create a new group and cluster role binding:
    kubectl create clusterrolebinding my-cluster-rolebinding-name \
    --clusterrole=cluster-admin \
    --group=mygroup-name \
    --kubeconfig=mykubeconfig-name
    For example:
    kubectl create clusterrolebinding my-privileged-cluster-role-binding \
    --clusterrole=cluster-admin \
    --group=tmc-cluster-access \
    --kubeconfig=myusername-cna-eksattached.yaml
  5. Run the following command to edit the aws-auth configmap:
    kubectl edit configmaps -n kube-system aws-auth -o yaml --kubeconfig=mykubeconfig-name
    For example:
    kubectl edit configmaps -n kube-system aws-auth -o yaml --kubeconfig=myusername-cna-eksattached.yaml
  6. Add the following code block to the mapRoles section of the aws-auth configmap:
    - groups:
      - mygroup-name
      rolearn: my-TMC-EKS-credential-ARN
    For example:
    - groups:
      - tmc-cluster-access
      rolearn: arn:aws:iam::1234567890:role/clusterlifecycle.1234567890.eks.tmc.cloud.vmware.com
    
    Note: To find the ARN of the role that the CloudFormation stack created:
    1. From the AWS Console, navigate to CloudFormation > Stacks.
    2. Select the stack that corresponds to the credential.

    Tanzu Mission Control adds a label key to help map your EKS credential to the appropriate CloudFormation stack (for example, eks-tmc-cloud-vmware-com-1234567812345678165).

  7. (Optional) Run the following command to confirm that the aws-auth configmap contains your changes and is still well-formed:
    kubectl get configmap aws-auth -n kube-system -o yaml --kubeconfig=mykubeconfig-name
    For example:
    kubectl get configmap aws-auth -n kube-system -o yaml --kubeconfig=myusername-cna-eksattached.yaml
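The following script is an added example, not code from the Tanzu Mission Control documentation: it performs steps 5 and 6 non-interactively by appending the lifecycle role mapping to the existing mapRoles data instead of hand-editing it, so the node instance role entry that is already there is never dropped. The sample mapRoles text and the lifecycle role ARN it uses are constructed; only apply_mapping needs kubectl and a kubeconfig.

```shell
#!/usr/bin/env bash
# Added example: append the step 6 mapping to aws-auth without overwriting the
# mapRoles entries already present (the node instance role lives in that block;
# dropping it stops nodes from joining). Only apply_mapping talks to the cluster.
# An IAM role ARN looks like arn:<partition>:iam::<12-digit account>:role/<name>.
valid_role_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws(-us-gov|-cn)?:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}
# Render the mapRoles list item from step 6 for role ARN $1 and group $2.
maproles_entry() {
  printf '%s\n' '- groups:' "  - $2" "  rolearn: $1"
}
# Print existing mapRoles YAML ($1) plus the mapping for ARN $2 / group $3.
# Malformed ARNs are refused; a second run with the same ARN changes nothing.
# Step 4 binds the group to cluster-admin, so map only the lifecycle role here.
merge_maproles() {
  local existing="$1" arn="$2" group="$3"
  valid_role_arn "$arn" || { echo "refusing malformed role ARN: $arn" >&2; return 1; }
  if printf '%s\n' "$existing" | grep -Fq "rolearn: $arn"; then
    printf '%s\n' "$existing"
  else
    printf '%s\n' "$existing"
    maproles_entry "$arn" "$group"
  fi
}
# Encode a multi-line string as one JSON string literal (no jq needed).
json_string() {
  printf '"%s"' "$(printf '%s\n' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g' | awk 'BEGIN{ORS=""} {print $0 "\\n"}')"
}
# Read the live mapRoles, merge, and patch it back. $1 kubeconfig, $2 ARN, $3 group.
apply_mapping() {
  local kc="$1" current merged
  current=$(kubectl get configmap aws-auth -n kube-system --kubeconfig="$kc" -o jsonpath='{.data.mapRoles}')
  merged=$(merge_maproles "$current" "$2" "$3") || return 1
  kubectl patch configmap aws-auth -n kube-system --kubeconfig="$kc" --type merge \
    -p "{\"data\":{\"mapRoles\":$(json_string "$merged")}}"
}
# Constructed sample: mapRoles from a cluster with one node group, plus a
# made-up lifecycle role ARN following the naming pattern shown in step 6.
SAMPLE_MAPROLES='- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::111122223333:role/demo-NodeInstanceRole
  username: system:node:{{EC2PrivateDNSName}}'
TMC_ROLE_ARN='arn:aws:iam::111122223333:role/clusterlifecycle.111122223333.eks.tmc.cloud.vmware.com'
merge_maproles "$SAMPLE_MAPROLES" "$TMC_ROLE_ARN" tmc-cluster-access
```

Running `apply_mapping myusername-cna-eksattached.yaml "$TMC_ROLE_ARN" tmc-cluster-access` performs the read, merge and patch cycle against the cluster from step 2; the step 7 command then shows the result.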