No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hi, can anyone explain to me please how `aws-auth` config map is pupulated with the role?
My cluster was provisioned with a different role and I had to then run `eksctl create iamidentitymapping`.
We are using `@pulumi/eks` 2.8.1 with the local zone vpc.
Can you also chime in how painful the update to v3 might be?

What role are you trying to add to `aws-auth`? You should be able to patch the ConfigMap.

Also note that `aws-auth` is deprecated in favor of <https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html|access entries>. Example for granting access to an IAM role: <https://github.com/pulumi/pulumi-eks/blob/dc8f5bbea5bf9a3ed11a29cfc91bf8da4f318b44/examples/cluster-py/__main__.py#L67-L80>

Hey, the additional role you've created using `eksctl` can also be created by the component using the `roleMappings` property (<https://www.pulumi.com/registry/packages/eks/api-docs/cluster/#rolemappings_nodejs>). That way there's no drift between the configmap and IaC.

This doc here should give you an idea of what needs to be done for the v3 migration: <https://www.pulumi.com/registry/packages/eks/how-to-guides/v3-migration/#gracefully-upgrading-node-groups>

But as Kilian said, aws-auth was deprecated by aws, I'd recommend using the access entries instead

Thank you!
I will take a look at access entries.
Right now I am afraid how is this going to play out with AWS SSO roles.
Also I hope that v3 won’t mess with our setup specific to vpc local zone :slightly_smiling_face: