Amazon Web Services

How to get back access to kubectl lost due to incorrect aws configmap?

Background of the problem: in the AWS console, I saw that for some reason the nodes of our cluster were no longer displayed under my admin (not root). According to the help article , it was necessary to edit the configmap.

I have edited the configmap like this:

apiVersion: v1
data:
  mapRoles:  <default options>
  mapUsers: |
    - userarn: arn:aws:iam::<root id>:root
    username: #здесь оставил значение пустым
      groups:
      - system:bootstrappers
      - system:nodes

It ended up that kubectl responds to all commands with an error of this kind: Error from server (Forbidden): configmaps "aws-auth" is forbidden: User "" cannot get resource "configmaps" in API group "" in the namespace "kube-system"

As far as I understand, I "lowered" the rights of the root user by setting the system:nodes, system:bootstrappers group for him and now he is not in the system:masters

group created a cluster, still has access to its management. But I do not understand how to return access. I reproduced the same error on a new cluster created for this purpose: even if I am root, kubectl still won't let me execute commands.

Update #1
I tried to use the serviceAccount token obtained from the /var/run/secrets/kubernetes.io/serviceaccount/token file in one of the containers.

The get nodes command worked, but I can't edit the configmap

$ kubectl --token=<...> edit configmap aws-auth -n kube-system

Error from server (Forbidden): configmaps "aws-auth" is forbidden: User "system:serviceaccount:kube-system:aws-node" cannot get resource "configmaps" in API group "" in the namespace "kube-system"