When managing Amazon Elastic Kubernetes Service (EKS) clusters, identifying the cluster creator can sometimes be necessary for governance, auditing, or troubleshooting. AWS provides multiple ways to retrieve this information, depending on the cluster’s creation time and logging configurations. This article outlines two approaches for discovering the cluster creator based on available data.
Scenario 1: Cluster Created Within 90 Days
For clusters created within the last 90 days, the CreateCluster API call is your best bet. AWS retains CloudTrail logs for 90 days, allowing you to track down the user or role that initiated the cluster creation.
- Navigate to CloudTrail console, and select “Event History”
- From the “Lookup attributes” drop-down, choose “Event Name”, and enter “CreateCluster”.
- Identify the event which has created the cluster, and you’ll find the cluster creator ARN.
Scenario 2: Cluster Older Than 90 Days
If the cluster was created more than 90 days ago, CloudTrail logs are no longer be available. In this case, you can use a custom CloudWatch Logs Insights query to identify the creator, provided that the Authenticator control plane logging is enabled.
- Navigate to CloudWatch console, and select “Log Insights”.
- Choose the respective log group name from the drop down. The format of the log group name should be in “/aws/eks//cluster”.
- Choose the timeframe accordingly, and run the below log insights query.
fields @timestamp, @message
| filter @logStream like 'authenticator'
| filter @message like 'msg="mapping IAM user"' and @message like 'username=kubernetes-admin'
| parse @message /user="(?<creatorARN>.([^\s]+))"/
| display @timestamp, creatorARN
| sort @timestamp desc
| limit 50
That’s it. Thank you for taking the time to read this article! Keep up the great work, and happy deploying! 🚀 😊
Top comments (0)