Although clusterctl init
embeds a set of AWS credentials into the configuration of the Cluster API Provider for AWS (CAPA) when initializing the management cluster, it may be necessary after deployment to change or update those AWS credentials.
CAPA stores the credentials it uses as a Kubernetes Secret in the "capa-system" namespace. You can use kubectl -n capa-system get secrets
and you'll see the "capa-manager-bootstrap-credentials" Secret. The credentials themselves are stored as a key named credentials
; you can use this command to retrieve the credentials and decode them (if you're using macOS, change the -d
to -D
):
kubectl -n capa-system get secret capa-manager-bootstrap-credentials \
-o jsonpath="{.data.credentials}" | base64 -d
The command will return something like this (but with valid access key ID, secret access key, and region values, obviously):
[default]
aws_access_key_id = <access-key-id-value-here>
aws_secret_access_key = <secret-access-key-value-here>
region = <aws-region-here>
There are two ways to change the AWS credentials used by CAPA:
- As part of upgrading Cluster API components using
clusterctl upgrade
- Manually
When upgrading the Cluster API components using clusterctl upgrade
in a management cluster that has CAPA installed, clusterctl
requires that the variable "AWS_B64ENCODED_CREDENTIALS" is defined with a value. This value is used by clusterctl
to update the Kubernetes Secret described above. Thus, if the management cluster needs to be upgraded, users can change/update the AWS credentials used by CAPA as part of the upgrade process.
The process would look like this:
- Use
clusterawsadm
to define the "AWS_B64ENCODED_CREDENTIALS" variable. Withclusterawsadm
0.5.4 and earlier, the command isclusterawsadm alpha bootstrap encode-aws-credentials
; with version 0.5.5 or later, the command isclusterawsadm bootstrap credentials encode-as-profile
. Assign the output of this command to the "AWS_B64ENCODED_CREDENTIALS" variable. Users should ensure thatclusterawsadm
picks up the new or updated credentials when running this command. - Use
clusterctl
to upgrade the management cluster, first by runningclusterctl upgrade plan
and then by runningclusterctl upgrade apply
(using the command provided in the output ofclusterctl upgrade plan
). As part of the upgrade process, the credentials stored in the "AWS_B64ENCODED_CREDENTIALS" variable will be placed into the Kubernetes Secret used by CAPA.
If the management cluster does not need to be upgraded or can't be upgraded at the current time, then users will need to manually change the credentials.
To manually change the credentials used by CAPA, follow these steps:
- Use
clusterawsadm
to create the material needed for the Kubernetes Secret. Withclusterawsadm
0.5.5 and earlier, the command isclusterawsadm alpha bootstrap encode-aws-credentials
; with version 0.6.0 or later, the command isclusterawsadm bootstrap credentials encode-as-profile
. Record the output of this command, as it is needed in a later step. - Use
kubectl -n capa-system edit secret capa-manager-bootstrap-credentials
to edit the Secret. Replace the existing value of thedata.credentials
field with the new value created in step 1 usingclusterawsadm
. Save your changes. - For the CAPA controller manager to pick up the new credentials in the Secret, restart it with
kubectl -n capa-system rollout restart deployment capa-controller-manager
.
Upon restart, CAPA will now use the updated credentials in the Secret to communicate with AWS.