How to write the aws-auth ConfigMap

I always forget this, so here is a memo.

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::XXXXXXXXXX:role/eksctl-ekshandson-nodegroup-ng-27-NodeInstanceRole-4U12PRS80UJH
      username: system:node:{{EC2PrivateDNSName}}
    - rolearn: arn:aws:iam::XXXXXXXXXX:role/Admin
      username: Admin:{{SessionName}}
      groups:
      - system:masters
  mapUsers: |
    - userarn: arn:aws:iam::XXXXXXXXXX:user/sotosugi
      username: sotosugi
      groups:
      - system:masters
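The two `data` blocks above are the whole of EKS authentication mapping, so mistakes there (a role silently bound to `system:masters`, a username without `{{SessionName}}` that makes every assumed session indistinguishable in the audit log, or a typo that breaks the YAML) are worth catching before `kubectl apply`. The script below is an added example, not part of the original memo: it hand-parses the flat YAML subset that `mapRoles`/`mapUsers` use (so it needs no PyYAML) and reports risky entries. The account id `123456789012`, the role and user names, and the "prefer roles over direct IAM-user mappings" rule are all constructed for the example.

```python
"""Lint the mapRoles / mapUsers blocks of an EKS aws-auth ConfigMap.

Added example, not code from the original memo. It hand-parses the flat
YAML subset that aws-auth entries use, so it runs without PyYAML.
"""
import re

# "- key: value" / "key:" lines. Scalars such as system:masters do not match
# because their colon is not followed by whitespace or end-of-line.
KEY_RE = re.compile(r"^([A-Za-z][\w-]*):(?:\s+(.*))?$")
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(role|user)/[\w+=,.@/-]+$")
NODE_GROUPS = {"system:bootstrappers", "system:nodes"}
NODE_USERNAME = "system:node:{{EC2PrivateDNSName}}"


def parse_mapping_block(text):
    """Parse a mapRoles/mapUsers value: a list of flat maps whose values are
    scalars or lists of scalars, which is the only shape aws-auth uses."""
    entries, current, list_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        is_item = line.startswith("- ")
        body = line[2:].strip() if is_item else line
        m = KEY_RE.match(body)
        if is_item and m is None:
            # "- scalar": an element of the most recent list-valued key
            if current is None or list_key is None:
                raise ValueError(f"list item without a list key: {raw!r}")
            current[list_key].append(body)
            continue
        if m is None:
            raise ValueError(f"unrecognised aws-auth line: {raw!r}")
        if is_item:  # "- key: value" opens a new mapping entry
            current, list_key = {}, None
            entries.append(current)
        if current is None:
            raise ValueError(f"key outside any list entry: {raw!r}")
        key, value = m.group(1), (m.group(2) or "").strip().strip("'\"")
        if value:
            current[key] = value
        else:  # "groups:" with its items on the following lines
            current[key] = []
            list_key = key
    return entries


def lint_roles(entries):
    """Return (index, code, message) findings for mapRoles entries."""
    findings = []
    for i, e in enumerate(entries):
        arn, user, groups = e.get("rolearn", ""), e.get("username", ""), e.get("groups", [])
        if not ARN_RE.match(arn) or ":role/" not in arn:
            findings.append((i, "bad-arn", f"rolearn malformed: {arn!r}"))
        if "system:masters" in groups:
            findings.append((i, "cluster-admin", f"{arn} maps to system:masters"))
        if "system:nodes" in groups:
            # Worker-node role: the authenticator must template the node name
            if user != NODE_USERNAME or set(groups) != NODE_GROUPS:
                findings.append((i, "node-role", f"{arn}: username {user!r}, groups {groups}"))
        elif "{{SessionName}}" not in user:
            # Without the placeholder every assumed session shares one
            # Kubernetes username, so the audit log cannot tell them apart
            findings.append((i, "no-session-name", f"{arn} -> {user!r}"))
    return findings


def lint_users(entries):
    """Findings for mapUsers. Flagging every direct IAM-user mapping is this
    example's own policy choice (prefer roles), not an EKS rule."""
    findings = []
    for i, e in enumerate(entries):
        arn, groups = e.get("userarn", ""), e.get("groups", [])
        if not ARN_RE.match(arn) or ":user/" not in arn:
            findings.append((i, "bad-arn", f"userarn malformed: {arn!r}"))
        else:
            findings.append((i, "direct-user", f"{arn} mapped directly; prefer a role"))
        if "system:masters" in groups:
            findings.append((i, "cluster-admin", f"{arn} maps to system:masters"))
    return findings


# Constructed sample blocks; the account id and principal names are made up.
SAMPLE_MAP_ROLES = """\
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::123456789012:role/example-NodeInstanceRole
  username: system:node:{{EC2PrivateDNSName}}
- rolearn: arn:aws:iam::123456789012:role/Admin
  username: Admin:{{SessionName}}
  groups:
  - system:masters
- rolearn: arn:aws:iam::123456789012:role/ReadOnly
  username: readonly
  groups:
  - viewers
"""
SAMPLE_MAP_USERS = """\
- userarn: arn:aws:iam::123456789012:user/example-user
  username: example-user
  groups:
  - system:masters
"""


def audit(map_roles=SAMPLE_MAP_ROLES, map_users=SAMPLE_MAP_USERS):
    """Parse both blocks and return the findings per block."""
    return {"roles": lint_roles(parse_mapping_block(map_roles)),
            "users": lint_users(parse_mapping_block(map_users))}


if __name__ == "__main__":
    for block, findings in audit().items():
        for idx, code, msg in findings:
            print(f"{block}[{idx}] {code}: {msg}")
```

To run it against a live cluster, pipe the two `data` fields out of `kubectl get configmap aws-auth -n kube-system` into `audit()`; the parser raises `ValueError` on anything outside the expected shape, which is the cue to fix the YAML before applying it, since a broken aws-auth map locks IAM principals out of the cluster.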

To add the IAM role mapping with eksctl instead of editing the ConfigMap by hand, run the following.

CLUSTER_NAME="hogehoge"
USER_NAME="Admin:{{SessionName}}"
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --output text --query Account)
ROLE_ARN="arn:aws:iam::${AWS_ACCOUNT_ID}:role/Admin"
eksctl create iamidentitymapping --cluster "${CLUSTER_NAME}" --arn "${ROLE_ARN}" --username "${USER_NAME}" --group system:masters