Find the creator of an EKS Cluster

How to find the creator of an EKS Cluster. In this post, I'll show you how to find the AWS IAM principal who created an EKS Cluster in one minute.

The Elastic Kubernetes Service (Amazon EKS) dashboard does not display the details of the creator of an EKS cluster. However, you can find this information by either querying the CloudTrail logs or (if the authenticator logs were enabled in the cluster) CloudWatch logs.

Option 1: Query CloudTrail logs

AWS CloudTrail is a service that provides a record of actions taken by a user, role, or an AWS service in the AWS account.

CloudTrail captures all API calls for Amazon EKS as events, including calls to the CreateCluster API operation. Here are the steps to find out who created an EKS cluster using CloudTrail logs:

  1. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
  2. In the navigation pane, click Event history.
  3. In the Filter box, type CreateCluster.
  4. In the Time range box, specify the time range when you believe the cluster was created.
  5. Click Lookup.

The results will show all CreateCluster events within the specified time range. Click on an event to view more details, including the identity of the user or role that made the request in the userIdentity field.

Note: If you have (or had) multiple EKS clusters in your AWS account, you'll need to filter accordingly.

This option is only valid if you configured a CloudTrail Trail before the cluster creation or if the cluster was created in the past 90 days (CloudTrail with no Trails saves logs for 90 days).

[Figure: Results of the CloudTrail query]
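
The filtering mentioned in the note can also be done offline on the JSON returned by `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateCluster`. The following Python is an added example, not code from the original post; the sample events, account ID, cluster names and ARNs are constructed placeholders, and `find_cluster_creators` is a hypothetical helper name.

```python
import json
def _event(source, identity, params, time, error=None):
    """Build one constructed entry shaped like an item of lookup-events output."""
    record = {"eventSource": source, "eventName": "CreateCluster", "eventTime": time,
              "userIdentity": identity, "requestParameters": params}
    if error:
        record["errorCode"] = error
    return {"EventName": "CreateCluster", "CloudTrailEvent": json.dumps(record)}

ROLE = "arn:aws:iam::111122223333:role/DeployRole"  # placeholder ARN
# Constructed sample input; every account ID, name and ARN is a placeholder.
SAMPLE = {"Events": [
    _event("ecs.amazonaws.com", {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
           {"clusterName": "demo-cluster"}, "2023-11-24T14:00:00Z"),
    _event("eks.amazonaws.com", {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
           {"name": "demo-cluster"}, "2023-11-24T14:30:00Z", error="AccessDenied"),
    _event("eks.amazonaws.com", {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
           {"name": "other-cluster"}, "2023-11-24T14:45:00Z"),
    _event("eks.amazonaws.com",
           {"type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-session",
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE}}},
           {"name": "demo-cluster"}, "2023-11-24T15:00:00Z"),
]}

def find_cluster_creators(lookup_output, cluster_name):
    """Return successful EKS CreateCluster calls for cluster_name, oldest first."""
    creators = []
    for event in lookup_output.get("Events", []):
        record = json.loads(event["CloudTrailEvent"])  # full record is a JSON string
        if record.get("eventSource") != "eks.amazonaws.com":
            continue  # other services also expose an API named CreateCluster
        if record.get("eventName") != "CreateCluster" or record.get("errorCode"):
            continue  # skip other calls and failed attempts
        if (record.get("requestParameters") or {}).get("name") != cluster_name:
            continue  # a different EKS cluster in the same account
        identity = record.get("userIdentity") or {}
        issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
        creators.append({
            "time": record.get("eventTime"),
            "type": identity.get("type"),
            "caller_arn": identity.get("arn"),
            # For assumed-role sessions, report the role behind the session.
            "principal_arn": issuer.get("arn") or identity.get("arn"),
        })
    return sorted(creators, key=lambda c: c["time"] or "")
if __name__ == "__main__":
    print(json.dumps(find_cluster_creators(SAMPLE, "demo-cluster"), indent=2))
```

To run it against real data, save the CLI output to a file and pass `json.load(open(path))` in place of `SAMPLE`.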

Option 2: Query CloudWatch logs using Logs Insights

CloudWatch does not directly track the creation of EKS clusters. However, if you have set up CloudWatch logging for your EKS clusters, you can infer the creation of a cluster by looking for the first logs from that cluster. Here are the steps to do this using CloudWatch Logs Insights:

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
  2. In the navigation pane, choose Logs, and then select Logs Insights.
  3. Choose the time range when you believe the cluster was created.
  4. In the Select log group(s) drop-down list, choose the log group for your EKS cluster. The name of this log group will typically include the name of the cluster.
  5. In the query editor, paste the following query to identify the cluster creator ARN and choose Run to view the results:

     fields @timestamp, @message
     | filter @logStream like /authenticator/
     | sort @timestamp desc
     | limit 1000

Look for the ARN value in the message field of the results:

Field            Value
@ingestionTime   1700838812233
@log             05XXXXXXXX22:/aws/eks/ekstestsso/cluster
@logStream       authenticator-3e9089af344366ba11b4e9a8abde8cd1
@message         time="2023-11-24T15:13:26Z" level=info msg="access granted" arn="arn:aws:iam::05XXXXXXXX22:user/jcarrera" client="127.0.0.1:45204" groups="[system:masters]" method=POST path=/authenticate uid="aws-iam-authenticator:05XXXXXXXX22:AIDAQXXXXXXXXXXXXXSBS" username=kubernetes-admin
@timestamp       1700838811215

Please note that this method does not directly tell you who created the cluster. To find out who created the cluster, you would still need to use CloudTrail as described above.
You could also find the same data by analyzing the CloudWatch logs without using Logs Insights, but the process would take more effort.

For more information, you can refer to the following documentation:

Logging Amazon EKS API calls with AWS CloudTrail

Amazon EKS control plane logging

Analyzing log data with CloudWatch Logs Insights
