When you first create an Amazon EKS cluster on AWS, the IAM entity user or role that creates the cluster, is the only identity authorized to authenticate to it and manage the aws-auth ConfigMap, it's automatically granted system:masters permissions in the cluster's RBAC configuration for the cluster creator as you hve mentioned [1].

To identify who is the cluster creator, you can user the CloudTrail console on "Event History" you can filter by "Event name" and select "CreateCluster", it will list the event used to create the cluster, there you will be able to see the identity (user or role) that was used to create the cluster.

In order to be able to authenticate, first you need to install the aws-iam-authenticator [2], then assume the cluster creator identity on your AWS-CLI, by default the AWS IAM Authenticator for Kubernetes will use the same credentials that are returned with the following command:

aws sts get-caller-identity Lastly you need to create a kubeconfig file with the command below to be able to "kubectl get nodes" [3]:

aws eks --region region-code update-kubeconfig --name cluster_name You can find more information about the authentication process on AWS EKS at the "Managing cluster authentication" documentation [4].

If you need to grant access to new users other than the cluster creator, you must add the role/user via ConfigMap logged in with an identity already authorized on the aws-auth ConfigMap [5].

[1]https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html [2]https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html [3]https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html [4]https://docs.aws.amazon.com/eks/latest/userguide/managing-auth.html [5]https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html