Home / AWS / Fix AWS EKS Node Not Joining Cluster

AWS

Fix AWS EKS Node Not Joining Cluster

Resolve EKS node joining failures by fixing aws-auth ConfigMap, IAM roles, security groups, and networking configuration.

Published: Apr 1, 20267 min readBy FixWikiHub Editorial Team

Abstract illustration for a troubleshooting knowledge base category.

Introduction

EKS worker nodes need to authenticate with the cluster and register themselves. When a node fails to join, it shows as "NotReady" or doesn't appear in kubectl get nodes. The node's kubelet can't communicate with the EKS control plane.

Symptoms

Node not appearing:

```bash $ kubectl get nodes

NAME STATUS ROLES AGE VERSION # Empty or missing new node ```

Node status NotReady:

```bash $ kubectl get nodes

NAME STATUS ROLES AGE VERSION ip-10-0-1-100.ec2.internal NotReady <none> 5m v1.28.0 ```

kubelet logs on node:

```bash $ journalctl -u kubelet -f

E0115 10:00:00.000000 kubelet.go:1234] Unable to register node "ip-10-0-1-100.ec2.internal" with API server: Unauthorized ```

EC2 instance console:

```bash $ aws ec2 get-console-output --instance-id i-abc123 --output text | grep -i eks

"Failed to register with cluster: Unauthorized" ```

Common Causes

1.aws-auth ConfigMap misconfigured - Node's IAM role not mapped
2.Wrong IAM role - Node using different role than configured
3.Security group blocking - Node can't reach control plane
4.VPC/subnet misconfiguration - Node in wrong network
5.Cluster endpoint access - Private endpoint issues
6.kubelet version mismatch - Incompatible Kubernetes version
7.Node instance profile missing - No IAM profile attached

Step-by-Step Fix

1.Check logs for specific error messages
2.Verify configuration settings
3.Test network connectivity
4.Review recent changes
5.Apply corrective action
6.Verify the fix

Step 1: Check Node IAM Role

```bash # Get instance IAM role aws ec2 describe-instances --instance-ids i-abc123 \ --query 'Reservations[*].Instances[*].IamInstanceProfile.Arn'

# Get the role name from the profile aws iam get-instance-profile --instance-profile-name NODE_PROFILE_NAME \ --query 'InstanceProfile.Roles[*].RoleName'

# Expected format: eks-node-role or similar ```

Step 2: Verify aws-auth ConfigMap

```bash # Get current aws-auth config kubectl get configmap aws-auth -n kube-system -o yaml

# Should contain mapRoles section: # mapRoles: # - rolearn: arn:aws:iam::ACCOUNT:role/eks-node-role # username: system:node:{{EC2PrivateDNSName}} # groups: # - system:bootstrappers # - system:nodes ```

Add missing role mapping:

```bash # Edit the configmap kubectl edit configmap aws-auth -n kube-system

# Add or verify the node role mapping: apiVersion: v1 kind: ConfigMap metadata: name: aws-auth namespace: kube-system data: mapRoles: | - rolearn: arn:aws:iam::ACCOUNT:role/eks-node-role username: system:node:{{EC2PrivateDNSName}} groups: - system:bootstrappers - system:nodes ```

Or apply via kubectl:

bash

kubectl apply -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::ACCOUNT:role/eks-node-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
      - system:bootstrappers
      - system:nodes
EOF

Step 3: Check Node Security Group

```bash # Get node's security groups aws ec2 describe-instances --instance-ids i-abc123 \ --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId'

# Get cluster security group aws eks describe-cluster --name my-cluster \ --query 'cluster.resourcesVpcConfig.clusterSecurityGroupId'

# Node security group must allow: # - Outbound 443 to control plane (or 0.0.0.0/0) # - Inbound from control plane for webhook callbacks ```

Add required rules:

```bash # Allow node to communicate with control plane aws ec2 authorize-security-group-egress \ --group-id sg-node \ --protocol tcp \ --port 443 \ --cidr 0.0.0.0/0

# For private clusters, allow control plane security group aws ec2 authorize-security-group-ingress \ --group-id sg-node \ --protocol tcp \ --port 10250 \ --source-group sg-cluster-control-plane ```

Step 4: Verify Cluster Endpoint Access

```bash # Check cluster endpoint configuration aws eks describe-cluster --name my-cluster \ --query 'cluster.resourcesVpcConfig.{Public:publicAccessCidrs,Private:endpointPrivateAccess,PublicEnabled:endpointPublicAccess}'

# If private endpoint only, node must be in VPC # If public endpoint, node must have internet access ```

For private-only endpoints:

```bash # Ensure node is in correct VPC aws ec2 describe-instances --instance-ids i-abc123 \ --query 'Reservations[*].Instances[*].[VpcId,SubnetId]'

# Compare with cluster VPC aws eks describe-cluster --name my-cluster \ --query 'cluster.resourcesVpcConfig.vpcId' ```

Step 5: Check kubelet Logs on Node

```bash # SSH into the node (via SSM or bastion) aws ssm start-session --target i-abc123

# Check kubelet status sudo systemctl status kubelet

# View kubelet logs sudo journalctl -u kubelet -f --no-pager

# Common errors: # "Unauthorized" -> aws-auth issue # "Connection refused" -> network/endpoint issue # "TLS handshake timeout" -> security group issue ```

Step 6: Verify Node's Bootstrap Script

```bash # Check user data on node aws ec2 describe-instance-attribute --instance-id i-abc123 --attribute userData \ --query 'UserData.Value' --output text | base64 -d

# Should contain EKS bootstrap script with cluster name: #!/bin/bash /etc/eks/bootstrap.sh my-cluster \ --b64-cluster-ca BASE64_CA \ --apiserver-endpoint https://CLUSTER_ENDPOINT ```

For managed node groups, this is automatic. For self-managed, verify bootstrap arguments.

Step 7: Check Kubernetes Version Compatibility

```bash # Get cluster version aws eks describe-cluster --name my-cluster \ --query 'cluster.version'

# Get kubelet version on node kubectl version --short # Or on node: kubelet --version

# Kubernetes version skew policy: # - kubelet can be same version as control plane # - kubelet can be 1 minor version behind # - kubelet cannot be ahead of control plane ```

Step 8: Verify Node Instance Profile

```bash # Check if instance has IAM profile aws ec2 describe-instances --instance-ids i-abc123 \ --query 'Reservations[*].Instances[*].IamInstanceProfile'

# If null, attach profile: aws ec2 associate-iam-instance-profile \ --instance-id i-abc123 \ --iam-instance-profile Name=eks-node-profile

# Node role needs: # - AmazonEKSWorkerNodePolicy # - AmazonEC2ContainerRegistryReadOnly # - AmazonEKS_CNI_Policy ```

Step 9: Test Connectivity to Control Plane

```bash # From the node, test API server connectivity curl -k https://CLUSTER_ENDPOINT/healthz

# Should return "ok"

# Test DNS resolution nslookup CLUSTER_ENDPOINT

# Check if node can reach cluster aws ssm start-session --target i-abc123 curl -v https://CLUSTER_ENDPOINT ```

Step 10: Reboot or Recreate Node

```bash # If all configuration correct, reboot node aws ec2 reboot-instances --instance-ids i-abc123

# Or terminate and let ASG recreate aws ec2 terminate-instances --instance-ids i-abc123

# For managed node groups, update to trigger rollout: aws eks update-nodegroup-version \ --cluster-name my-cluster \ --nodegroup-name my-nodegroup ```

Common aws-auth Errors

Symptom	Cause	Fix
Unauthorized	Role not in aws-auth	Add mapRoles entry
Forbidden	Wrong groups	Add system:nodes group
Cannot connect	Network issue	Check security groups
Certificate error	Wrong cluster CA	Verify bootstrap data

Verification

```bash # Check node status kubectl get nodes

# Should show Ready status NAME STATUS ROLES AGE VERSION ip-10-0-1-100.ec2.internal Ready <none> 1m v1.28.0

# Check node details kubectl describe node ip-10-0-1-100.ec2.internal

# Conditions should show Ready: True ```

[Fix AWS EKS Cluster Autoscaler Not Scaling](/articles/fix-aws-eks-cluster-autoscaler-not-scaling)
[Fix AWS EKS Pod Networking Failed](/articles/fix-aws-eks-pod-networking-failed)
[Fix AWS EKS IAM Role for Service Account](/articles/fix-aws-eks-iam-role-for-service-account)

[AWS troubleshooting: Fix IAM Permission Denied - Complete Tro](fix-iam-permission-denied)
[AWS cloud troubleshooting: AWS ACM Certificate Pending Validation Because the](aws-acm-certificate-pending-validation-wrong-route53-zone)
[AWS cloud troubleshooting: AWS ALB Returns 502 Because the Target Closed the ](aws-alb-502-target-closed-connection-keepalive-timeout-mismatch)
[AWS cloud troubleshooting: Fix AWS ALB CreateListener TargetGroupNotFound Err](aws-alb-createlistener-targetgroupnotfound)
[AWS cloud troubleshooting: Fix Aws Alb Lambda 502 Bad Gateway Issue in AWS](aws-alb-lambda-502-bad-gateway)

Was this guide helpful?

Related search paths

People also search for

If the symptom is close but not identical, these search paths usually surface the right neighboring fixes faster than scrolling the full archive.

AWS EKS Node Not Joining Cluster AWS EKS Node Not Joining Cluster AWS AWS EKS Node Not Joining Cluster troubleshooting AWS EKS Node Not Joining Cluster fix Resolve EKS node joining failures by fixing aws-auth ConfigMap, IAM roles, security groups, and networking configuration AWS Resolve EKS node joining failures by fixing aws-auth ConfigMap, IAM roles, security groups, and networking configuration

Explore Related Topics

Browse Guides from Other Categories

Discover troubleshooting guides from related categories to expand your knowledge.

FAQ

AWS Troubleshooting FAQs

Common questions about troubleshooting and preventing similar issues

How do I know if this aws-errors troubleshooting guide applies to my situation?

This guide is designed for aws-errors issues. If you're experiencing similar symptoms described in the article, follow the step-by-step instructions. Start with the most common causes and work through the diagnostic process.

Is it safe to follow these aws-errors troubleshooting steps?

Yes, all steps are designed to be safe and non-destructive. We recommend creating backups before making significant changes and testing each step before proceeding to the next.

How long does it typically take to resolve this type of aws-errors issue?

Most aws-errors issues can be resolved within 30 minutes to 2 hours, depending on the complexity and root cause. Follow the troubleshooting flow to identify and fix the problem efficiently.

How can I prevent this aws-errors issue from happening again?

Regular maintenance, monitoring, and following best practices for aws-errors configuration can help prevent recurrence. Consider implementing automated checks and alerts for early detection.

Written by

FixWikiHub Editorial Team

Our editorial team consists of experienced DevOps engineers, systems administrators, and cloud architects with hands-on experience in production environments across AWS, Azure, GCP, and on-premises infrastructure.

Every guide undergoes technical review for accuracy and is updated when software versions, commands, or best practices change.

Last updated: Apr 1, 2026

About our team

Important Notice

Disclaimer & Safety Guidelines

The troubleshooting steps in this guide are provided for educational and informational purposes. Before applying any changes to production systems:

Test in a staging environment first — Always verify commands and configurations in a non-production environment before deploying to live systems.
Create backups — Ensure you have current backups of databases, configurations, and critical files before making changes.
Understand the impact — Review how each step may affect your specific environment, dependencies, and users.
Consult official documentation — This guide supplements, but does not replace, official vendor documentation and best practices.

FixWikiHub is not responsible for any damages arising from the use of this content. See our Terms of Use for more information.

Resources

Official Documentation & Further Reading

For authoritative information, consult the official documentation for the technologies discussed in this guide. Our troubleshooting content supplements, but does not replace, vendor documentation.

AWS Documentation — Official Amazon Web Services guides and API references
Kubernetes Documentation — Official Kubernetes documentation
Nginx Documentation — Official Nginx web server documentation
Apache Documentation — Official Apache HTTP Server documentation
Docker Documentation — Official Docker container documentation

Fix AWS EKS Node Not Joining Cluster

Introduction

Symptoms

Common Causes

Step-by-Step Fix

Step 1: Check Node IAM Role

Step 2: Verify aws-auth ConfigMap

Step 3: Check Node Security Group

Step 4: Verify Cluster Endpoint Access

Step 5: Check kubelet Logs on Node

Step 6: Verify Node's Bootstrap Script

Step 7: Check Kubernetes Version Compatibility

Step 8: Verify Node Instance Profile

Step 9: Test Connectivity to Control Plane

Step 10: Reboot or Recreate Node

Common aws-auth Errors

Verification

People also search for

Browse Guides from Other Categories

WordPress

SSL

DNS

AWS Troubleshooting FAQs

FixWikiHub Editorial Team

Disclaimer & Safety Guidelines

Official Documentation & Further Reading

Fix AWS EKS Node Not Joining Cluster

Introduction

Symptoms

Common Causes

Step-by-Step Fix

Step 1: Check Node IAM Role

Step 2: Verify aws-auth ConfigMap

Step 3: Check Node Security Group

Step 4: Verify Cluster Endpoint Access

Step 5: Check kubelet Logs on Node

Step 6: Verify Node's Bootstrap Script

Step 7: Check Kubernetes Version Compatibility

Step 8: Verify Node Instance Profile

Step 9: Test Connectivity to Control Plane

Step 10: Reboot or Recreate Node

Common aws-auth Errors

Verification

Related Issues

Related Articles

People also search for

Share this guide

More AWS Troubleshooting Guides

Browse Guides from Other Categories

AWS Troubleshooting FAQs

FixWikiHub Editorial Team

Disclaimer & Safety Guidelines

Official Documentation & Further Reading