AWS Instance Profile Role Removed from aws-auth Breaks Node Registration

critical

securityUpdated Feb 23, 2026

When all EKS-managed node groups using a shared instance profile are deleted, AWS removes the instance profile role from aws-auth ConfigMap, breaking Cast AI-managed nodes that rely on the same role for kubelet authentication to the API server.

Sources

Cloud provider troubleshooting - Getting started - Cast AIdocs.cast.ai

Technologies:

Cast.aiSymptoms of this issue are visible in Cast.ai metrics and logs

Azure AKSAzure AKS metrics correlate with this issue and help confirm diagnosis

KubernetesSymptoms of this issue are visible in Kubernetes metrics and logs

kubernetes.nodes.status.not_ready.count

kubernetes.kubelet.authentication.failures.total

How to detect:

Monitor node health status transitions to NotReady. Track kubelet authentication errors in node logs (unauthorized errors accessing api-server). Watch for EKS managed node group deletion events. Monitor aws-auth ConfigMap changes for removed roles.

Recommended action:

For ConfigMap access mode: re-add the instance profile role to aws-auth ConfigMap with system:bootstrappers and system:nodes groups. For EKS API + ConfigMap mode: add entry to either EKS access entry list or aws-auth ConfigMap. Avoid sharing instance profiles between Cast AI nodes and EKS-managed node groups.