Mapping AWS IAM Identity Center managed roles to K8s permissions #333
Comments
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
@nckturner (who seems to be the main repo contributor), do you have any insights on how this can be achieved in the current state? Otherwise, do you have some plans to support it? Thank you! |
I have separate dev/prod/etc accounts using AWS SSO. To achieve this I do something like this:

```shell
# Resolve the generated role names by permission set prefix; the random suffix differs per account.
export ADMIN_ROLE=$(aws iam list-roles --query 'Roles[?starts_with(RoleName, `AWSReservedSSO_KubernetesAdmin`) == `true`].RoleName' --output text)
export READ_ONLY_ROLE=$(aws iam list-roles --query 'Roles[?starts_with(RoleName, `AWSReservedSSO_KubernetesReadOnly`) == `true`].RoleName' --output text)
export ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
# Substitute the resolved names into the configmap template.
envsubst < specs/configmap.tpl.yml > specs/configmap.yml
```

Then the configmap:

To achieve it in the same account you'd just need to do some more shell work. |
This tackles initial provisioning, but since the name of AWS SSO managed roles is subject to change, this mapping can break at any point in time, can't it? |
Does it? Maybe if you re-provision, I should test that in my env. Could always add a cronjob on k8s to poll AWS and update the configmap. Obviously not ideal but easy fixes. |
@billinghamj I don't think this is a duplicate. This is related, but this is specifically about a strategy for using SSO roles (which have different names in different accounts, which means each account would have to have a duplicate entry in the configMap). Even if the paths-in-names bug were to be fixed, this would still be a separate question/issue (not quite a bug, just a non-ergonomic developer experience for those using SSO) |
We have just hit this issue as well with a new SSO implementation. This will be fine with the CLI as I have a separate role we will assume there (from the SSO based role we assume via Correct me if I am wrong here but a heap of this problem would go away if this more closely followed what Hashicorp Vault does here in not naively matching strings in the ARNs and actually checking for a Unique Identifier, which in the case of assumed roles is the part before the colon in |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
I can confirm that RANDOM_SUFFIX in AWSReservedSSO_AdministratorAccess_RANDOM-SUFFIX can change. |
Indeed, a required feature for SSO enabled access |
Might be solved when #416 is merged, since using |
/retitle Mapping AWS IAM Identity Center managed roles to K8s permissions (AWS IAM Identity Center was previously known as AWS SSO) |
Thanks. I read your comment and went searching for where this suggestion came from... I found a couple of GitHub issues that mention this variable and a single reference in this doc: https://aws.github.io/aws-eks-best-practices/security/docs/iam/. I guess I will have to read all of this as well to ensure I have not missed any undocumented options that have yet to make it into the official documentation. This to me still feels like a hack (although it looks effective for AWS SSO, for now). I could be wrong, but the session name being set to the username from the IdP regardless of the |
What's the status of this since #416 was merged? That's still marked as "alpha." |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
Hey! We have our EKS clusters spread across multiple AWS accounts and those random suffixes in AWS SSO roles are really painful for us. To overcome this, I have implemented the https://github.com/justinas-b/aws-iam-authenticator-sso-wrapper utility until permissionSet names or wildcards are supported natively. If anyone would like to test it and provide feedback, I would really appreciate it. This tool basically monitors
It translates that configMap to regular format and updates |
Hello,
I'm using AWS SSO to manage roles and permissions in several AWS accounts. Consequently, my roles are autoprovisioned in each AWS account by AWS SSO and their names look like AWSReservedSSO_SomeRole_e11aa594f712e1dc.
What would be the best way to manage this with aws-iam-authenticator? The current solution seems to force you to specify the full role name, so the configuration looks like:
The issue is that the name of the role changes in each AWS account, which makes things quite hard to automate. Do you have any guidelines to suggest in this context?
AWS SSO is becoming more and more prevalent, so I expect this is a quite widely encountered issue.
Thank you!
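As an added example (not code from this thread or from aws-iam-authenticator) addressing the question above with the approach sketched earlier in the thread: resolve the AWSReservedSSO_* role names by permission set and generate the mapRoles entries from that, instead of hard-coding the per-account suffix. It runs against a constructed `aws iam list-roles` sample; the account id, region and group names are made up, `{{SessionName}}` is the authenticator's template variable, and the path stripping reflects the rule that mapRoles ARNs must not include the IAM path that SSO-managed roles carry.

```python
import json
import re

# Constructed sample of `aws iam list-roles --output json` (not real account data). The hex
# suffix after the permission set name differs per account and can change on re-provisioning.
SSO_PATH = "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/eu-west-1/"
SAMPLE_LIST_ROLES = json.dumps({"Roles": [{"RoleName": n, "Arn": SSO_PATH + n} for n in (
    "AWSReservedSSO_KubernetesAdmin_e11aa594f712e1dc",
    "AWSReservedSSO_KubernetesReadOnly_4c0ffee0badf00d1",
    "AWSReservedSSO_AdministratorAccess_0123456789abcdef",
)] + [{"RoleName": "eks-node-role", "Arn": "arn:aws:iam::123456789012:role/eks-node-role"}]})

# Operator-maintained intent, keyed by permission set name rather than by the generated role name.
# Group names are constructed; {{SessionName}} is the authenticator's template variable.
PERMISSION_SET_MAP = {
    "KubernetesAdmin": {"username": "sso-admin:{{SessionName}}", "groups": ["system:masters"]},
    "KubernetesReadOnly": {"username": "sso-ro:{{SessionName}}", "groups": ["view-only"]},
}

# Managed roles look like AWSReservedSSO_<PermissionSet>_<16 hex chars>. Anchoring on the
# fixed-width suffix avoids a bare prefix match treating "KubernetesAdminFoo" as "KubernetesAdmin".
SSO_ROLE_RE = re.compile(r"^AWSReservedSSO_(?P<pset>[\w+=,.@-]+)_(?P<suffix>[0-9a-f]{16})$")


def role_arn_without_path(arn: str) -> str:
    """mapRoles entries must not carry the IAM path: keep the account and the bare role name."""
    prefix, _, resource = arn.partition(":role/")
    return f"{prefix}:role/{resource.rsplit('/', 1)[-1]}"


def resolve_sso_roles(list_roles_json: str, pset_map: dict) -> list:
    """Build mapRoles entries for every managed SSO role whose permission set is in pset_map."""
    entries = []
    for role in json.loads(list_roles_json)["Roles"]:
        m = SSO_ROLE_RE.match(role["RoleName"])
        if not m or m["pset"] not in pset_map:
            continue  # not an SSO-managed role, or a permission set we deliberately leave unmapped
        entries.append({"rolearn": role_arn_without_path(role["Arn"]), **pset_map[m["pset"]]})
    return entries


def render_map_roles(entries: list) -> str:
    """Render the mapRoles block of the aws-auth ConfigMap as text (no yaml dependency needed)."""
    lines = ["mapRoles: |"]
    for e in entries:
        lines += [f"  - rolearn: {e['rolearn']}", f"    username: {e['username']}", "    groups:"]
        lines += [f"      - {g}" for g in e["groups"]]
    return "\n".join(lines) + "\n"
```

Fed real `aws iam list-roles --output json` output from a CronJob or CI step, diffing the rendered block against the live aws-auth ConfigMap both keeps the mapping current and flags an unexpected suffix change.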