
[Bug]: Authentication mode EKS API accepts yet ignores arn:aws:iam::111122223333:root #797

Open
neoakris opened this issue Dec 21, 2024 · 0 comments
Labels: kind/bug, needs-triage

Comments

@neoakris

What happened?

In the EKS Web GUI's Access Tab, with Access configuration set to
Authentication mode = EKS API and ConfigMap

I can add an IAM access entry of arn:aws:iam::111122223333:root and it'll be accepted as valid input, but ignored in practice.

What you expected to happen?

According to the AWS IAM Docs: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts
"Principal": { "AWS": "arn:aws:iam::111122223333:root" }
is equal to "Principal": { "AWS": "111122223333" }
(To translate into plain English: in this context root != root user, but the root (as in base) of the account, so it effectively means all identities in the account.)

Why it's significant:
EKS's aws-auth configmap allowed IAM users, IAM roles, and AWS accounts (as in all IAM identities in the AWS account).
EKS's Authentication mode of "EKS API" GUI & docs say it only allows IAM users & IAM roles.
At first glance it looks like "EKS API" mode doesn't support AWS accounts.

And if you try to use
"Principal": { "AWS": "111122223333" } in the EKS Web GUI's Access Tab, it'll fail input validation.
But the following (which IAM docs say is equivalent) will pass input validation:
"Principal": { "AWS": "arn:aws:iam::111122223333:root" }

Since EKS API is supposed to be a replacement for the deprecated aws-auth configmap, and the value passed input validation, it's reasonable for a user to think that "EKS API" also supports all IAM identities in the AWS account, under the assumption that it's a poorly documented feature.

Anything else we need to know?

I'm running EKS proper; it's my understanding that this open source code runs on EKS's managed masters.

Installation tooling

other (please specify in description)

AWS IAM Authenticator server Version

NA

Client information

- OS/arch: Mac (ARM) 
- kubernetes client & version: 1.30  
  Client Version: v1.31.0  
  Kustomize Version: v5.4.2  
  Server Version: v1.30.7-eks-56e63d8
- authenticator client & version:

Kubernetes API Version

1.30

aws-iam-authenticator YAML manifest

No response

kube-apiserver YAML manifest

No response

aws-iam-authenticator logs

No response
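The issue above turns on one IAM rule: in a policy's Principal element, `arn:aws:iam::111122223333:root` and the bare account ID `111122223333` name the same thing, the whole account, not an IAM user or role. The following is an added example (it is not code from aws-iam-authenticator, EKS, or the issue author) of a pre-flight check a practitioner can run over a list of principal ARNs before calling `aws eks create-access-entry`: it classifies each principal the way IAM reads it, treats the two account forms as equal, and refuses anything that is not an IAM user or role ARN, so the silently-ignored `:root` form reported above is caught before it is submitted. Function names, the accepted partitions, and the sample inputs are assumptions made for this example.

```python
"""Classify IAM principal strings the way IAM's Principal element reads them.

Added example, not project code. Reproduces the IAM rule that
"arn:aws:iam::111122223333:root" == "111122223333" (the whole account), and
uses it to reject account-wide principals before they reach an EKS access
entry, which takes IAM user and role ARNs only.
"""
import re

# A bare 12-digit account ID is the short form of the account principal.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Minimal IAM/STS ARN grammar: arn:PARTITION:SERVICE::ACCOUNT:RESOURCE
# (the region field is always empty for iam and sts ARNs).
IAM_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):(?P<service>iam|sts)"
    r"::(?P<account>\d{12}):(?P<resource>.+)$"
)

# Principal kinds an EKS access entry can actually match (assumption for this
# example, based on the console and docs cited in the issue: users and roles).
ACCESS_ENTRY_KINDS = {"user", "role"}


def classify_principal(principal: str) -> dict:
    """Return {"kind", "account", "name"} for a principal string.

    kind is one of:
      "account"      whole-account principal (bare ID or the :root ARN)
      "user"         arn:<partition>:iam::ACCOUNT:user/NAME
      "role"         arn:<partition>:iam::ACCOUNT:role/NAME
      "assumed-role" arn:<partition>:sts::ACCOUNT:assumed-role/ROLE/SESSION
      "other"        anything else (federated users, service principals, junk)
    """
    p = principal.strip()
    if ACCOUNT_ID_RE.match(p):
        return {"kind": "account", "account": p, "name": None}
    m = IAM_ARN_RE.match(p)
    if not m:
        return {"kind": "other", "account": None, "name": p}
    service, account, resource = m.group("service"), m.group("account"), m.group("resource")
    if service == "iam" and resource == "root":
        # The :root ARN is the account, not the account's root user.
        return {"kind": "account", "account": account, "name": None}
    if service == "iam" and resource.startswith("user/"):
        return {"kind": "user", "account": account, "name": resource.split("/", 1)[1]}
    if service == "iam" and resource.startswith("role/"):
        # name keeps any path component, e.g. "path/eks-admin".
        return {"kind": "role", "account": account, "name": resource.split("/", 1)[1]}
    if service == "sts" and resource.startswith("assumed-role/"):
        return {"kind": "assumed-role", "account": account, "name": resource.split("/", 1)[1]}
    return {"kind": "other", "account": account, "name": resource}


def same_principal(a: str, b: str) -> bool:
    """True when IAM would read both strings as the same principal."""
    ca, cb = classify_principal(a), classify_principal(b)
    return ca["kind"] != "other" and ca == cb


def check_access_entry_principal(principal: str) -> tuple:
    """Return (ok, reason) for a candidate EKS access entry principal ARN."""
    c = classify_principal(principal)
    if c["kind"] in ACCESS_ENTRY_KINDS:
        return True, "%s %s in account %s" % (c["kind"], c["name"], c["account"])
    if c["kind"] == "account":
        return False, (
            "'%s' names every identity in account %s (IAM reads the :root ARN and the "
            "bare account ID alike); access entries take IAM users and roles, and the "
            "issue above reports the :root form is accepted by the console but ignored"
            % (principal, c["account"])
        )
    if c["kind"] == "assumed-role":
        return False, (
            "'%s' is an STS session ARN; use the underlying iam role ARN instead" % principal
        )
    return False, "'%s' is not an IAM user or role ARN" % principal


if __name__ == "__main__":
    # Constructed sample inputs; 111122223333 is the documentation example account.
    for arn in (
        "arn:aws:iam::111122223333:root",
        "111122223333",
        "arn:aws:iam::111122223333:role/eks-admin",
        "arn:aws:sts::111122223333:assumed-role/eks-admin/session1",
    ):
        ok, reason = check_access_entry_principal(arn)
        print("OK  " if ok else "SKIP", reason)
```

Running the block prints one line per sample principal; the two account forms are rejected with the same explanation, the role ARN passes, and the STS session ARN is redirected to its IAM role ARN. Wire `check_access_entry_principal` in front of whatever creates access entries (CLI wrapper, Terraform validation, CI lint) so a `:root` principal fails loudly instead of being accepted and ignored.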
