Is it possible to use with AssumeRoleWithWebIdentity? #154

Closed
cromega opened this issue Oct 3, 2018 · 11 comments · May be fixed by #597
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@cromega

cromega commented Oct 3, 2018

It's not an issue per se because I'm not even sure what I'm trying to do is possible.

I installed an EKS cluster but a requirement is setting up federated login with G-suite. I created a Role for federated access via the Google identity provider:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:aud": "FOO-BAR.apps.googleusercontent.com"
        }
      }
    }
  ]
}

The aws-auth-cm.yml applied on the cluster looks like this:

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <ARN of the role above>
      username: kubernetes-admin
      groups:
        - system:masters

and my kubeconfig is as follows:

users:
- name: aws
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws-iam-authenticator
      args:
        - "token"
        - "-i"
        - "eks-test"
        - "-r"
        - "<ARN of the role above>"

If I execute aws-iam-authenticator directly with the same parameters I get

could not get  token: AccessDenied: Access denied

I'm not quite sure whether what I'm trying to do makes sense, but let me explain what I expect the user experience to look like:

$ kubectl --kubeconfig ~/.kube/eks get svc
Log in to your account following this URL and paste the authentication code in here:
https://accounts.google.com/o/auth2/auth?client_id=....
code: asddfsfq343j2kl2k4

Temporary access granted for 3600 seconds.

Is it possible to set up authentication like this? If not then I don't really understand how the authenticator is supposed to get a token through normal AssumeRole.

Please help!

@mattlandis
Contributor

This is currently not supported. I don't see any problem with adding support for it though. Let's discuss implementation and user experience here.

As a workaround you can remove the -r option from the kubeconfig, use the CLI to get credentials with aws sts assume-role-with-web-identity (docs) for the role, and you should be able to authenticate that way.

/kind feature
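A shell script for the workaround described in the comment above (an added example, not code from the thread or from aws-iam-authenticator): it calls aws sts assume-role-with-web-identity with the Google ID token, exports the returned session credentials, and then runs the authenticator without -r so it signs with those credentials. The role ARN, token file path, region and the cluster ID "eks-test" are assumed placeholders.

```shell
#!/bin/sh
# Workaround flow: STS AssumeRoleWithWebIdentity via the AWS CLI, export the
# temporary credentials, then run aws-iam-authenticator without -r.
# Placeholders (assumptions): role ARN, token file, cluster ID, region.
set -euf

ROLE_ARN="${ROLE_ARN:-arn:aws:iam::123456789012:role/PLACEHOLDER-federated-role}"
TOKEN_FILE="${AWS_WEB_IDENTITY_TOKEN_FILE:-$HOME/.google-id-token}"
CLUSTER_ID="${CLUSTER_ID:-eks-test}"
AWS_REGION="${AWS_REGION:-us-east-1}"

# Parse one line of `--output text` from the STS call, i.e.
# "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken<TAB>Expiration",
# into the variables the SDK credential chain reads. Returns 1 and
# exports nothing if the line does not carry exactly four fields.
parse_sts_text() {
  old_ifs=$IFS
  IFS="$(printf '\t')"
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || { echo "unexpected STS output ($# fields)" >&2; return 1; }
  AWS_ACCESS_KEY_ID=$1; AWS_SECRET_ACCESS_KEY=$2; AWS_SESSION_TOKEN=$3
  CREDENTIAL_EXPIRATION=$4
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

get_eks_token() {
  [ -s "$TOKEN_FILE" ] || { echo "no web identity token at $TOKEN_FILE" >&2; return 1; }
  # Unsigned STS call: it needs only the OIDC token, not existing AWS credentials.
  creds=$(aws sts assume-role-with-web-identity \
      --region "$AWS_REGION" \
      --role-arn "$ROLE_ARN" \
      --role-session-name "eks-$(id -un)" \
      --web-identity-token "file://$TOKEN_FILE" \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
      --output text)
  parse_sts_text "$creds"
  echo "temporary credentials valid until $CREDENTIAL_EXPIRATION" >&2
  # No -r here: the authenticator signs with the exported session credentials.
  aws-iam-authenticator token -i "$CLUSTER_ID"
}

# Run the live flow only when asked, so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
  get_eks_token
fi
```

Invoke it as `sh get-eks-token.sh run`, or point the kubeconfig exec entry at it in place of the bare aws-iam-authenticator command.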

@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 18, 2018
@micahhausler
Member

There is a new credential provider being added to the SDKs to support AssumeRoleWithWebIdentity that should land later this year. Once that is ready, it should just be a matter of updating the Go SDK for this repo to support this: See aws/aws-sdk-go#2193

Getting a token from your OIDC provider in the first place will require some extra code though.

@cromega
Author

cromega commented Oct 30, 2018

@micahhausler good news, thanks.

I already have some code to obtain an identity token from the auth provider but I'm struggling to find a sensible way of hooking it all up with the aws cli (to run aws sts) and then to pass that session token to the aws-iam-authenticator.

@whereisaaron

I'd love a solution for this too. We can't use dex with AWS EKS, so this path would be the next best thing. @micahhausler @xibz will that aws/aws-sdk-go#2193 patch land soon? That seems the cleanest way forward.

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 12, 2019
@nckturner
Contributor

aws/aws-sdk-go#2193 looks like it might be landing soon. The simplest thing we can do is just update the SDK, then the user would need to ensure a token is placed in the location specified by $AWS_WEB_IDENTITY_TOKEN_FILE and the desired role to be assumed is specified by $AWS_IAM_ROLE_ARN.

@whereisaaron

@cromega if aws/containers-roadmap#166 lands we'll be able to use OIDC directly without having to jump through all the IAM hoops. Plus you can get back to the more fine-grained security of user:user mapping, rather than all federated users being glommed onto one cluster username as happens now. Should eliminate one of the current big drawbacks of using EKS. 🎉

@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jul 13, 2019
@whereisaaron

/lifecycle rotten

Still waiting for an OIDC or Web Identity authentication option.

@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
