fix(eks): invalid arn when mapping users to rbac (#4549)

Elad Ben-Israel · web-flow · commit 8f4a38d5b262 · 2019-10-17T11:07:50.000+03:00
The ARN of IAM users was rendered with a region, but IAM resources are global. This means that IAM users could not be mapped to Kubernetes RBAC. This fix adds a `user.userArn` attribute which correctly renders the user's ARN and then uses this in the EKS library. This fixes #4545
diff --git a/packages/@aws-cdk/aws-eks/lib/aws-auth.ts b/packages/@aws-cdk/aws-eks/lib/aws-auth.ts
@@ -104,7 +104,7 @@ export class AwsAuth extends Construct {
   private synthesizeMapUsers() {
     return Lazy.anyValue({
       produce: () => this.stack.toJsonString(this.userMappings.map(m => ({
-        userarn: this.stack.formatArn({ service: 'iam', resource: 'user', resourceName: m.user.userName }),
+        userarn: m.user.userArn,
         username: m.mapping.username,
         groups: m.mapping.groups
       })))
diff --git a/packages/@aws-cdk/aws-eks/test/test.awsauth.ts b/packages/@aws-cdk/aws-eks/test/test.awsauth.ts
@@ -36,10 +36,10 @@ export = {
     const user = new iam.User(stack, 'user');
 
     // WHEN
-    cluster.awsAuth.addRoleMapping(role, { groups: [ 'role-group1' ], username: 'roleuser' });
-    cluster.awsAuth.addRoleMapping(role, { groups: [ 'role-group2', 'role-group3' ] });
-    cluster.awsAuth.addUserMapping(user, { groups: [ 'user-group1', 'user-group2' ] });
-    cluster.awsAuth.addUserMapping(user, { groups: [ 'user-group1', 'user-group2' ], username: 'foo' });
+    cluster.awsAuth.addRoleMapping(role, { groups: ['role-group1'], username: 'roleuser' });
+    cluster.awsAuth.addRoleMapping(role, { groups: ['role-group2', 'role-group3'] });
+    cluster.awsAuth.addUserMapping(user, { groups: ['user-group1', 'user-group2'] });
+    cluster.awsAuth.addUserMapping(user, { groups: ['user-group1', 'user-group2'], username: 'foo' });
     cluster.awsAuth.addAccount('112233');
     cluster.awsAuth.addAccount('5566776655');
 
@@ -71,31 +71,62 @@ export = {
                 "Arn"
               ]
             },
-            "\\\",\\\"groups\\\":[\\\"role-group2\\\",\\\"role-group3\\\"]}]\",\"mapUsers\":\"[{\\\"userarn\\\":\\\"arn:",
+            "\\\",\\\"groups\\\":[\\\"role-group2\\\",\\\"role-group3\\\"]}]\",\"mapUsers\":\"[{\\\"userarn\\\":\\\"",
             {
-              Ref: "AWS::Partition"
+              "Fn::GetAtt": [
+                "user2C2B57AE",
+                "Arn"
+              ]
             },
-            ":iam:us-east-1:",
+            "\\\",\\\"groups\\\":[\\\"user-group1\\\",\\\"user-group2\\\"]},{\\\"userarn\\\":\\\"",
             {
-              Ref: "AWS::AccountId"
+              "Fn::GetAtt": [
+                "user2C2B57AE",
+                "Arn"
+              ]
             },
-            ":user/",
+            "\\\",\\\"username\\\":\\\"foo\\\",\\\"groups\\\":[\\\"user-group1\\\",\\\"user-group2\\\"]}]\",\"mapAccounts\":\"[\\\"112233\\\",\\\"5566776655\\\"]\"}}]"
+          ]
+        ]
+      }
+    }));
+
+    test.done();
+  },
+
+  'imported users and roles can be also be used'(test: Test) {
+    // GIVEN
+    const { stack } = testFixtureNoVpc();
+    const cluster = new Cluster(stack, 'Cluster');
+    const role = iam.Role.fromRoleArn(stack, 'imported-role', 'arn:aws:iam::123456789012:role/S3Access');
+    const user = iam.User.fromUserName(stack, 'import-user', 'MyUserName');
+
+    // WHEN
+    cluster.awsAuth.addRoleMapping(role, { groups: ['group1'] });
+    cluster.awsAuth.addUserMapping(user, { groups: ['group2'] });
+
+    // THEN
+    expect(stack).to(haveResource(KubernetesResource.RESOURCE_TYPE, {
+      Manifest: {
+        "Fn::Join": [
+          "",
+          [
+            "[{\"apiVersion\":\"v1\",\"kind\":\"ConfigMap\",\"metadata\":{\"name\":\"aws-auth\",\"namespace\":\"kube-system\"},\"data\":{\"mapRoles\":\"[{\\\"rolearn\\\":\\\"",
             {
-              Ref: "user2C2B57AE"
+              "Fn::GetAtt": [
+                "ClusterDefaultCapacityInstanceRole3E209969",
+                "Arn"
+              ]
             },
-            "\\\",\\\"groups\\\":[\\\"user-group1\\\",\\\"user-group2\\\"]},{\\\"userarn\\\":\\\"arn:",
+            "\\\",\\\"username\\\":\\\"system:node:{{EC2PrivateDNSName}}\\\",\\\"groups\\\":[\\\"system:bootstrappers\\\",\\\"system:nodes\\\"]},{\\\"rolearn\\\":\\\"arn:aws:iam::123456789012:role/S3Access\\\",\\\"groups\\\":[\\\"group1\\\"]}]\",\"mapUsers\":\"[{\\\"userarn\\\":\\\"arn:",
             {
               Ref: "AWS::Partition"
             },
-            ":iam:us-east-1:",
+            ":iam::",
             {
               Ref: "AWS::AccountId"
             },
-            ":user/",
-            {
-              Ref: "user2C2B57AE"
-            },
-            "\\\",\\\"username\\\":\\\"foo\\\",\\\"groups\\\":[\\\"user-group1\\\",\\\"user-group2\\\"]}]\",\"mapAccounts\":\"[\\\"112233\\\",\\\"5566776655\\\"]\"}}]"
+            ":user/MyUserName\\\",\\\"groups\\\":[\\\"group2\\\"]}]\",\"mapAccounts\":\"[]\"}}]"
           ]
         ]
       }
diff --git a/packages/@aws-cdk/aws-iam/lib/user.ts b/packages/@aws-cdk/aws-iam/lib/user.ts
@@ -16,6 +16,12 @@ export interface IUser extends IIdentity {
    */
   readonly userName: string;
 
+  /**
+   * The user's ARN
+   * @attribute
+   */
+  readonly userArn: string;
+
   /**
    * Adds this user to a group.
    */
@@ -78,7 +84,7 @@ export interface UserProps {
    * acknowledge your template's capabilities. For more information, see
    * Acknowledging IAM Resources in AWS CloudFormation Templates.
    *
-   * @default Generated by CloudFormation (recommended)
+   * @default - Generated by CloudFormation (recommended)
    */
   readonly userName?: string;
 
@@ -90,7 +96,7 @@ export interface UserProps {
    * use `secretsmanager.Secret.fromSecretAttributes` to reference a secret in
    * Secrets Manager.
    *
-   * @default User won't be able to access the management console without a password.
+   * @default - User won't be able to access the management console without a password.
    */
   readonly password?: SecretValue;
 
@@ -123,6 +129,7 @@ export class User extends Resource implements IIdentity, IUser {
     class Import extends Resource implements IUser {
       public readonly grantPrincipal: IPrincipal = this;
       public readonly userName: string = userName;
+      public readonly userArn: string = arn;
       public readonly assumeRoleAction: string = 'sts:AssumeRole';
       public readonly policyFragment: PrincipalPolicyFragment = new ArnPrincipal(arn).policyFragment;
       private defaultPolicy?: Policy;
diff --git a/packages/@aws-cdk/aws-iam/test/user.test.ts b/packages/@aws-cdk/aws-iam/test/user.test.ts
@@ -19,10 +19,16 @@ describe('IAM user', () => {
       password: SecretValue.plainText('1234')
     });
 
-    expect(stack).toMatchTemplate({ Resources:
-      { MyUserDC45028B:
-         { Type: 'AWS::IAM::User',
-         Properties: { LoginProfile: { Password: '1234' } } } } });
+    expect(stack).toMatchTemplate({
+      Resources:
+      {
+        MyUserDC45028B:
+        {
+          Type: 'AWS::IAM::User',
+          Properties: { LoginProfile: { Password: '1234' } }
+        }
+      }
+    });
   });
 
   test('fails if reset password is required but no password is set', () => {
@@ -44,7 +50,7 @@ describe('IAM user', () => {
     // THEN
     expect(stack).toHaveResource('AWS::IAM::User', {
       ManagedPolicyArns: [
-        { "Fn::Join": [ "", [ "arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/asdf" ] ] }
+        { "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/asdf"]] }
       ]
     });
   });
@@ -74,4 +80,17 @@ describe('IAM user', () => {
       }
     });
   });
+
+  test('imported user has an ARN', () => {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    const user = User.fromUserName(stack, 'import', 'MyUserName');
+
+    // THEN
+    expect(stack.resolve(user.userArn)).toStrictEqual({
+      "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" }, ":iam::", { Ref: "AWS::AccountId" }, ":user/MyUserName"]]
+    });
+  });
 });
