
[EKS] [request]: MapGroups in ConfigMap #150

Open
vitorgou opened this issue Feb 4, 2019 · 9 comments

@vitorgou

commented Feb 4, 2019

Tell us about your request
In order to grant access to a group of users to an EKS cluster, I'd like to map a whole IAM group in the ConfigMap. Similar to "mapRoles" and "mapUsers", I'd like to use something like "mapGroups" and inform a group arn.

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
In order to map a group of users to grant access to the EKS cluster, with current configMap specifications, the way to do it is to map each individual user by editing the configMap with "mapUsers".

Are you currently working around this issue?
The current workaround for this is to create an IAM policy that allows the group to assume a role that has access to the cluster and is mapped in the configMap. Then, assume the role before accessing the cluster with a command like: aws sts assume-role --role-arn arn:aws:iam::123456789:role/EKS-test-role --role-session-name

Additional context
Please let me know if this is a valid feature request. Maybe there's something here I'm missing, but I think it should be OK to map an IAM group ARN to grant access to the EKS cluster.

@vitorgou vitorgou added the Proposed label Feb 4, 2019

@abby-fuller abby-fuller added the EKS label Feb 4, 2019

@mjrmyke


commented Feb 6, 2019

+1

I was looking up documentation online for this same scenario, and happened to find this issue. Our engineers are put into groups for organizational purposes, it would be great to be able to leverage that organization in EKS.

@rtkgjacobs


commented Feb 6, 2019

+1

@christopherhein

Member

commented Feb 15, 2019

Cross linking the issue on the authenticator - kubernetes-sigs/aws-iam-authenticator#176

Thanks for filing this. Technically the difficulty with this is that IAM groups don't support the get-caller-identity request that the AWS IAM Authenticator uses to validate users on the control plane. Would be good to explore other options to make this easier.

@avandijk42


commented Feb 21, 2019

+1

This would be great way to organize our team's permissions.

@onkymykiss1


commented Feb 22, 2019

+1

@wstewartii


commented Mar 14, 2019

I'm currently using https://github.com/ygrene/iam-eks-user-mapper as a workaround to this problem. It would be great if we could get this feature implemented.

@omerh


commented Apr 28, 2019

@wstewartii I was thinking to use this as well, but doesn't it kill the API call limit to AWS?
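The two comments above (the iam-eks-user-mapper workaround, and the question about IAM API quota) describe one pattern: periodically read the IAM group's membership and rewrite the mapUsers block of aws-auth from it. The script below is an added example that implements that pattern offline; it is not code from this thread, from iam-eks-user-mapper, or from EKS. The group membership and the current mapUsers content are constructed stand-ins (the membership has the shape boto3's `iam.get_group(GroupName=...)["Users"]` returns), and the group names, account ID and user names are hypothetical. The quota point is visible in the structure: a real sync issues one GetGroup call per IAM group per interval (paginating on `IsTruncated`/`Marker`), which is the only IAM traffic it generates.

```python
"""Sync IAM group members into the mapUsers block of the aws-auth ConfigMap.

Added example, not the project's code and not iam-eks-user-mapper itself.
GROUP_MEMBERSHIP is a constructed stand-in for iam.get_group()["Users"];
EXISTING_MAP_USERS is a constructed stand-in for the parsed data.mapUsers.
"""
from __future__ import annotations

import json

# Constructed sample membership, shaped like iam.get_group()["Users"].
GROUP_MEMBERSHIP = {
    "eks-developers": [
        {"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice"},
        {"UserName": "bob", "Arn": "arn:aws:iam::123456789012:user/bob"},
    ],
}

# Hypothetical mapping: IAM group name -> Kubernetes groups that RBAC binds.
GROUP_MAPPING = {"eks-developers": ["eks-developers"]}

# Constructed current mapUsers content. carol has left the IAM group but still
# has a stale mapping; ops-admin is a hand-managed entry the sync must not touch.
EXISTING_MAP_USERS = [
    {"userarn": "arn:aws:iam::123456789012:user/ops-admin",
     "username": "ops-admin", "groups": ["system:masters"]},
    {"userarn": "arn:aws:iam::123456789012:user/carol",
     "username": "carol", "groups": ["eks-developers"]},
]


def sync_map_users(existing, membership, mapping):
    """Return the new mapUsers list.

    Entries granting any sync-managed Kubernetes group are regenerated from IAM
    membership, so a user removed from the IAM group loses access on the next
    run. Entries granting only other groups are hand-managed and kept verbatim;
    if such an entry already covers a member's ARN, no second entry is emitted
    for that ARN, so the hand-managed grant wins and the ARN stays unique.
    """
    managed = {g for groups in mapping.values() for g in groups}
    kept = [e for e in existing if not (set(e.get("groups", [])) & managed)]
    hand_managed_arns = {e["userarn"] for e in kept}

    desired = {}
    for iam_group, k8s_groups in mapping.items():
        for member in membership.get(iam_group, []):
            arn = member["Arn"]
            if arn in hand_managed_arns:
                continue
            entry = desired.setdefault(
                arn, {"userarn": arn, "username": member["UserName"], "groups": []})
            for g in k8s_groups:
                if g not in entry["groups"]:
                    entry["groups"].append(g)
    return kept + [desired[arn] for arn in sorted(desired)]


def render_map_users(entries):
    """Render entries as the YAML list aws-auth expects under data.mapUsers."""
    lines = []
    for e in entries:
        lines.append(f"- userarn: {e['userarn']}")
        lines.append(f"  username: {e['username']}")
        lines.append("  groups:")
        lines.extend(f"    - {g}" for g in e["groups"])
    return "\n".join(lines) + "\n"


def build_patch(entries):
    """JSON body for: kubectl -n kube-system patch configmap aws-auth --type merge -p '<body>'

    A merge patch on data.mapUsers alone leaves data.mapRoles (including the
    node instance-role entry the cluster depends on) untouched; replacing the
    whole ConfigMap would not.
    """
    return json.dumps({"data": {"mapUsers": render_map_users(entries)}})


if __name__ == "__main__":
    print(build_patch(sync_map_users(EXISTING_MAP_USERS, GROUP_MEMBERSHIP, GROUP_MAPPING)))
```

Because the sync owns every entry that grants a managed Kubernetes group, removing someone from the IAM group revokes their cluster access at the next interval without anyone editing aws-auth by hand; the interval is therefore also the revocation latency, and shortening it costs one GetGroup call per group per run.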

@1juandiaz


commented May 2, 2019

+1

@MKrupA5


commented May 30, 2019

1. Attach a policy to the Group that grants permission to call sts:AssumeRole on the desired Role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "123",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::123456789:role/<assigned_Eks_role>"
      ]
    }
  ]
}
```

2. Also, attach a Trust Policy on the Role. The sample policy (below) trusts any user in the account, but they would also need sts:AssumeRole permissions (above) to assume the role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

3. Add the role ARN to the configMap as below.

```yaml
- rolearn: arn:aws:iam::123456789:role/
  username: system:*
  groups:
    - system:masters
```

4. Save the file and apply the configMap.
5. Now test with another user who belongs to the group.
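The procedure above works, and the account-root trust policy is not an oversight: an IAM group cannot be named as a Principal in a role's trust policy, so the identity policy on the group (step 1) is what actually decides who may assume the role, and adding `"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}` to that statement is the usual way to require MFA on the path into the cluster. What a practitioner will want to change is the cluster side: mapping the role to `system:masters` makes every group member cluster-admin. The manifests below are an added example, not from this thread or from EKS documentation, showing the role mapped to a dedicated Kubernetes group that RBAC then scopes to one namespace. The account ID `123456789012`, role `eks-developers`, group `eks-developers`, and namespace `dev` are hypothetical.

```yaml
# aws-auth ConfigMap (kube-system). Only the mapRoles entry for the assumable
# role is shown; a live cluster also carries the node instance-role entry, so
# edit or patch the existing ConfigMap rather than replacing it with this.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # rolearn must be written without any IAM path component.
    - rolearn: arn:aws:iam::123456789012:role/eks-developers
      # {{SessionName}} is expanded by the authenticator, so the audit log
      # records which IAM user assumed the shared role.
      username: eks-dev:{{SessionName}}
      groups:
        - eks-developers
---
# Namespace-scoped, read-mostly role for the group instead of system:masters.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: dev
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: eks-developers
  namespace: dev
subjects:
  - kind: Group
    name: eks-developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
```

To check the mapping from a group member's workstation, assume the role with `--role-session-name` set to your own user name and run `kubectl auth can-i get pods -n dev` (expected: yes) and `kubectl auth can-i delete deployments -n dev` (expected: no); the corresponding `system:authenticated` entries in the API server audit log should carry the `eks-dev:<session name>` user.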