Can I not add an IAM group to my ConfigMap? #176

Open
mrichman opened this issue Nov 21, 2018 · 3 comments

@mrichman
commented Nov 21, 2018

I have an IAM user named Alice, and she's a member of the IAM group eks-admin.

The following configuration works, but when I remove Alice from `mapUsers`, `kubectl` commands give me the error `error: You must be logged in to the server (Unauthorized)`.

Can't I add an IAM group to this ConfigMap, just like I can add a user or role?

```
aws sts get-caller-identity
{
    "Account": "123456789012",
    "UserId": "AIDAxxxxxxxxxxxxxxx",
    "Arn": "arn:aws:iam::123456789012:user/Alice"
}
```

```yaml
apiVersion: v1
data:
  mapRoles: |
    - rolearn: arn:aws:iam::123456789012:role/EKS-WorkerNodes-NodeInstanceRole-1R46GDBD928V5
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  mapUsers: |
    - userarn: arn:aws:iam::123456789012:user/Alice
      username: alice
      groups:
        - system:masters
    - userarn: arn:aws:iam::123456789012:group/eks-admin
      username: eks-admin
      groups:
        - system:masters
```
@luthes

commented Nov 28, 2018

Didn't read, you can only add roles and users.

I think this is a duplicate of #157 (which is probably a duplicate of another, honestly)
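
A small check for the situation in this thread, added here as an example and not part of the original discussion or the project's code: it scans `mapRoles`/`mapUsers` text and flags any entry whose ARN is not the user or role type its key expects, such as the `group/eks-admin` entry above. The function name `lint_mappings` and the line-based parsing are assumptions made for illustration; the sample data is copied from the ConfigMap in the issue.

```python
import re

# Sample input: the mapRoles/mapUsers strings from the ConfigMap in this issue.
MAP_ROLES = """\
- rolearn: arn:aws:iam::123456789012:role/EKS-WorkerNodes-NodeInstanceRole-1R46GDBD928V5
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
"""
MAP_USERS = """\
- userarn: arn:aws:iam::123456789012:user/Alice
  username: alice
  groups:
    - system:masters
- userarn: arn:aws:iam::123456789012:group/eks-admin
  username: eks-admin
  groups:
    - system:masters
"""

# Mapping key -> IAM resource type that key is expected to carry.
EXPECTED = {"rolearn": "role", "userarn": "user"}
ENTRY = re.compile(r"^\s*-?\s*(rolearn|userarn):\s*(\S+)\s*$")
ARN = re.compile(r"^arn:(aws[\w-]*):iam::(\d{12}):([a-z-]+)/(.+)$")

def lint_mappings(text):
    """Return (line_no, arn, reason) for each entry whose ARN type does not fit its key."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            continue  # username, groups and group-name lines are not checked
        key, arn = m.groups()
        parsed = ARN.match(arn)
        if not parsed:
            findings.append((no, arn, "not an IAM ARN"))
        elif parsed.group(3) != EXPECTED[key]:
            findings.append(
                (no, arn, f"{key} expects a {EXPECTED[key]} ARN, got {parsed.group(3)}"))
    return findings

if __name__ == "__main__":
    for name, text in (("mapRoles", MAP_ROLES), ("mapUsers", MAP_USERS)):
        for no, arn, reason in lint_mappings(text):
            print(f"{name} line {no}: {arn}: {reason}")
```

Run against the ConfigMap from the issue, only the `group/eks-admin` entry in `mapUsers` is reported.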

@cschiewek

commented Jan 23, 2019

Can we re-open this as a feature request? Managing permissions would be significantly improved if we could add groups.

@fejta-bot

commented Jun 10, 2019

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
