Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[EKS] [bugfix]: Federated roles containing paths don't work properly with EKS #573

Closed
luizsoares opened this issue Nov 12, 2019 · 6 comments
Closed

[EKS] [bugfix]: Federated roles containing paths don't work properly with EKS #573

luizsoares opened this issue Nov 12, 2019 · 6 comments
Labels
EKS Amazon Elastic Kubernetes Service Proposed Community submitted issue

Comments

@luizsoares
Copy link

Greetings,

I apologize if this is not the right venue for this. I have tried to post this in the forums but I was greeted with a 500 error :(

I have authentication issues while issuing kubectl commands against an EKS cluster, while assuming a role through Okta. The role ARN is arn:aws:iam::XXXXXXXXXXXX:role/teams/tooling/dev-tooling-operator
Upon examining the authenticator logs, I noticed that IAM(?) is reporting an ARN without the path in it back to the authenticator:

time="2019-11-12T22:05:47Z" level=warning msg="access denied" arn="arn:aws:iam::XXXXXXXXXXXX:role/dev-tooling-operator" client="127.0.0.1:49822" error="ARN is not mapped: arn:aws:iam::XXXXXXXXXXXX:role/dev-tooling-operator" method=POST path=/authenticate

Are you currently working around this issue?
I recreated my IAM roles without paths in them.

Is this really the expected behaviour or is it indeed a bug?
Regards,
Luiz
@luizsoares luizsoares added the Proposed Community submitted issue label Nov 12, 2019
@alfredkrohmer
Copy link

You need to map the role without the path in the aws-auth configmap. Reason seems to be that the authenticator only has the result of STS' GetCallerIdentity (which doesn't have the role path) at hand when comparing the mapping.

@mikestef9 mikestef9 added the EKS Amazon Elastic Kubernetes Service label Jan 14, 2020
@eytanhanig
Copy link

I can confirm that this works for non-federated roles as well.

@dpiddockcmp dpiddockcmp mentioned this issue May 30, 2020
Closed
@rafaelpereyra rafaelpereyra mentioned this issue Apr 21, 2021
Closed
@sftim
Copy link

sftim commented Aug 5, 2022

This is relevant to #474

@sftim
Copy link

sftim commented Aug 5, 2022

Tracked in aws-iam-authenticator as kubernetes-sigs/aws-iam-authenticator#153

@portswigger-tim
Copy link

In case anyone wanders into this... After hours of thinking, screaming, contemplating... I had to do this in CDK world that adds a duplicate role mapping for the node role without the path:

....
....
     node_role = iam.Role(
            self,
            f"EksBootstrapNodeRole",
            assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"),
            description=f"Node role for EKS cluster: {cluster_name}",
            path="/ci-runners/",
            managed_policies=[
                iam.ManagedPolicy.from_aws_managed_policy_name(
                    "AmazonEKSWorkerNodePolicy"
                ),
                iam.ManagedPolicy.from_aws_managed_policy_name(
                    "AmazonEC2ContainerRegistryReadOnly"
                ),
                iam.ManagedPolicy.from_aws_managed_policy_name(
                    "AmazonSSMManagedInstanceCore"
                ),
            ],
        )

        # aws-iam-authenticator removes path from the assumed-role causing Kubernetes authenticator to fail server-side.
        role_arn_for_aws_auth = Fn.join(
            "",
            [
                "arn:",
                Aws.PARTITION,
                ":iam::",
                Aws.ACCOUNT_ID,
                ":role/",
                node_role.role_name,
            ],
        )

        role_for_aws_auth = iam.Role.from_role_arn(
            self, "EksBootstrapNodeRoleForAwsAuth", role_arn_for_aws_auth
        )

        cluster.aws_auth.add_role_mapping(
            role_for_aws_auth,
            username="system:node:{{EC2PrivateDNSName}}",
            groups=[
                "system:bootstrappers",
                "system:nodes",
            ],
        )
    ....
    ....

This was referenced Jan 20, 2023
Open
Open
@oreonl oreonl mentioned this issue Mar 21, 2023
Closed
3 tasks
@mikestef9 mikestef9 mentioned this issue May 30, 2023
Closed
@mikestef9
Copy link
Contributor

Addressed with #185

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
EKS Amazon Elastic Kubernetes Service Proposed Community submitted issue
Projects
containers-roadmap
Status: Shipped
Milestone
No milestone
Development

No branches or pull requests
6 participants
@luizsoares @alfredkrohmer @mikestef9 @eytanhanig @sftim @portswigger-tim