Integrate AWS Identity with EKS Auth #302

Closed
kferrone opened this issue Jul 27, 2020 · 12 comments
Labels
enhancement New feature or request

Comments

@kferrone

What problem are you facing?

There is no declarative way of mapping IAM resources to the EKS aws-auth ConfigMap. When creating any of the resources from identity.aws.crossplane.io, you would still have to manually update the aws-auth configmap.

How could Crossplane help solve your problem?

Maybe there could be an optional feature on the identity.aws.crossplane.io resources which could integrate with the EKS aws-auth ConfigMap.

The resource could look like so:

```yaml
apiVersion: identity.aws.crossplane.io/v1alpha1
kind: IAMUser
metadata:
  name: admin-user
spec:
  reclaimPolicy: Retain
  providerRef:
    name: aws-provider
  forProvider:
    path: /
    eksGroups:
    - system:masters
```

Then in the aws-auth ConfigMap, there would be a new entry for the user like so:

```yaml
mapUsers: |
  - userarn: arn:aws:iam::555555555555:user/admin-user
    username: admin-user
    groups:
      - system:masters
```

Here are the docs on how to map IAM to k8s for OIDC/OAuth2: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

@kferrone kferrone added the enhancement New feature or request label Jul 27, 2020
@cdenneen
Contributor

This would also need to provide adding mapRoles to the configMap.

@kferrone
Author

kferrone commented Feb 12, 2022

I've actually solved this issue a long time ago.
The compositions have the combine string strategy on the patches.
From the composition which creates my cluster, it creates the aws-auth for me.

I have also learned the wonders of Mutating Webhooks in k8s which can handle this task well.

@cdenneen
Contributor

@kferrone do you have a working example?

@kferrone
Author

Sure. Here is the item in the resources array within the composition:

```yaml
name: eks-aws-auth-config
base:
  apiVersion: kubernetes.crossplane.io/v1alpha1
  kind: Object
  spec:
    deletionPolicy: Orphan
    forProvider:
      manifest:
        apiVersion: v1
        kind: ConfigMap
        metadata:
          name: aws-auth
          namespace: kube-system
        data:
          mapRoles: ""
          mapUsers: ""
patches:
- &lbls
  type: PatchSet
  patchSetName: labels
- fromFieldPath: &name metadata.name
  transforms:
  - type: string
    string:
      fmt: "%s-aws-auth"
- fromFieldPath: *name
  toFieldPath: spec.providerConfigRef.name

- fromFieldPath: spec.parameters.awsAuth.mapAccounts
  toFieldPath: spec.forProvider.manifest.data.mapAccounts
- fromFieldPath: spec.parameters.awsAuth.mapUsers
  toFieldPath: spec.forProvider.manifest.data.mapUsers

# now add the data
- type: CombineFromComposite
  toFieldPath: spec.forProvider.manifest.data.mapRoles
  combine:
    variables:
    - fromFieldPath: status.ngRoleArn
    - fromFieldPath: spec.parameters.awsAuth.mapRoles
    strategy: string
    string:
      fmt: |
        - rolearn: %s
          username: system:node:{{EC2PrivateDNSName}}
          groups:
          - system:bootstrappers
          - system:nodes
        %s
```

I'm currently writing a Python webhook to select the Roles based on certain labels. It's not high priority for me so it may take a while.

@MMartyn

MMartyn commented Jul 7, 2022

@kferrone I must be missing something from your example. What is status.ngRoleArn and where does it come from? What does the definition for the awsAuth.mapRoles parameter look like? Is it a string or an array of strings?

Thanks in advance.

@kferrone
Author

kferrone commented Jul 7, 2022

So the status.ngRoleArn is the role ARN of an IAM role I created for the NodeGroups to use. In the patches of the IAM role I put the ARN back onto the status. The status in the definition is how Crossplane shares variables amongst resources. I only provided one resource from a very large Composition which is mostly generated, i.e. it's complicated.

Basically in the patches of the IAM role:

```yaml
name: ng-role
base:
  apiVersion: iam.aws.crossplane.io/v1beta1
  kind: Role
  ...
patches:
...
- type: ToCompositeFieldPath
  fromFieldPath: status.atProvider.arn
  toFieldPath: status.ngRoleArn
```

Lastly, all of the keys on the aws-auth ConfigMap are simply strings with yaml inside. It's just a ConfigMap.

I personally don't use the MapUsers section fyi, so I didn't actually patch it in my case.

@MMartyn

MMartyn commented Jul 7, 2022

Thanks. I did end up figuring out that I needed to add that ToCompositeFieldPath when I re-read this. Still can't get it to work but this is a good start.

@MMartyn

MMartyn commented Jul 7, 2022

One more note for anyone that stumbles upon this thread. To store the composite fields your definition needs to define them. See: crossplane/crossplane#2300 (comment)

@ralf-cestusio

I seem to have a massive block imagining how the mapRoles parameter is supposed to look.

Does any of you have an example of the definition and data?
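An added illustration, not posted by anyone in this thread, of a CompositeResourceDefinition that declares the two fields the composition above reads and writes: `spec.parameters.awsAuth.*` as plain strings holding YAML (the ConfigMap keys are strings, as noted above) and `status.ngRoleArn` for the Role patch to fill. The group, kind and resource names are placeholders.

```yaml
# Added example (not the issue author's definition). Group and names are
# placeholders; only the awsAuth parameters and status.ngRoleArn matter here.
apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
  name: xeksclusters.example.org
spec:
  group: example.org
  names:
    kind: XEKSCluster
    plural: xeksclusters
  claimNames:
    kind: EKSCluster
    plural: eksclusters
  versions:
  - name: v1alpha1
    served: true
    referenceable: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            properties:
              parameters:
                type: object
                properties:
                  awsAuth:
                    type: object
                    properties:
                      # Each key is a string containing YAML, exactly as the
                      # aws-auth ConfigMap stores it. mapRoles is appended
                      # after the node-group entry by the trailing %s in fmt.
                      mapRoles:
                        type: string
                        default: ""
                      mapUsers:
                        type: string
                        default: ""
                      mapAccounts:
                        type: string
                        default: ""
          status:
            type: object
            properties:
              # Written by the Role's ToCompositeFieldPath patch and read by
              # the CombineFromComposite patch on the aws-auth Object.
              ngRoleArn:
                type: string
```

In the claim, `spec.parameters.awsAuth.mapRoles` is then a block string (`mapRoles: |`) of extra `- rolearn:` entries in aws-auth syntax; because the combine only concatenates strings, it is worth diffing the rendered `kube-system/aws-auth` ConfigMap after the first reconcile to confirm that the entries, and especially any `system:masters` group, are exactly the ones you intended.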

tektondeploy pushed a commit to gtn3010/provider-aws that referenced this issue Mar 12, 2024
added inviteaccepter resource for securityhub group
@grglzrv

grglzrv commented Aug 3, 2024

Hey

@grglzrv

grglzrv commented Aug 3, 2024

Hey👋, I'm wondering if anyone can share their composition and definition for how to add/map a user to the aws-auth configmap. It would be very useful for everyone who is stuck here.
