Aws-vault: Using along with aws-iam-authenticator

Created on 27 Feb 2019  路  6Comments  路  Source: 99designs/aws-vault

I'm trying to using aws-vault with `aws-iam-authenticator

This is the users block of the kubeconfig file.

  - name: mycluster-aws-auth
    user:
      exec:
        apiVersion: client.authentication.k8s.io/v1alpha1
        args:
          - token
          - -i
          - mycluster
        command: aws-vault exec kubernetes-admin -- aws-iam-authenticator

What I get when I try to run it is this error:

Unable to connect to the server: getting token: exec: exec: "aws-vault exec kubernetes-admin -- aws-iam-authenticator": executable file not found in $PATH
stale

Most helpful comment

I had luck with something similar to below. If the --forward-session-name argument causes issues you can comment it out or get a newer version of aws-iam-authenticator. The role should be the same one you used when you configured the server side component of aws-iam-authenticator.

- name: mycluster-aws-auth
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws-vault
      args:
        - "exec"
        - "default"
        - "--"
        -  "aws-iam-authenticator"
        - "token"
        - "-i"
        - "mycluster"
        - "--role"
        - "arn::ROLE_TO_ASSUME"
        - "--forward-session-name"

All 6 comments

I had luck with something similar to below. If the --forward-session-name argument causes issues you can comment it out or get a newer version of aws-iam-authenticator. The role should be the same one you used when you configured the server side component of aws-iam-authenticator.

- name: mycluster-aws-auth
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws-vault
      args:
        - "exec"
        - "default"
        - "--"
        -  "aws-iam-authenticator"
        - "token"
        - "-i"
        - "mycluster"
        - "--role"
        - "arn::ROLE_TO_ASSUME"
        - "--forward-session-name"

If you still run into the same issue try to use the fully qualified paths which you can find by doing

which aws-vault
which aws-iam-authenticator

Increasing the debug verbosity for the kubectl command might also help you track down further errors e.g.

kubectl -v=8 get pods

@jasonbrownbridge thanks a lot. it worked like a charm

In case it's useful, I ended up embedding a shell script in my ~/.kube/config to allow for more flexible aws-vault usage. This script lets you enter an aws-vault exec shell and use kubectl commands without the overhead of calling into vault for each command. It also blocks you from accidentally being in the wrong vault.

- name: aws-vault@mgmt-use1
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - -c
      - |
        Profile="mgmt"
        EksCluster="mgmt-use1"
        AuthCmd="aws-iam-authenticator token -i $EksCluster --forward-session-name"
        if [ -z "$AWS_VAULT" ]
        then exec aws-vault exec $Profile -- $AuthCmd
        elif [ "$AWS_VAULT" = "$Profile" ]
        then exec $AuthCmd
        else
        >&2 echo "--> Currently in $AWS_VAULT account, but tried accessing cluster in $Profile"
        exit 1
        fi
      command: sh
      env: null

Update Profile and EksCluster to match your needs, the rest of the script can remain.

As far as the OP issue - command is fed into the OS raw, so the OS was looking for a binary literally named like that long multiword string. The vault args are in the wrong place in the yaml.

Please do add these tips to the USAGE.md doc in a PR!

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Was this page helpful?
0 / 5 - 0 ratings