Containers-roadmap: [EKS] [request]: MapGroups in ConfigMap
Tell us about your request
In order to grant access to a group of users to an EKS cluster, I'd like to map a whole IAM group in the ConfigMap. Similar to "mapRoles" and "mapUsers", I'd like to use something like "mapGroups" and inform a group arn.
Which service(s) is this request for?
EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
In order to map a group of users to grant access to the EKS cluster, with current configMap specifications, the way to do it is to map each individual user by editing the configMap with "mapUsers".
Are you currently working around this issue?
The current workaround for this is to create a IAM policy that allows the group to assume a role that has access to the cluster and is mapped in the configMap. Then, assume the role before accessing the cluster with a command like: aws sts assume-role --role-arn arn:aws:iam::123456789:role/EKS-test-role --role-session-name
Additional context
Please let me know if this is a valid feature request. Maybe there's something here I'm missing, but I think it should be ok to map a IAM group arn to grant access to the EKS cluster.
vitorgou
All 13 comments
+1
I was looking up documentation online for this same scenario, and happened to find this issue. Our engineers are put into groups for organizational purposes, it would be great to be able to leverage that organization in EKS.
mjrmyke
on 6 Feb 2019
+1
rtkgjacobs
on 6 Feb 2019
Cross linking the issue on the authenticator - https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/176
Thanks for filing this. Technically the difficulty with this is IAM groups don't support the get-caller-identity request with the AWS IAM Authenticator uses to validate users on the control plane. Would be good to explore other options to make this easier.
christopherhein
on 16 Feb 2019
+1
This would be great way to organize our team's permissions.
avandijk42
on 21 Feb 2019
+1
onkymykiss1
on 22 Feb 2019
I'm currently using https://github.com/ygrene/iam-eks-user-mapper as a workaround to this problem. It would be great if we could get this feature implemented.
wstewartii
on 14 Mar 2019
@wstewartii I was thinking to use this as well, but doesn't it kill the API call limit to aws?
omerh
on 28 Apr 2019
+1
1juandiaz
on 2 May 2019
- Attach a policy to the Group that grants permission to call sts:AssumeRole on the desired Role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "123",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::123456789:role/
]
}
]
}
2) Also, attach a Trust Policy on the Role. The sample policy (below) trusts any user in the account, but they would also need sts:AssumeRole permissions (above) to assume the role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789:root"
},
"Action": "sts:AssumeRole"
}
]
}
- Add the role arn to the configMap as below.
- rolearn: arn:aws:iam::123456789:role/
username: system:*
groups:
- system:masters
4) Save the file and apply the configMap.
5) Now test with another user which belongs to the group.
MKrupA5
on 30 May 2019
nit: any chance someone can go in and format those json blobs?
anderson-dan-w
on 14 Dec 2019
As a workaround, I've made a simple script for mapping IAM group members to RBAC group:
https://gist.github.com/pmatv/f059d11fa431d7141f60455ae6243608
pmatv
on 4 Mar 2020
@pmatv I'm getting a 404
iamsudip
on 6 May 2020
@iamsudip I'm corrected the URL, thanks
pmatv
on 7 May 2020
Related issues
yavor-atanasov
路
3Comments
talawahtech
路
3Comments
pauldougan
路
3Comments
inductor
路
3Comments
aliabas7
路
3Comments
Most helpful comment
I'm currently using https://github.com/ygrene/iam-eks-user-mapper as a workaround to this problem. It would be great if we could get this feature implemented.