Containers-roadmap: [EKS] [request]: IAM Role Traceability

Created on 27 Jan 2020  ·  4 Comments  ·  Source: aws/containers-roadmap

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
What do you want us to build?
Add the AWS AccessKeyID as an extra field in UserInfo so that the user who took an action against the k8s API appears in the Kubernetes audit log; see https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/286 for further information.

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
What outcome are you trying to achieve, ultimately, and why is it hard/impossible to do right now? What is the impact of not having this problem solved? The more details you can provide, the better we'll be able to understand and solve the problem.

Are you currently working around this issue?
How are you currently solving this problem?
Using the aws-iam-authenticator with the --forward-session-name flag, which is not reliable.

Additional context
Anything else we should know?

Attachments
If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)

EKS Proposed
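To show what the requested field buys an incident responder, here is an added example (not code from the issue, from EKS, or from aws-iam-authenticator) that reads kube-apiserver audit events, pulls the access key ID out of `user.extra`, and joins it to CloudTrail `AssumeRole` records to recover the principal behind a shared, role-mapped Kubernetes username. The audit lines and CloudTrail records are constructed by hand; the extra key name `accessKeyId` is the one the linked aws-iam-authenticator change writes, and `responseElements.credentials.accessKeyId` is where CloudTrail records the temporary key an `AssumeRole` call issued. Both field names are assumptions to verify against your own logs.

```python
"""Trace Kubernetes API actions back to an AWS identity via accessKeyId.

Added example, not code from the issue or from aws-iam-authenticator.
All log data below is constructed to mimic the real formats. Assumed
field names: audit user.extra["accessKeyId"] (written by the linked
authenticator change) and CloudTrail responseElements.credentials.accessKeyId.
"""
import json
from collections import defaultdict

# Constructed kube-apiserver audit events (audit.k8s.io/v1, JSON lines).
# Two requests share the username "kubernetes-admin" (the mapped IAM role)
# but carry different access key IDs, i.e. different role sessions.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"e1","stage":"ResponseComplete","verb":"get","user":{"username":"kubernetes-admin","uid":"aws-iam-authenticator:123456789012:AROAEXAMPLEROLEID","groups":["system:masters","system:authenticated"],"extra":{"accessKeyId":["ASIAEXAMPLEKEY00001"]}},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"e2","stage":"ResponseComplete","verb":"delete","user":{"username":"kubernetes-admin","uid":"aws-iam-authenticator:123456789012:AROAEXAMPLEROLEID","groups":["system:masters","system:authenticated"],"extra":{"accessKeyId":["ASIAEXAMPLEKEY00002"]}},"objectRef":{"resource":"deployments","namespace":"prod","name":"api"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"e3","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:kube-system:coredns","groups":["system:serviceaccounts","system:authenticated"]},"objectRef":{"resource":"endpoints"},"responseStatus":{"code":200}}
not json at all
"""

# Constructed CloudTrail AssumeRole records: which caller received which
# temporary access key ID (ASIA... keys are STS credentials, not IAM users).
SAMPLE_CLOUDTRAIL = [
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEKEY00001"}}},
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEKEY00002"}}},
]


def parse_audit_events(text):
    """Parse JSON-lines audit output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a forensic parser must not stop on one bad line
    return events


def access_key_id(event):
    """Return the access key ID recorded for the request, or None.

    Non-IAM principals (service accounts, anonymous) carry no "extra"
    block at all, so the field is absent rather than empty.
    """
    values = event.get("user", {}).get("extra", {}).get("accessKeyId") or []
    return values[0] if values else None


def assume_role_index(cloudtrail_records):
    """Map temporary access key ID -> ARN of the principal that assumed the role."""
    index = {}
    for rec in cloudtrail_records:
        if rec.get("eventName") != "AssumeRole":
            continue
        key = rec.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
        if key:
            index[key] = rec["userIdentity"]["arn"]
    return index


def attribute_actions(audit_text, cloudtrail_records):
    """Join audit events to CloudTrail on access key ID.

    Returns (principal, verb, resource, name) tuples. principal is the
    CloudTrail caller ARN when the key is known, the raw key ID when it is
    not, and the Kubernetes username when no key was recorded at all.
    """
    keys = assume_role_index(cloudtrail_records)
    rows = []
    for ev in parse_audit_events(audit_text):
        key = access_key_id(ev)
        user = ev.get("user", {}).get("username", "<unknown>")
        principal = keys.get(key, key) if key else user
        ref = ev.get("objectRef", {})
        rows.append((principal, ev.get("verb"), ref.get("resource"), ref.get("name")))
    return rows


def sessions_per_username(audit_text):
    """Count distinct access keys seen per Kubernetes username.

    A value above 1 is exactly the case the issue describes: one mapped
    role, several people, indistinguishable without the key ID.
    """
    seen = defaultdict(set)
    for ev in parse_audit_events(audit_text):
        key = access_key_id(ev)
        if key:
            seen[ev["user"]["username"]].add(key)
    return {user: len(keys) for user, keys in seen.items()}


if __name__ == "__main__":
    for row in attribute_actions(SAMPLE_AUDIT_LOG, SAMPLE_CLOUDTRAIL):
        print(row)
    print(sessions_per_username(SAMPLE_AUDIT_LOG))
```

The join is the important step: with `--forward-session-name` the session name is whatever the caller chose when assuming the role, whereas the access key ID is issued by STS and recorded on the AWS side, so it can be matched against CloudTrail without trusting the client.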

All 4 comments

Traceability in EKS is a huge issue for all who need audit logs for HIPAA and other government-related accounts.

I would love to see this feature land real soon. It will soon become a blocker for us rolling out some production workloads. We switched to managed IAM Role mapping to save on operational overhead, but we have now lost traceability.

Based on the EKS docs, the feature is already available on EKS with version 1.15.11. It includes the update to the server-side AWS IAM Authenticator.

Closing as we have rolled out this feature for all new 1.15 clusters with platform version eks.2. Existing clusters will be updated with this functionality over the next few weeks.
