Containers-roadmap: [EKS] [request]: add the ability to view and update "the IAM entity user or role ... [that] is automatically granted system:masters permissions in the cluster's RBAC configuration"

Created on 29 May 2020 · 3 comments · Source: aws/containers-roadmap

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
The documentation pages "Managing users or IAM roles for your cluster" and "How Amazon EKS works with IAM" claim the following:

When you create an Amazon EKS cluster, the IAM entity user or role, such as a federated user that creates the cluster, is automatically granted system:masters permissions in the cluster's RBAC configuration.

I found no way to view or change what that IAM entity is for a given cluster. Documentation in aws-iam-authenticator suggests that there is a configuration file for the aws-iam-authenticator server, which presumably contains a reference to that IAM entity, but I found no way of accessing that configuration.

I want you to add information about the privileged IAM entity to the EKS DescribeCluster response, and the ability to change it with an EKS UpdateClusterConfig request.

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
I want a specific IAM user that created the cluster (me) to not have cluster-admin access by default. I've switched to using roles with view access by default, but sometimes I forget to assume the role and get cluster-admin access by nature of being the IAM user that created the cluster. Not having a way of changing the privileged IAM entity maintains a risk of accidental modification of the cluster.

I also want my colleagues to have a way to modify the aws-auth ConfigMap without the fear of being locked out, in case I'm not available with my default cluster-admin access. Not having a way of changing the privileged IAM entity maintains a risk of having no way to remedy access-revoking changes in aws-auth other than re-creating the cluster.

Are you currently working around this issue?
No, the risks above are not mitigated.

Additional context
N/A

Attachments
N/A

EKS Proposed

All 3 comments

This is super important to be able to either edit users from aws or set what user/role would be the admin.

My use case is that the creator of the EKS cluster is Terraform Cloud, using a dedicated Terraform user. I was unable to log in to k8s until I used that user's credentials.

This problem is compounded when you introduce managed node groups. When this is done, apparently AWS automatically adds the node role to aws-auth, which means you can't easily update it with IaC tools like Terraform without great contortions.

I was able to at least view the IAM user/role used to create the cluster by using Cloud Trail:

To identify who the cluster creator is, you can use the CloudTrail console: in "Event History", filter by "Event name" and select "CreateCluster". It will list the event used to create the cluster, and there you will be able to see the identity (user or role) that was used to create the cluster.
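The CloudTrail lookup above can be scripted, and the same pass can answer the lock-out question from the original post: does aws-auth map at least one system:masters principal other than the implicit creator? The script below is an added example, not code from this issue, from AWS, or from aws-iam-authenticator. It assumes the JSON shape the AWS CLI prints for `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateCluster` (a list under "Events", each record carried as a JSON string in "CloudTrailEvent"); the records, account number, role names and aws-auth entries in it are constructed samples. The ARN normalisation reflects how aws-iam-authenticator matches assumed-role sessions against mapRoles (the IAM role ARN, not the STS session ARN).

```python
"""Find an EKS cluster's implicit admin from CloudTrail and check aws-auth for a second admin.

Added example (not the issue's, AWS's or aws-iam-authenticator's code).
Assumed input: AWS CLI `cloudtrail lookup-events` output. All sample data is constructed.
"""
import json
import re
import sys
from typing import Optional

# STS session ARN -> partition, account, role name (role path is not present in this form)
ASSUMED_ROLE_RE = re.compile(r"^(arn:aws[\w-]*):sts::(\d{12}):assumed-role/([^/]+)/")


def canonical_principal(user_identity: dict) -> str:
    """Return the ARN in the form aws-auth mapRoles/mapUsers is matched against.

    A CreateCluster call made through an assumed role is logged with an STS
    session ARN; aws-auth entries use the IAM role ARN. sessionIssuer.arn is
    preferred because it keeps the role path, which the session ARN drops.
    """
    arn = user_identity["arn"]
    if user_identity.get("type") != "AssumedRole":
        return arn  # IAMUser / Root: already the mapped form
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    if issuer:
        return issuer
    m = ASSUMED_ROLE_RE.match(arn)
    if not m:
        raise ValueError(f"unrecognised assumed-role ARN: {arn}")
    partition, account, role = m.groups()
    return f"{partition}:iam::{account}:role/{role}"


def find_cluster_creator(lookup_output: dict, cluster_name: str) -> Optional[str]:
    """Return the canonical ARN of whoever issued eks:CreateCluster for cluster_name, or None."""
    for event in lookup_output.get("Events", []):
        record = json.loads(event["CloudTrailEvent"])
        if record.get("eventSource") != "eks.amazonaws.com":
            continue
        if record.get("eventName") != "CreateCluster":
            continue
        if (record.get("requestParameters") or {}).get("name") != cluster_name:
            continue
        return canonical_principal(record["userIdentity"])
    return None  # not in Event history (which only covers the last 90 days)


def other_admins(map_roles: list, map_users: list, creator_arn: str) -> list:
    """system:masters principals in aws-auth other than the implicit creator.

    An empty result means a bad aws-auth edit can only be repaired by the creator
    or by re-creating the cluster, which is the lock-out risk the issue describes.
    """
    admins = []
    for entry in map_roles + map_users:
        arn = entry.get("rolearn") or entry.get("userarn")
        if "system:masters" in entry.get("groups", []) and arn != creator_arn:
            admins.append(arn)
    return admins


def _record(user_identity: dict, cluster: str) -> dict:
    """Build one constructed lookup-events entry around a CreateCluster record."""
    body = {"eventSource": "eks.amazonaws.com", "eventName": "CreateCluster",
            "userIdentity": user_identity, "requestParameters": {"name": cluster}}
    return {"EventName": "CreateCluster", "EventSource": "eks.amazonaws.com",
            "CloudTrailEvent": json.dumps(body)}


# Constructed sample: one cluster created via an assumed role, one via an IAM user.
SAMPLE_LOOKUP_EVENTS = {"Events": [
    _record({"type": "AssumedRole",
             "arn": "arn:aws:sts::123456789012:assumed-role/TerraformCloud/run-1",
             "sessionContext": {"sessionIssuer": {
                 "arn": "arn:aws:iam::123456789012:role/TerraformCloud"}}}, "prod"),
    _record({"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}, "dev"),
]}

# Constructed aws-auth content (the lists that live under data.mapRoles / data.mapUsers).
SAMPLE_MAP_ROLES = [
    {"rolearn": "arn:aws:iam::123456789012:role/eks-node-group-role",
     "username": "system:node:{{EC2PrivateDNSName}}",
     "groups": ["system:bootstrappers", "system:nodes"]},
    {"rolearn": "arn:aws:iam::123456789012:role/TerraformCloud",
     "username": "terraform", "groups": ["system:masters"]},
    {"rolearn": "arn:aws:iam::123456789012:role/BreakGlassAdmin",
     "username": "break-glass", "groups": ["system:masters"]},
]
SAMPLE_MAP_USERS = [
    {"userarn": "arn:aws:iam::123456789012:user/alice",
     "username": "alice", "groups": ["readers"]},
]

if __name__ == "__main__":
    # Usage: aws cloudtrail lookup-events --lookup-attributes \
    #          AttributeKey=EventName,AttributeValue=CreateCluster | python3 creator.py prod
    creator = find_cluster_creator(json.load(sys.stdin), sys.argv[1])
    print("creator:", creator)
    print("other admins:", other_admins(SAMPLE_MAP_ROLES, SAMPLE_MAP_USERS, creator))
```

Two caveats a practitioner should keep in mind: CloudTrail Event history only retains 90 days, so for an older cluster the CreateCluster record has to come from a trail's S3 logs or CloudTrail Lake rather than `lookup-events`; and the implicit creator grant is not represented in aws-auth at all, so even a correct mapRoles with a second system:masters entry does not remove the creator's access, it only removes the single point of failure. Feeding real aws-auth data in means parsing the YAML strings under data.mapRoles and data.mapUsers (for example with PyYAML) into the lists of dicts the checker expects.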
