kubernetes-sigs / aws-iam-authenticator

A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster


SessionName is populated as EKSGetTokenAuth in audit logs

cablunar opened this issue · comments

After switching to aws-cli for authentication in my kubeconfig files, I have problems with our Kubernetes audit logs.
All audit logs do not include the username of the authenticated user, but it is instead replaced with EKSGetTokenAuth.

Any info on what to change to get the actual username is highly appreciated 👍

I'm using aws-cli to authenticate the user with kubectl.
kubeconfig:

user:
  exec:
    apiVersion: client.authentication.k8s.io/v1beta1
    args:
    - --region
    - us-east-1
    - eks
    - get-token
    - --cluster-name
    - capi-cluster
    - --role-arn
    - arn:aws:iam::XXXXXXX:role/kadmin
    command: aws

aws-auth configmap, used by aws-iam-authenticator deployment inside the cluster:

  config.yaml: |-
    clusterID: capi-cluster
    server:
      mapRoles:
      - roleARN: arn:aws:iam::xxxxx:role/kadmin
        username: "kadmin::{{SessionName}}"
        groups:
        - aws:kadmin

Output from aws-iam-authenticator

time="2022-09-08T10:53:59Z" level=info msg="STS response" accesskeyid=XXXXXXX accountid=XXXXXXX arn="arn:aws:sts::XXXXXXX:assumed-role/kadmin/EKSGetTokenAuth" client="127.0.0.1:40414" method=POST path=/authenticate session=EKSGetTokenAuth userid=XXXXXXX
time="2022-09-08T10:53:59Z" level=info msg="access granted" arn="arn:aws:iam::XXXXXXX:role/kadmin" client="127.0.0.1:40414" groups="[aws:kadmin]" method=POST path=/authenticate uid="aws-iam-authenticator:XXXXXXX:XXXXXXX" username="kadmin::EKSGetTokenAuth"

Hi, since you set the --role-arn field in the aws eks get-token command, the CLI is performing a new role assumption (sts:AssumeRole) with a new session name:

    - --role-arn
    - arn:aws:iam::XXXXXXX:role/kadmin

If you drop those arguments, the AWS CLI will directly use the AWS credentials with the given role and session name.

If you actually intend to assume the arn:aws:iam::XXXXXXX:role/kadmin role from some other role, you can use your AWS config file to control the session name, and specify that profile via AWS_PROFILE in your $KUBECONFIG.

~/.aws/config.ini

[profile kadmin]
role_arn = arn:aws:iam::XXXXXXX:role/kadmin
role_session_name = you-name-it
source_profile = some_other_profile

~/.kube/config

user:
  exec:
    apiVersion: client.authentication.k8s.io/v1beta1
    args:
    - --region
    - us-east-1
    - eks
    - get-token
    - --cluster-name
    - capi-cluster
    command: aws
    env:
    - name: AWS_PROFILE
      value: kadmin
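To make the mechanism behind both posts concrete, here is an added example (not the project's code; a simplified re-implementation) that takes the STS assumed-role ARN the authenticator logs, canonicalizes it to the IAM role ARN keyed on by mapRoles, and fills in the `{{SessionName}}` template, so you can see why the username becomes `kadmin::EKSGetTokenAuth` with `--role-arn` and `kadmin::you-name-it` with the profile's `role_session_name`. The account id, the second session name and the log lines are constructed sample values; a small scan over "access granted" log lines flags usernames that still carry the CLI's default session name.

```python
import re

# Constructed copy of the mapRoles entry from the issue (account id is a sample value).
MAP_ROLES = [
    {
        "roleARN": "arn:aws:iam::111122223333:role/kadmin",
        "username": "kadmin::{{SessionName}}",
        "groups": ["aws:kadmin"],
    },
]

# arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION, as seen in the "STS response" log line.
STS_ARN_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>[^/]+)$"
)
AUTH_LOG_USER_RE = re.compile(r'username="([^"]*)"')


def canonicalize(sts_arn):
    """Map an STS assumed-role ARN to (IAM role ARN, account id, session name), or None."""
    m = STS_ARN_RE.match(sts_arn)
    if not m:
        return None
    return f"arn:aws:iam::{m['account']}:role/{m['role']}", m["account"], m["session"]


def map_identity(sts_arn, map_roles=MAP_ROLES):
    """Resolve the Kubernetes username/groups a mapRoles entry yields for this STS identity.

    Simplified: ignores role paths and the {{SessionNameRaw}} variant; {{SessionName}}
    has '@' rewritten to '-' as in the authenticator's template substitution.
    """
    parsed = canonicalize(sts_arn)
    if parsed is None:
        return None
    role_arn, account, session = parsed
    for entry in map_roles:
        if entry["roleARN"].lower() == role_arn.lower():
            username = (entry["username"]
                        .replace("{{SessionName}}", session.replace("@", "-"))
                        .replace("{{AccountID}}", account))
            return {"username": username, "groups": list(entry["groups"])}
    return None


def unattributable_users(log_lines):
    """Return usernames from 'access granted' lines whose session name is the CLI default."""
    hits = []
    for line in log_lines:
        m = AUTH_LOG_USER_RE.search(line)
        if m and m.group(1).endswith("::EKSGetTokenAuth"):
            hits.append(m.group(1))
    return hits
```

Feeding the ARN from the issue's "STS response" line into `map_identity` reproduces the logged `kadmin::EKSGetTokenAuth`; the same call with a session named via `role_session_name` yields a username that an audit reviewer can tie to a person.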