SessionName is populated as EKSGetTokenAuth in audit logs
cablunar opened this issue
After switching to aws-cli for authentication in my kubeconfig files, I have problems with our Kubernetes audit logs.
All audit logs do not include the username of the authenticated user; it is instead replaced with EKSGetTokenAuth.
Any info on what to change to get the actual username is highly appreciated.
I'm using aws-cli to authenticate the user with kubectl.
kubeconfig:
user:
  exec:
    apiVersion: client.authentication.k8s.io/v1beta1
    args:
    - --region
    - us-east-1
    - eks
    - get-token
    - --cluster-name
    - capi-cluster
    - --role-arn
    - arn:aws:iam::XXXXXXX:role/kadmin
    command: aws
aws-auth configmap, used by the aws-iam-authenticator deployment inside the cluster:
config.yaml: |-
  clusterID: capi-cluster
  server:
    mapRoles:
    - roleARN: arn:aws:iam::xxxxx:role/kadmin
      username: "kadmin::{{SessionName}}"
      groups:
      - aws:kadmin
Output from aws-iam-authenticator:
time="2022-09-08T10:53:59Z" level=info msg="STS response" accesskeyid=XXXXXXX accountid=XXXXXXX arn="arn:aws:sts::XXXXXXX:assumed-role/kadmin/EKSGetTokenAuth" client="127.0.0.1:40414" method=POST path=/authenticate session=EKSGetTokenAuth userid=XXXXXXX
time="2022-09-08T10:53:59Z" level=info msg="access granted" arn="arn:aws:iam::XXXXXXX:role/kadmin" client="127.0.0.1:40414" groups="[aws:kadmin]" method=POST path=/authenticate uid="aws-iam-authenticator:XXXXXXX:XXXXXXX" username="kadmin::EKSGetTokenAuth"
Hi, since you set the --role-arn field in the aws eks get-token command, the CLI is performing a new role assumption (sts:AssumeRole) with a new session name:
    - --role-arn
    - arn:aws:iam::XXXXXXX:role/kadmin
If you drop those arguments, the AWS CLI will directly use the AWS credentials with the given role and session name.
If you actually intend to assume the arn:aws:iam::XXXXXXX:role/kadmin role from some other role, you can use your AWS config file to control the session name, and specify that profile via AWS_PROFILE in your $KUBECONFIG.
~/.aws/config.ini
[profile kadmin]
role_arn = arn:aws:iam::XXXXXXX:role/kadmin
role_session_name = you-name-it
source_profile = some_other_profile
~/.kube/config
user:
  exec:
    apiVersion: client.authentication.k8s.io/v1beta1
    args:
    - --region
    - us-east-1
    - eks
    - get-token
    - --cluster-name
    - capi-cluster
    command: aws
    env:
    - name: AWS_PROFILE
      value: kadmin