Skip to content
/ aws-auth Public
forked from keikoproj/aws-auth

Manage the aws-auth config map for EKS Kubernetes clusters

License

Apache-2.0 license
0 stars 26 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

eytan-avisror/aws-auth

BranchesTags
 
 

Repository files navigation

aws-auth

Build Status codecov

Makes the management of the aws-auth config map for EKS Kubernetes clusters easier

Use cases

  • make bootstrapping a node group or removing/adding user access on EKS fast and easy

  • useful for automation purposes, any workflow that needs to grant IAM access to an EKS cluster can use this library to modify the config map.

  • run as part of a workflow on kubernetes using a docker image

Install

$ go get github.com/keikoproj/aws-auth

Usage from command line or Krew

Either download/install a released binary or add as a plugin to kubectl via Krew

$ kubectl krew update
$ kubectl krew install aws-auth
Installing plugin: aws-auth
Installed plugin: aws-auth

$ kubectl krew aws-auth
aws-auth modifies the aws-auth configmap on eks clusters

Usage:
  aws-auth [command]

Available Commands:
  help               Help about any command
  remove             remove removes a user or role from the aws-auth configmap
  remove-by-username remove-by-username removes all map roles and map users from the aws-auth configmap
  upsert             upsert updates or inserts a user or role to the aws-auth configmap
  version            Version of aws-auth

Flags:
  -h, --help   help for aws-auth

Use "aws-auth [command] --help" for more information about a command.

Given a config map with the following data:

$ kubectl get configmap aws-auth -n kube-system -o yaml
apiVersion: v1
kind: ConfigMap
metadata:
    name: aws-auth
    namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::555555555555:role/devel-worker-nodes-NodeInstanceRole-74RF4UBDUKL6
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::555555555555:role/abc
      username: ops-user
      groups:
        - system:masters
  mapUsers: |
    - userarn: arn:aws:iam::555555555555:user/a-user
      username: admin
      groups:
        - system:masters
    - userarn: arn:aws:iam::555555555555:user/a-user
      username: ops-user
      groups:
        - system:masters

Remove all access belonging to an ARN (both mapUser roles will be removed)

$ aws-auth remove --mapusers --userarn arn:aws:iam::555555555555:user/a-user
removed arn:aws:iam::555555555555:user/a-user from aws-auth

Remove by full match (only mapUsers[0] will be removed)

$ aws-auth remove --mapusers --userarn arn:aws:iam::555555555555:user/a-user --username admin --groups system:masters
removed arn:aws:iam::555555555555:user/a-user from aws-auth

Remove based on a username

This command removes all map roles and map users that have matching input username. In the above configmap, map role for roleARN arn:aws:iam::555555555555:role/abc and mapUser for userARN arn:aws:iam::555555555555:user/a-user will be removed.

$ aws-auth remove-by-username --username ops-user

Bootstrap a new node group role

$ aws-auth upsert --maproles --userarn arn:aws:iam::555555555555:role/my-new-node-group-NodeInstanceRole-74RF4UBDUKL6 --username system:node:{{EC2PrivateDNSName}} --groups system:bootstrappers system:nodes
added arn:aws:iam::555555555555:role/my-new-node-group-NodeInstanceRole-74RF4UBDUKL6 to aws-auth

You can also add retries with exponential backoff

$ aws-auth upsert --maproles --userarn arn:aws:iam::555555555555:role/my-new-node-group-NodeInstanceRole-74RF4UBDUKL6 --username system:node:{{EC2PrivateDNSName}} --groups system:bootstrappers system:nodes --retry

Retries are configurable using the following flags

      --retry                     Retry on failure with exponential backoff
      --retry-max-count int       Maximum number of retries before giving up (default 12)
      --retry-max-time duration   Maximum wait interval (default 30s)
      --retry-min-time duration   Minimum wait interval (default 200ms)

Append groups to mapping instead of overwriting by using --append

aws-auth upsert --maproles --rolearn arn:aws:iam::00000000000:role/test --username test --groups test --append

Avoid overwriting username by using --update-username=false

aws-auth upsert --maproles --rolearn arn:aws:iam::00000000000:role/test --username test2 --groups test --update-username=false

Usage as a library

package main

import (
    awsauth "github.com/keikoproj/aws-auth/pkg/mapper"
)

func someFunc(client kubernetes.Interface) error {
    awsAuth := awsauth.New(client, false)
    myUpsertRole := &awsauth.MapperArguments{
        MapRoles: true,
        RoleARN:  "arn:aws:iam::555555555555:role/my-new-node-group-NodeInstanceRole-74RF4UBDUKL6",
        Username: "system:node:{{EC2PrivateDNSName}}",
        Groups: []string{
            "system:bootstrappers",
            "system:nodes",
        },
        WithRetries: true,
        MinRetryTime:   time.Millisecond * 100,
        MaxRetryTime:   time.Second * 30,
        MaxRetryCount:  12,
    }

    err = awsAuth.Upsert(myUpsertRole)
    if err != nil {
        return err
    }
}

Run in a container

$ docker run \
-v ~/.kube/:/root/.kube/ \
-v ~/.aws/:/root/.aws/ \
keikoproj/aws-auth:latest \
aws-auth upsert --mapusers \
--userarn arn:aws:iam::555555555555:user/a-user \
--username admin \
--groups system:masters

About

Manage the aws-auth config map for EKS Kubernetes clusters

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v0.0.0 Latest
Apr 8, 2022

Packages

No packages published

Languages

  • Go 98.2%
  • Other 1.8%