Closed andyzhang495 closed 5 years ago
@andyzhang495 You can use an STS Token now; an example can be found in README.md, like this:
```json
{
  "AcsAccessKeyId": "xxxxxx",
  "AcsAccessKeySecret": "xxxxxx",
  "AcsAccessSecurityToken": "xxxxxx"
}
```
About the SAML SSO, this doc may be helpful: https://yq.aliyun.com/articles/712298 . For more about SAML SSO on Alibaba Cloud, please see https://help.aliyun.com/document_detail/28627.html for reference, or https://www.alibabacloud.com/help/product/28625.htm for the English version.
Sorry for the late reply. @haoshuwei Thanks for your quick response and awesome job!
About SAML SSO, we're planning to use Role-based SSO, which will generate an STS token if SSO is successful, and use this STS token with ack-ram-authenticator. Like the use case with awscli, I can use the following kubeconfig with aws-iam-authenticator:
```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: {{ .CaData }}
    server: {{ .ServerAddress }}
  name: {{ .ClusterName }}
contexts:
- context:
    cluster: {{ .ClusterName }}
    user: {{ .ClusterName }}
  name: {{ .ClusterName }}
current-context: {{ .ClusterName }}
kind: Config
preferences: {}
users:
- name: {{ .ClusterName }}
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - token
      - -i
      - {{ .TokenIdentity }}
      command: aws-iam-authenticator
      env:
      - name: AWS_PROFILE
        value: saml
```
The important part here is `AWS_PROFILE` being set to `saml`, which is a native login profile supported by awscli, which is implemented with `AssumeRoleWithSAML`. I saw Alibaba Cloud also supports this STS API. Is this feature on your roadmap?
@andyzhang495 Before you use aws-iam-authenticator in this way, you must get an `AssumeRoleWithSAML` STS Token first in some other way, is that right?
@haoshuwei Ah, I get the idea now. I need to implement a CLI tool that fetches an STS token using `AssumeRoleWithSAML` and saves it as a profile named `saml`. I thought awscli provided this functionality out of the box, but I was wrong.
Closing this issue since the function is already added. Thanks for replying!
The use case is: I do the `AssumeRole` call elsewhere, get the STS access key id/secret and SecurityToken beforehand, and let ack-ram-authenticator use those credentials to communicate with the server? To put it simply, how can I use SAML SSO with this?