AliyunContainerService / ack-ram-authenticator

Using Alibaba Cloud credentials to authenticate to a Kubernetes cluster
Apache License 2.0
31 stars 9 forks

Is it possible to use STS access key instead of RAM access key? #3

Closed andyzhang495 closed 5 years ago

andyzhang495 commented 5 years ago

The use case is that I do the AssumeRole call elsewhere, get the STS access key id/secret and SecurityToken beforehand, and let ack-ram-authenticator use those credentials to communicate with the server?

To put it simply, how can I use SAML SSO with this?

haoshuwei commented 5 years ago

@andyzhang495 You can use an STS Token now; an example can be found in README.md like this:

```json
{
  "AcsAccessKeyId": "xxxxxx",
  "AcsAccessKeySecret": "xxxxxx",
  "AcsAccessSecurityToken": "xxxxxx"
}
```

About the SAML SSO, this doc may be helpful: https://yq.aliyun.com/articles/712298 . For more about SAML SSO on Alibaba Cloud, please see https://help.aliyun.com/document_detail/28627.html for reference, or https://www.alibabacloud.com/help/product/28625.htm for the English version.

andyzhang495 commented 5 years ago

Sorry for the late reply. @haoshuwei Thanks for your quick response and awesome job!

About SAML SSO, we're planning to use Role-based SSO, which will generate an STS token if SSO is successful, and use this STS token with ack-ram-authenticator. Like the use case with awscli, I can use the following kubeconfig with aws-iam-authenticator:

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: {{ .CaData }}
    server: {{ .ServerAddress }}
  name: {{ .ClusterName }}
contexts:
- context:
    cluster: {{ .ClusterName }}
    user: {{ .ClusterName }}
  name: {{ .ClusterName }}
current-context: {{ .ClusterName }}
kind: Config
preferences: {}
users:
- name: {{ .ClusterName }}
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - token
      - -i
      - {{ .TokenIdentity }}
      command: aws-iam-authenticator
      env:
      - name: AWS_PROFILE
        value: saml
```

The important part here is AWS_PROFILE being set to saml, which is a native login profile supported by awscli and implemented with AssumeRoleWithSAML. I saw Alibaba Cloud also supports this STS API. Is this feature on your roadmap?

haoshuwei commented 5 years ago

@andyzhang495 Before you use aws-iam-authenticator in this way, you must get an AssumeRoleWithSAML STS Token first in other ways, is it right?

andyzhang495 commented 5 years ago

@haoshuwei Ah, I get the idea now. I need to implement a CLI tool fetching the STS token using AssumeRoleWithSAML and save it as a profile named saml. I thought awscli provides this functionality out of the box, but I was wrong.

Closing this issue since the function is already added. Thanks for replying!
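One way to do the "save the STS token as a profile" step the thread ends on, as an added example that is not code from this project or either participant. It maps a constructed AssumeRoleWithSAML-style result onto the three-key credential layout quoted from the README above; the on-disk cache layout, the profile directory and the sample values are assumptions for illustration.

```python
import json
import os
from datetime import datetime, timezone

# Constructed sample of an AssumeRoleWithSAML result (not real credentials).
SAMPLE_STS = {
    "AccessKeyId": "STS.constructed-example",
    "AccessKeySecret": "constructed-secret",
    "SecurityToken": "constructed-session-token",
    "Expiration": "2024-06-01T12:00:00Z",
}

def _parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def credentials_from_sts(sts):
    """Map STS fields onto the three keys shown in the README snippet above.
    No SecurityToken means a long-lived RAM key, not an STS credential: refuse it."""
    if not sts.get("SecurityToken"):
        raise ValueError("not an STS credential: SecurityToken missing")
    return {
        "AcsAccessKeyId": sts["AccessKeyId"],
        "AcsAccessKeySecret": sts["AccessKeySecret"],
        "AcsAccessSecurityToken": sts["SecurityToken"],
    }

def save_profile(name, sts, profile_dir):
    """Cache credential plus expiry as <profile_dir>/<name>.json (assumed layout)."""
    record = {"credentials": credentials_from_sts(sts), "expiration": sts["Expiration"]}
    os.makedirs(profile_dir, mode=0o700, exist_ok=True)
    path = os.path.join(profile_dir, name + ".json")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # owner-only: secrets
    with os.fdopen(fd, "w") as f:
        json.dump(record, f)
    return path

def load_profile(name, profile_dir, now=None):
    """Return the cached 3-key credential, or None when absent or expired, so the
    caller re-runs the SAML SSO flow instead of handing a stale token to the plugin."""
    path = os.path.join(profile_dir, name + ".json")
    if not os.path.exists(path):
        return None
    with open(path) as f:
        record = json.load(f)
    current = _parse_utc(now) if now else datetime.now(timezone.utc)
    if current >= _parse_utc(record["expiration"]):
        return None
    return record["credentials"]
```

A wrapper that runs the SSO flow when `load_profile` returns None and then writes the result with `save_profile` gives the "saml" profile behaviour described above without ever caching a long-lived key.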