Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

Kube Config with aws-iam-authenticator #433

Open tolidano opened 4 years ago

tolidano commented 4 years ago

Here's a snip of how we were using aws-okta:

- name: test
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - exec
      - test
      - --
      - aws-iam-authenticator
      - token
      - -i
      - test-sre-k8s
      - -r
      - arn:aws:iam::ACCOUNT_ID:role/sre
      command: aws-okta
      env: null

How can I do this with saml2aws?

tolidano commented 4 years ago

Right now, what I'm doing is:
1) run saml2aws login
2) run s2a to put the creds into my env as env vars
3) modify this to just run aws-iam-authenticator directly

However, I'd like to be able to do the entire process after the kubectl command and let this yaml exec block handle it.

lhw commented 4 years ago

So I am in a similar situation. And I do have a "solution" for your problem.

users:
- name: example
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - exec
      - --
      - aws-iam-authenticator
      - token
      - -i
      - example
      - -r
      - arn:aws:iam::111111111111:role/admin
      command: saml2aws

But I am still looking into whether it's possible to do the saml2aws login automatically for exec like it's done for the console command. If not I'll have to do a PR for that. Distributing just saml2aws and aws-iam-authenticator with the kubeconfig would be great.

Edit: Not that easy apparently. The client-exec thing kubectl uses seems to capture all stdout.

kuzaxak commented 4 years ago

We are using a small bash script:

#!/bin/bash
# Wrapper invoked by kubectl's exec plugin: the first argument is the saml2aws
# profile, the rest is the aws-iam-authenticator command line.
profile=$1
shift

# Log in non-interactively; stdout and stderr are closed so nothing from the login
# reaches kubectl, which expects only the ExecCredential JSON on stdout.
saml2aws --skip-prompt -a "$profile" login >&- 2>&-
exec saml2aws exec -a "$profile" "$@"

together with kube config:

    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - company-beta
      - --
      - aws-iam-authenticator
      - token
      - --forward-session-name
      - -i
      - cluster_name
      - -r
      - arn:aws:iam::XXXXX:role/XXX
      command: saml2aws-kube
      env: null

danmx commented 3 years ago

with credentials_process support (https://github.com/Versent/saml2aws/issues/120) and aws eks get-token you can resolve this issue

kuzaxak commented 3 years ago

> with credentials_process support (#120) and aws eks get-token you can resolve this issue

We are not using EKS, just Kops cluster with aws-iam-authenticator.

Thank you for the link we will follow this feature and try it out.

danmx commented 3 years ago

@kuzaxak we are using kops with aws-iam-authenticator too. aws eks get-token just signs the token with SigV4 and it's not restricted to EKS.

radityasurya commented 3 years ago

@danmx I tried your approach but it seems that it crashed if saml2aws asked for an authentication code.

I am trying to update my kubeconfig to use the aws profile with credential_process, but it keeps failing.

~/.aws/config

[profile aws-developer]
credential_process = saml2aws login --role=arn:aws:iam::123456789:role/EKS_Administrator --profile=aws-developer --skip-prompt --quiet --credential-process --credentials-file=/home/radityasurya/.aws/saml2aws_credentials
region = eu-west-1

There is no aws-developer profile in ~/.aws/credentials.

I configured saml2aws to write it to a different file, ~/.aws/saml2aws_credentials:

[aws-developer]
aws_access_key_id        = redacted
aws_secret_access_key    = redacted
aws_session_token        = redacted
aws_security_token       = redacted
x_principal_arn          = redacted
x_security_token_expires = 2021-04-16T12:37:16+02:00

And this is my .kube/config

- name: arn:aws:eks:eu-west-1:123456789:cluster/dev-eks
    user:
        exec:
            apiVersion: client.authentication.k8s.io/v1alpha1
            args:
              - token
              - -i
              - dev-eks
              - --cache
              - --forward-session-name
            command: aws-iam-authenticator
            env:
              - name: AWS_PROFILE
                value: dev-developer

But when I tried to run kubectl get pods it couldn't find any token.

It works when I run saml2aws login, but after the session expired I can't access it:

❯ kubectl get pods
No cached credential available.  Refreshing...
could not get token: ProcessProviderExecutionError: error in credential_process
caused by: exit status 1
No cached credential available.  Refreshing...
could not get token: ProcessProviderExecutionError: error in credential_process
caused by: exit status 1
No cached credential available.  Refreshing...
could not get token: ProcessProviderExecutionError: error in credential_process
caused by: exit status 1
No cached credential available.  Refreshing...
could not get token: ProcessProviderExecutionError: error in credential_process
caused by: exit status 1
No cached credential available.  Refreshing...
could not get token: ProcessProviderExecutionError: error in credential_process
caused by: exit status 1
Unable to connect to the server: getting credentials: exec: exit status 1

Is it possible to re-authenticate without saml2aws login? and do it with kubectl command?

sledigabel commented 3 years ago

Hi @radityasurya, I suspect the problem is that saml2aws is prompting you for your 2FA when you use saml2aws login, am I right? In which case I'm afraid the credential process cannot work, as it's not taking any STDIN. You'll have to log in separately for the time being.

I was exploring an option to use an OS-level prompter instead of the CLI for this, which would technically render the saml2aws process synchronous from a login perspective, but I haven't had the chance to experiment with it yet.
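The situation described in this answer, credential_process running with no stdin to answer a 2FA prompt, suggests a helper like the one below, an added example that is not saml2aws's code or anything posted in this thread: it serves cached saml2aws credentials (file layout as quoted earlier in the thread) in the JSON shape credential_process expects, and exits non-zero with an explicit message once they are expired or about to expire, so a failing kubectl call tells the user to run saml2aws login in a terminal instead of crashing on the prompt. The credentials path and profile name passed on the command line, the 300-second skew, the sample key values and the assumption that saml2aws writes the expiry with a UTC offset are all assumptions of this example.

```python
import configparser
import json
import sys
from datetime import datetime, timezone

REQUIRED = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token",
            "x_security_token_expires")  # keys saml2aws writes, as quoted in the thread

# Constructed sample credentials file mirroring the layout quoted above.
SAMPLE = """[aws-developer]
aws_access_key_id        = AKIAEXAMPLE
aws_secret_access_key    = secretexample
aws_session_token        = tokenexample
x_security_token_expires = 2021-04-16T12:37:16+02:00
"""

def load_profile(text, profile):
    """Parse ini-style credentials text; KeyError if the profile section is missing."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp[profile])

def is_valid(section, now_iso=None, skew_seconds=300):
    """True if all keys exist and the token outlives now by more than skew_seconds."""
    if any(k not in section for k in REQUIRED):
        return False
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    # Assumed: saml2aws writes the expiry with a UTC offset, so both sides are aware.
    exp = datetime.fromisoformat(section["x_security_token_expires"])
    return (exp - now).total_seconds() > skew_seconds

def to_credential_process(section):
    """Shape the profile into the JSON document credential_process must print."""
    return {"Version": 1, "AccessKeyId": section["aws_access_key_id"],
            "SecretAccessKey": section["aws_secret_access_key"],
            "SessionToken": section["aws_session_token"],
            "Expiration": section["x_security_token_expires"]}

def main(argv):
    # Usage: helper.py <credentials-file> <profile>; no stdin here, so never try the 2FA login.
    with open(argv[1]) as fh:
        section = load_profile(fh.read(), argv[2])
    if not is_valid(section):
        print(f"saml2aws session for {argv[2]} expired; run 'saml2aws login'", file=sys.stderr)
        return 1
    json.dump(to_credential_process(section), sys.stdout)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```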

radityasurya commented 3 years ago

@sledigabel yeah, it asked for 2FA, and it crashed.

So basically as a workaround when it couldn't find any credentials, it needs to be supplied from saml2aws login right?

sledigabel commented 3 years ago

yeah I don't think the credential process is going to give you a lot of value here; I'd revert to using saml2aws login and write the credentials to the default location, at least for now.