Open tolidano opened 4 years ago
Right now, what I'm doing is:

1. run `saml2aws login`
2. run `s2a` to put the creds into my env as env vars
3. modify this to just run `aws-iam-authenticator` directly

However, I'd like to be able to do the entire process after the kubectl command and let this yaml exec block handle it.
So I am in a similar situation. And I do have a "solution" for your problem.

```yaml
users:
- name: example
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - exec
      - --
      - aws-iam-authenticator
      - token
      - -i
      - example
      - -r
      - arn:aws:iam::111111111111:role/admin
      command: saml2aws
```

But I am still looking into whether it's possible to do the `saml2aws login` automatically for `exec`, like it's done for the `console` command. If not, I'll have to do a PR for that. Distributing just saml2aws and aws-iam-authenticator with the kubeconfig would be great.

Edit: Not that easy apparently. The client-exec thing kubectl uses seems to capture all stdout.
We are using a small bash script:

```bash
#!/bin/bash
# Usage: saml2aws-kube PROFILE -- aws-iam-authenticator token ...
profile=$1
shift
# Refresh the SAML session first; close stdout/stderr so nothing from the
# login step leaks into the output kubectl parses.
saml2aws --skip-prompt -a "$profile" login >&- 2>&-
# Run the remaining args (the aws-iam-authenticator call) with the profile's credentials
exec saml2aws exec -a "$profile" "$@"
```

together with kube config:

```yaml
exec:
  apiVersion: client.authentication.k8s.io/v1alpha1
  args:
  - company-beta
  - --
  - aws-iam-authenticator
  - token
  - --forward-session-name
  - -i
  - cluster_name
  - -r
  - arn:aws:iam::XXXXX:role/XXX
  command: saml2aws-kube
  env: null
```
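A hardened variant of the wrapper idea above, added here as an example that is not from this thread or the saml2aws project. It assumes the script is installed as `saml2aws-kube`, that saml2aws writes its `x_security_token_expires` line to the credentials file (path taken from an assumed `SAML2AWS_CREDENTIALS_FILE` variable, default `~/.aws/credentials`), and that the kubeconfig passes `PROFILE -- aws-iam-authenticator token ...` exactly as above; it only re-runs `saml2aws login` when the cached token is about to expire, and sends that step's output to stderr because kubectl parses the plugin's stdout as ExecCredential JSON.

```shell
#!/bin/sh
# saml2aws-kube (assumed name): kubeconfig exec wrapper invoked as
#   saml2aws-kube PROFILE -- aws-iam-authenticator token ...
# Re-runs `saml2aws login` only when the cached STS token is near expiry and keeps
# saml2aws's output off stdout, which kubectl parses as ExecCredential JSON.

# epoch_from_iso 2021-04-16T12:37:16+02:00 -> Unix seconds, in pure shell arithmetic
# (days-from-civil), so no GNU `date -d`. Accepts the RFC 3339 form saml2aws writes.
epoch_from_iso() {
  y=${1%%-*}; r=${1#*-}; m=${r%%-*}; r=${r#*-}; d=${r%%T*}; r=${r#*T}
  H=${r%%:*}; r=${r#*:}; M=${r%%:*}; r=${r#*:}; S=${r%%[+Z-]*}; tz=${r#"$S"}
  m=${m#0}; d=${d#0}; H=${H#0}; M=${M#0}; S=${S#0}   # keep "08" from reading as octal
  off=0
  case $tz in [+-]??:??)
    h=${tz#?}; h=${h%%:*}; h=${h#0}; n=${tz#*:}; n=${n#0}; off=$(( h * 3600 + n * 60 ))
    case $tz in -*) off=$(( -off )) ;; esac ;;
  esac
  if [ "$m" -le 2 ]; then y=$(( y - 1 )); mm=$(( m + 9 )); else mm=$(( m - 3 )); fi
  era=$(( y / 400 )); yoe=$(( y - era * 400 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + (153 * mm + 2) / 5 + d - 1 ))
  echo $(( (era * 146097 + doe - 719468) * 86400 + H * 3600 + M * 60 + S - off ))
}

# token_expiry FILE PROFILE -> x_security_token_expires under [PROFILE], or nothing
token_expiry() {
  awk -v p="[$2]" '$0 == p { in_p = 1; next } /^\[/ { in_p = 0 }
    in_p && $1 == "x_security_token_expires" { print $3; exit }' "$1" 2>/dev/null
}

# needs_login FILE PROFILE NOW_EPOCH [MARGIN] -> exit 0 when `saml2aws login` must run:
# no cached token, or one expiring within MARGIN seconds (default 300) of NOW_EPOCH
needs_login() {
  exp=$(token_expiry "$1" "$2") || return 0
  [ -n "$exp" ] || return 0
  [ "$(epoch_from_iso "$exp")" -le $(( $3 + ${4:-300} )) ]
}

main() {
  profile=$1; shift
  creds=${SAML2AWS_CREDENTIALS_FILE:-$HOME/.aws/credentials}   # assumed override variable
  if needs_login "$creds" "$profile" "$(date +%s)"; then
    saml2aws --skip-prompt -a "$profile" login >&2   # stdout belongs to kubectl
  fi
  exec saml2aws exec -a "$profile" "$@"              # "$@" still carries the `--`
}

# Run main only when invoked as the plugin script; sourcing just defines the functions.
case ${0##*/} in saml2aws-kube) main "$@" ;; esac
```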
With credentials_process support (https://github.com/Versent/saml2aws/issues/120) and `aws eks get-token` you can resolve this issue.
We are not using EKS, just a Kops cluster with aws-iam-authenticator. Thank you for the link; we will follow this feature and try it out.
@kuzaxak we are using kops with aws-iam-authenticator too. `aws eks get-token` just signs the token with SigV4 and it's not restricted to EKS.
@danmx I tried your approach but it seems that it crashed if saml2aws asked for an authentication code.
I am trying to update my kubeconfig to use the AWS profile with `credential_process`, but it keeps failing.

`~/.aws/config`:

```ini
[profile aws-developer]
credential_process = saml2aws login --role=arn:aws:iam::123456789:role/EKS_Administrator --profile=aws-developer --skip-prompt --quiet --credential-process --credentials-file=/home/radityasurya/.aws/saml2aws_credentials
region = eu-west-1
```

There is no aws-developer profile in `~/.aws/credentials`. I configured saml2aws to write it to a different file, `~/.aws/saml2aws_credentials`:

```ini
[aws-developer]
aws_access_key_id = redacted
aws_secret_access_key = redacted
aws_session_token = redacted
aws_security_token = redacted
x_principal_arn = redacted
x_security_token_expires = 2021-04-16T12:37:16+02:00
```

And this is my `.kube/config`:

```yaml
- name: arn:aws:eks:eu-west-1:123456789:cluster/dev-eks
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - token
      - -i
      - dev-eks
      - --cache
      - --forward-session-name
      command: aws-iam-authenticator
      env:
      - name: AWS_PROFILE
        value: dev-developer
```

But when I tried to run `kubectl get pods`, it couldn't find any token. It works when I run `saml2aws login`, but after the session expired I can't access it:

```
❯ kubectl get pods
No cached credential available. Refreshing...
could not get token: ProcessProviderExecutionError: error in credential_process
caused by: exit status 1
No cached credential available. Refreshing...
could not get token: ProcessProviderExecutionError: error in credential_process
caused by: exit status 1
No cached credential available. Refreshing...
could not get token: ProcessProviderExecutionError: error in credential_process
caused by: exit status 1
No cached credential available. Refreshing...
could not get token: ProcessProviderExecutionError: error in credential_process
caused by: exit status 1
No cached credential available. Refreshing...
could not get token: ProcessProviderExecutionError: error in credential_process
caused by: exit status 1
Unable to connect to the server: getting credentials: exec: exit status 1
```

Is it possible to re-authenticate without `saml2aws login`, and do it with the kubectl command?
Hi @radityasurya, I suspect the problem is that saml2aws is prompting you for your 2FA when you use `saml2aws login`, am I right? In which case I'm afraid the credential process cannot work, as it's not taking any STDIN. You'll have to log in separately for the time being.

I was exploring an option to use an OS-level prompter instead of the CLI for this, which would technically render the saml2aws process synchronous from a login perspective, but I haven't got the chance to experiment with it yet.
@sledigabel yeah, it asked for 2FA, and it crashed. So basically, as a workaround, when it couldn't find any credentials they need to be supplied from `saml2aws login`, right?
Yeah, I don't think the credential process is going to give you a lot of value here; I'd revert to using `saml2aws login` and write the credentials to the default location, at least for now.
Here's a snip of how we were using aws-okta:
How can I do this with saml2aws?