aws / aws-cli

Universal Command Line Interface for Amazon Web Services

Support a custom Session Name for `aws eks get-token` command #8976

Open murshed-panorama opened 1 month ago

murshed-panorama commented 1 month ago

Describe the feature

Add an option --role-session-name to be used in conjunction with the --role-arn flag for the aws eks get-token command.

This flag would override the currently hard-coded role session name of EKSGetTokenAuth if provided.

Use Case

Currently our organization uses the open source Leapp app to manage our role chaining and sessions. We are able to configure named sessions when authenticating to our EKS cluster, which allows us to identify authenticated users in the cluster for auditing and monitoring purposes.

Leapp's parent company has shut down and on top of that, we are exploring a new development platform where the Leapp desktop app is not supported.

One simple fix to this specific problem is supporting a custom role session name for the aws eks get-token, which is used in the ~/.kube/config file that is generated by aws eks update-kubeconfig command.

A snippet of the ~/.kube/config file might look like this below. Note fields marked with XXXXXXXXXXX are redacted.

```yaml
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: XXXXXXXXXXX
    server: https://XXXXXXXXXXX.gr7.us-east-1.eks.amazonaws.com:443
  name: arn:aws:eks:us-east-1:123456789012:cluster/production
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:123456789012:cluster/production
    user: prod-access
  name: prod-admin
users:
- name: prod-access
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - staging
      - --output
      - json
      - --role-arn
      - arn:aws:iam::123456789012:role/eks-admin
      - --role-session-name
      - eks-admin-my-name-here@company.com
      command: aws
```

Currently, without being able to specify a role session name for aws eks get-token, the identity information looks like this.

```text
$ kubectl auth whoami
ATTRIBUTE                                              VALUE
Username                                               company-editor
UID                                                    aws-iam-authenticator:123456789012:XXXXXXXXXXX
Groups                                                 [company-editors system:authenticated]
Extra: accessKeyId                                     [XXXXXXXXXX]
Extra: arn                                             [arn:aws:sts::123456789012:assumed-role/company-dev-writer/EKSGetTokenAuth]
Extra: canonicalArn                                    [arn:aws:iam::851928862626:role/company-dev-writer]
Extra: principalId                                     [XXXXXXXXXX]
Extra: sessionName                                     [EKSGetTokenAuth]
Extra: sigs.k8s.io/aws-iam-authenticator/principalId   [XXXXXXXXXX]
```

Note the Extra field sessionName is set to EKSGetTokenAuth.

Proposed Solution

Update the STSClientFactory class method _get_role_credentials to add support for a role_session_name parameter. If provided, it would override the default of EKSGetTokenAuth.

Add role-session-name to the ARG_TABLE for this command.

As far as the Python code changes, they seem fairly small and straightforward, but I'm not familiar with the testing suite and so I am requesting this feature in the event that an existing maintainer can implement it (with tests) faster than I can.

Other Information

No response

Acknowledgements

CLI version used

aws-cli/2.18.0 Python/3.12.6 Linux/6.5.0-1025-azure exe/x86_64.ubuntu.20

Environment details (OS name and version, etc.)

GitHub Codespace (Linux codespaces-9d6cfb 6.5.0-1025-azure #26~22.04.1-Ubuntu SMP Thu Jul 11 22:33:04 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux)
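As an added illustration of the change proposed above (example code, not from aws-cli or the issue author): a pure-Python sketch of how an optional `role_session_name` could fall back to the hard-coded `EKSGetTokenAuth`, be validated against the STS `RoleSessionName` constraints before any `assume_role` call, and then be recovered from the assumed-role ARN that `kubectl auth whoami` reports under `Extra: arn`. The function names and the validation regex are assumptions, not part of the CLI.

```python
import re

# Session name the CLI hard-codes today, per the issue text.
DEFAULT_SESSION_NAME = "EKSGetTokenAuth"

# STS AssumeRole accepts RoleSessionName values of 2-64 characters
# drawn from [\w+=,.@-]; re.ASCII keeps \w to ASCII letters/digits/_.
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$", re.ASCII)

# Assumed-role ARN shape: arn:<partition>:sts::<account>:assumed-role/<role>/<session>
ASSUMED_ROLE_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)$"
)


def is_valid_session_name(name):
    """True if `name` satisfies the STS RoleSessionName constraints."""
    return bool(SESSION_NAME_RE.match(name))


def build_assume_role_params(role_arn, role_session_name=None):
    """Return the keyword arguments that would be handed to sts.assume_role().

    A caller-supplied role_session_name (e.g. the proposed --role-session-name
    flag) overrides the default; an invalid name is rejected up front so the
    audit trail never ends up with a silently truncated or mangled value.
    """
    name = role_session_name or DEFAULT_SESSION_NAME
    if not is_valid_session_name(name):
        raise ValueError(f"invalid RoleSessionName: {name!r}")
    return {"RoleArn": role_arn, "RoleSessionName": name}


def parse_assumed_role_arn(arn):
    """Split an STS assumed-role ARN into (account, role name, session name).

    This is the value a cluster auditor sees in `Extra: arn`; the third
    element is what the feature request wants to make caller-controlled.
    """
    m = ASSUMED_ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an assumed-role ARN: {arn!r}")
    return m.group(1), m.group(2), m.group(3)
```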

tim-finnigan commented 1 month ago

Thanks for the feature request. There is an internal EKS team maintaining this customization, so I will forward this feature request to them for review. We cannot provide any guarantees regarding if or when this might be considered, but others can continue to 👍 this issue to upvote it, or share more details on use cases here in the comments.

murshed-panorama commented 1 month ago

I've started a draft PR for this issue here:

https://github.com/aws/aws-cli/pull/8994

l-rossetti commented 1 week ago

Hello there, we are interested in this feature as well to identify authenticated users in the cluster for auditing and monitoring purposes.

Do you know about any alternative method to pass the SessionName when authenticating through the kubeconfig?