aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/

Implement --forward-session-name feature that iam authenticator has to the eks get token api #619

Closed maiconrocha closed 3 months ago

maiconrocha commented 8 months ago

Describe the feature

Currently, the aws eks get-token API does not offer federated users the option to forward the session name, i.e. to map the original caller-specified-role-name attribute onto the new STS assumed session. This can be helpful for quickly attempting to associate "who performed action X on the K8s cluster".

EKSGetTokenAuth is the default value being set on the RoleSessionName: https://github.com/aws/aws-cli/blob/08a7df3ff308fa824ba054ac4b0c335909a6d806/awscli/customizations/eks/get_token.py#L131C30-L131C45

And customers would like to see the user identity value on the RoleSessionName instead.

AWS IAM Authenticator provides this option with the flag --forward-session-name.

Customers would like to see the aws cli being the de facto standard, without having to rely on AWS IAM Authenticator to provide this feature.

Use Case

I am working with a customer who is using SAML federated users and would like the eks get-token API to forward the user identity from the identity provider on the RoleSessionName.

Proposed Solution

Implement the same functionality that AWS IAM Authenticator provides when using the flag --forward-session-name, which maps the original caller-specified-role-name attribute onto the new STS assumed session.

Other Information

The customer has followed the best practice https://aws.github.io/aws-eks-best-practices/security/docs/iam/#use-iam-roles-when-multiple-users-need-identical-access-to-the-cluster to include {{SessionName}}, and this is where we would like to see the actual user id.

Acknowledgements

CLI version used

1.29.62

Environment details (OS name and version, etc.)

macOS ventura 13.6
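For readers who want to see what "forwarding the session name" amounts to in practice, here is an added illustration of the logic; it is not code from aws-cli or aws-iam-authenticator. It assumes the caller's current identity is available from `sts:GetCallerIdentity`, takes the per-caller part of that ARN (the SAML NameID that became the session name of the federation role, or an IAM user name), and uses it as the `RoleSessionName` of the cluster-role assumption instead of the fixed `EKSGetTokenAuth`. The ARN formats, the hypothetical role ARN and the sanitisation against STS's `RoleSessionName` constraints (2 to 64 characters from `[\w+=,.@-]`) are assumptions made for the example, not behaviour documented on this page.

```python
"""Forward the caller's session name into an EKS cluster-role assumption.

Added illustration (not aws-cli / aws-iam-authenticator code) of the
--forward-session-name idea: derive RoleSessionName from the identity that is
about to assume the cluster role, so that {{SessionName}} in aws-auth resolves
to the federated user instead of the constant "EKSGetTokenAuth".
"""
import re
from typing import Optional

# What `aws eks get-token` sets today when it assumes a role for you.
DEFAULT_SESSION_NAME = "EKSGetTokenAuth"

# Assumed STS constraints for RoleSessionName: 2..64 chars of [\w+=,.@-].
_DISALLOWED = re.compile(r"[^\w+=,.@-]", re.ASCII)
_MAX_LEN = 64


def session_name_from_arn(caller_arn: str) -> Optional[str]:
    """Return the per-caller part of an IAM/STS principal ARN, or None.

    assumed-role/<role>/<session>  -> <session>   (SAML federation lands here)
    federated-user/<name>          -> <name>      (GetFederationToken)
    user/<path...>/<name>          -> <name>      (plain IAM user)
    root, role/<name>, anything else -> None      (nothing caller-specific)
    """
    resource = caller_arn.split(":", 5)[-1]  # e.g. "assumed-role/SAMLRole/jdoe"
    parts = resource.split("/")
    kind = parts[0]
    if kind == "assumed-role" and len(parts) >= 3:
        return parts[2]
    if kind in ("federated-user", "user") and len(parts) >= 2:
        return parts[-1]
    return None


def sanitize_session_name(name: str) -> Optional[str]:
    """Coerce an arbitrary identity string into a valid RoleSessionName."""
    cleaned = _DISALLOWED.sub("-", name)[:_MAX_LEN]
    return cleaned if len(cleaned) >= 2 else None


def choose_role_session_name(caller_arn: str, forward: bool = True) -> str:
    """Pick the session name for the cluster-role assumption.

    With forward=False this mirrors the current CLI behaviour; with
    forward=True it forwards the caller identity, falling back to the
    default when the ARN carries nothing caller-specific or unusable.
    """
    if not forward:
        return DEFAULT_SESSION_NAME
    name = session_name_from_arn(caller_arn)
    if name is None:
        return DEFAULT_SESSION_NAME
    return sanitize_session_name(name) or DEFAULT_SESSION_NAME


def assume_role_kwargs(role_arn: str, caller_arn: str, forward: bool = True) -> dict:
    """Arguments for sts.assume_role(); the resulting session ARN is
    arn:aws:sts::<acct>:assumed-role/<role>/<RoleSessionName>, which is what
    an aws-auth mapRoles username template such as
    "{{SessionName}}" is rendered from."""
    return {"RoleArn": role_arn,
            "RoleSessionName": choose_role_session_name(caller_arn, forward)}


if __name__ == "__main__":
    # Live usage; hypothetical cluster role, requires boto3 and AWS credentials.
    import boto3

    CLUSTER_ROLE_ARN = "arn:aws:iam::123456789012:role/eks-cluster-admin"
    sts = boto3.client("sts")
    caller = sts.get_caller_identity()["Arn"]
    kwargs = assume_role_kwargs(CLUSTER_ROLE_ARN, caller)
    assumed = sts.assume_role(**kwargs)
    print("caller:        ", caller)
    print("session name:  ", kwargs["RoleSessionName"])
    print("assumed as:    ", assumed["AssumedRoleUser"]["Arn"])
```

The fallback to `EKSGetTokenAuth` is deliberate: a root principal or an IAM role ARN has no caller-specific component, and silently emitting a malformed `RoleSessionName` would turn an audit improvement into a failed `AssumeRole`. The trust policy of the cluster role is unchanged by forwarding; only the session-name component that later shows up in CloudTrail and in the Kubernetes username differs.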

aBurmeseDev commented 8 months ago

Hi @maiconrocha - thanks for reaching out.

As mentioned internally (P34947944), any changes to the API will have to be requested from the service team, and we track service team requests in our cross-SDK repo, which I'm going to transfer this to.

I'll follow up on the service team ticket and post here once there's an update.

Thanks

aBurmeseDev commented 3 months ago

Since this was opened by an internal member, addressed in an internal ticket and relates to the service API rather than the SDK, I'm going to close this.

Please reach out to me if there's any questions!

github-actions[bot] commented 3 months ago

This issue is now closed.

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.