Closed. maiconrocha closed this issue 3 months ago.
Hi @maiconrocha - thanks for reaching out.
As mentioned internally (P34947944), any changes to the API will have to be requested from the service team, and we track service team requests in our cross-SDK repo, which I'm going to transfer this to.
I'll follow up on the service team ticket and post here once there's an update.
Thanks
Since this was opened by an internal member, addressed in an internal ticket, and related to the service API rather than the SDK, I'm going to close this.
Please reach out to me if there are any questions!
Describe the feature
Currently, the `aws eks get-token` API does not offer federated users a `--forward-session-name` option to map the original caller-specified-role-name attribute onto the new STS assumed session. This can be helpful for quickly answering "who performed action X on the K8s cluster".
`EKSGetTokenAuth` is the default value being set on the `RoleSessionName`: https://github.com/aws/aws-cli/blob/08a7df3ff308fa824ba054ac4b0c335909a6d806/awscli/customizations/eks/get_token.py#L131C30-L131C45
Customers would like to see the user identity value on the `RoleSessionName` instead.
AWS IAM Authenticator provides this option with the flag `--forward-session-name`.
Customers would like to see the AWS CLI being the de facto standard, without having to rely on AWS IAM Authenticator to provide this feature.
Use Case
I am working with a customer who is using a SAML federated user and would like the `aws eks get-token` API to forward the user identity from the identity provider on the `RoleSessionName`.
Proposed Solution
Implement the same functionality that AWS IAM Authenticator provides when using the flag `--forward-session-name`, which maps the original caller-specified-role-name attribute onto the new STS assumed session.
Other Information
The customer has followed the best practice at https://aws.github.io/aws-eks-best-practices/security/docs/iam/#use-iam-roles-when-multiple-users-need-identical-access-to-the-cluster to include `{{SessionName}}` in the username mapping, and this is where we would like to see the actual user id.
CLI version used
1.29.62
Environment details (OS name and version, etc.)
macOS ventura 13.6
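The following is an added example, not code from the aws-cli project or from AWS IAM Authenticator, sketching what the requested behaviour would look like for attribution purposes. It assumes the caller identity ARN comes from `sts get-caller-identity` (here a constructed string), derives the caller-specified session name from an `assumed-role/` or `federated-user/` ARN, falls back to the CLI's current default `EKSGetTokenAuth` when there is nothing to forward, and checks the result against the STS `AssumeRole` `RoleSessionName` constraints (2 to 64 characters matching `[\w+=,.@-]*`). It then renders the `{{SessionName}}` placeholder the best-practice page recommends in the `aws-auth` username, which is what ends up in the Kubernetes audit log. The function names and the exact forwarding semantics are assumptions, not the authenticator's implementation.

```python
import re
from typing import Optional

# Default RoleSessionName the CLI's get-token sets today (from the issue).
DEFAULT_SESSION_NAME = "EKSGetTokenAuth"

# STS AssumeRole RoleSessionName: 2-64 chars, pattern [\w+=,.@-]*
_DISALLOWED = re.compile(r"[^\w+=,.@-]")
_MAX_LEN = 64
_MIN_LEN = 2


def session_name_from_arn(caller_arn: str) -> Optional[str]:
    """Return the caller-specified session name carried by a temporary
    credential ARN, or None when the caller has no session name.

    Constructed ARN shapes handled here:
      arn:aws:sts::123456789012:assumed-role/RoleName/session-name
      arn:aws:sts::123456789012:federated-user/name
      arn:aws:iam::123456789012:user/name   (long-lived IAM user, no session)
    """
    parts = caller_arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"malformed ARN: {caller_arn!r}")
    resource = parts[5]
    if resource.startswith("assumed-role/"):
        pieces = resource.split("/", 2)
        return pieces[2] if len(pieces) == 3 and pieces[2] else None
    if resource.startswith("federated-user/"):
        name = resource.split("/", 1)[1]
        return name or None
    return None


def sanitize_session_name(name: str) -> str:
    """Coerce a name into something STS will accept as RoleSessionName.
    Characters outside [\\w+=,.@-] become '-', and the result is truncated
    to 64 characters; anything shorter than 2 characters falls back to the
    default so the AssumeRole call does not fail."""
    cleaned = _DISALLOWED.sub("-", name)[:_MAX_LEN]
    return cleaned if len(cleaned) >= _MIN_LEN else DEFAULT_SESSION_NAME


def choose_role_session_name(caller_arn: str, forward_session_name: bool) -> str:
    """Pick the RoleSessionName for the STS session behind the EKS token.
    With forwarding off (today's behaviour) the constant default is used;
    with forwarding on, the caller's own session name is reused when present."""
    if not forward_session_name:
        return DEFAULT_SESSION_NAME
    inherited = session_name_from_arn(caller_arn)
    if inherited is None:
        return DEFAULT_SESSION_NAME
    return sanitize_session_name(inherited)


def render_username(template: str, session_name: str) -> str:
    """Render an aws-auth username template such as 'admin:{{SessionName}}'
    the way the identity will appear in Kubernetes audit events."""
    return template.replace("{{SessionName}}", session_name)


if __name__ == "__main__":
    # Constructed SAML caller identity: the IdP put the user's email into the
    # session name when the federated role was assumed.
    caller = "arn:aws:sts::123456789012:assumed-role/SAMLAdmin/alice@example.com"
    for forward in (False, True):
        rsn = choose_role_session_name(caller, forward)
        print(f"forward={forward}: RoleSessionName={rsn} -> "
              f"k8s user={render_username('admin:{{SessionName}}', rsn)}")
```

With forwarding off every federated user maps to `admin:EKSGetTokenAuth`, so the audit log cannot distinguish them; with forwarding on the same `aws-auth` entry yields `admin:alice@example.com`.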