aws / aws-toolkit-azure-devops

AWS Toolkit for Azure DevOps

AWS native EKS Auth using 'Kubernetes Service Connection' #299

Open lachlanbb opened 4 years ago

lachlanbb commented 4 years ago

Could we have a 'Kubernetes Service Connection' that supports rotating EKS tokens as they expire?

Given there is a considerable number of plugins that support 'Kubernetes Service Connection' it would be better if you could make a provider for the 'Kubernetes Service Connection' that can use a role from an AWS 'Service Connection' provider to regenerate the token after it expires.

The process for doing this is running aws eks get-token --name $CLUSTER_NAME when assumed as a role that has been directly bound to a system role within Kubernetes.

I currently use the AWS CLI shell plugin to generate this token and pass it to the native helm release / other plugins via environment... We use the AWS Service Connection extensively and VSTS can now use a 'Kubernetes Service Connection' directly for many plugins and features.

It's also worth mentioning all our VSTS agents run EKS and use IAM roles via Kube2IAM.

BillyBlomkins commented 4 years ago

This feature would be super handy.

lachlanbb commented 4 years ago

This is possible using the 'Kubernetes Service Connection' type and when running vsts agents on Kubernetes or an AWS instance.

1) Generate a kubeconfig from "aws eks update-kubeconfig --cluster-name k8s-ssp --role-arn AdminKubernetes"

2) Provide VSTS agent container / instance with an appropriate IAM role using either kube2iam or Roles for Service accounts

3) Release job needs to use a plugin that supports connectionType: 'Kubernetes Service Connection'

IAM role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeClusters",
      "Effect": "Allow",
      "Action": [
        "eks:ListTagsForResource",
        "eks:DescribeUpdate",
        "eks:ListUpdates",
        "eks:DescribeCluster"
      ],
      "Resource": "arn:aws:eks:ap-southeast-2:{ACCOUNT_ID}:cluster/k8s-ssp"
    },
    {
      "Sid": "ListClusters",
      "Effect": "Allow",
      "Action": "eks:ListClusters",
      "Resource": "*"
    },
    {
      "Sid": "AssumeKubernetesAdminRole",
      "Effect": "Allow",
      "Action": [
        "iam:AssumeRole"
      ],
      "Resource": "arn:aws:iam::{ACCOUNT_ID}:role/AdminKubernetes"
    }
  ]
}
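An added example, not part of this issue or of the toolkit, showing the two halves of the workaround above in code: a kubeconfig whose user entry runs `aws eks get-token --role-arn ...` on every use (the same exec-plugin shape `aws eks update-kubeconfig` writes), so the agent's IAM role is assumed and a fresh token produced each time instead of a static token being pasted into the service connection, plus a check on the ExecCredential JSON that `get-token` prints to decide whether a stored token is about to expire. The cluster name and region come from the thread; the endpoint, CA data, role ARN, timestamps and token value are constructed placeholders.

```python
import json
import subprocess
from datetime import datetime, timedelta, timezone

EXEC_API = "client.authentication.k8s.io/v1beta1"

# Constructed sample of what `aws eks get-token` prints; token and timestamp are placeholders.
SAMPLE_EXEC_CREDENTIAL = json.dumps({
    "kind": "ExecCredential", "apiVersion": EXEC_API, "spec": {},
    "status": {"expirationTimestamp": "2024-01-01T00:14:00Z",
               "token": "k8s-aws-v1.PLACEHOLDER"},
})


def _parse_utc(stamp):
    """Parse the UTC RFC 3339 form used by expirationTimestamp (e.g. 2024-01-01T00:14:00Z)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def token_needs_refresh(exec_credential_json, now_utc, margin_seconds=120):
    """True when the token in an ExecCredential document expires within margin_seconds of now_utc."""
    status = json.loads(exec_credential_json)["status"]
    remaining = _parse_utc(status["expirationTimestamp"]) - _parse_utc(now_utc)
    return remaining <= timedelta(seconds=margin_seconds)


def get_token_args(cluster_name, region, role_arn=None):
    """Argument list for `aws eks get-token`; --role-arn makes the CLI assume that role first."""
    args = ["eks", "get-token", "--cluster-name", cluster_name, "--region", region]
    if role_arn:
        args += ["--role-arn", role_arn]
    return args


def fetch_exec_credential(cluster_name, region, role_arn=None):
    """Run the AWS CLI on the agent and return its ExecCredential JSON (needs AWS credentials)."""
    out = subprocess.run(["aws"] + get_token_args(cluster_name, region, role_arn),
                         check=True, capture_output=True, text=True)
    return out.stdout


def exec_kubeconfig(cluster_name, endpoint, ca_data, region, role_arn=None):
    """Kubeconfig as a dict (JSON is valid YAML) whose user entry regenerates the token on each call."""
    return {
        "apiVersion": "v1", "kind": "Config", "current-context": cluster_name,
        "clusters": [{"name": cluster_name,
                      "cluster": {"server": endpoint, "certificate-authority-data": ca_data}}],
        "users": [{"name": cluster_name, "user": {"exec": {
            "apiVersion": EXEC_API, "command": "aws",
            "args": get_token_args(cluster_name, region, role_arn)}}}],
        "contexts": [{"name": cluster_name,
                      "context": {"cluster": cluster_name, "user": cluster_name}}],
    }
```

Writing `json.dumps(exec_kubeconfig(...))` to a file and pointing KUBECONFIG at it gives kubectl and helm a token that is regenerated under the assumed role on every call, which is what a static-token service connection cannot do.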