aws-mfa-secure
K8s integration with IAM Role
When running aws eks update-kubeconfig with --role-arn, a new entry is created under .kube/config, which contains the following:
- name: arn:aws:eks:eu-west-1:123456789:cluster/xxx
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - eu-west-1
      - eks
      - get-token
      - --cluster-name
      - yyy
      - --role
      - arn:aws:iam::123456789:role/admin
      command: aws
Any kubectl command or IDE for k8s failed to run due to the fact that alias aws="aws-mfa-secure session" contains a space; this caused the kubeconfig to fail the command.
My questions are:
- Do you have any workaround?
- Can you add another command to skip the session usage? (e.g. aws-mfa-secure without the session)
Possible workaround can be:
- name: arn:aws:eks:eu-west-1:123456789:cluster/xxx
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - session
      - --region
      - eu-west-1
      - eks
      - get-token
      - --cluster-name
      - yyy
      - --role
      - arn:aws:iam::123456789:role/admin
      command: aws-mfa-secure
as the alias is somehow blocking the passing of the additional needed arguments. This will require everyone that is using EKS + aws-mfa-secure to update the kube/config manually. I'd like to avoid it and use the aws command.
@tongueroo maybe a simple workaround from the aws-mfa-secure side would be to add "busybox style" linked scripts which use the filename as the command (and will act as the alias),
for example: aws-mfa-secure-session will be translated into the aws-mfa-secure session command.
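One way the link-name dispatch suggested in the comment above could look, as an added example that is not part of the original thread and not aws-mfa-secure's own code. The link name aws-mfa-secure-session comes from the comment; the dispatcher file name, the install path and the subcommand allowlist are assumptions.

```shell
#!/bin/sh
# Added example: multi-call ("busybox style") dispatcher for aws-mfa-secure.
# kubectl runs the kubeconfig `command` directly, without a shell, so shell
# aliases are never consulted; a real executable on PATH is.
# Install once, then link it under each name (paths are hypothetical):
#   ln -s aws-mfa-secure-dispatch ~/bin/aws-mfa-secure-session
# kubeconfig can then use `command: aws-mfa-secure-session`, args unchanged.

# Subcommands that may be selected through the file name (assumption: only
# `session`, the one discussed in this thread). Anything else is refused so
# that a stray link name cannot select an arbitrary subcommand.
ALLOWED_SUBCOMMANDS="session"

# subcommand_for NAME: print the subcommand encoded in NAME, or return 1.
subcommand_for() {
  base=${1##*/}                         # strip any directory part
  case "$base" in
    aws-mfa-secure-?*) sub=${base#aws-mfa-secure-} ;;
    *) return 1 ;;
  esac
  for allowed in $ALLOWED_SUBCOMMANDS; do
    if [ "$sub" = "$allowed" ]; then
      printf '%s\n' "$sub"
      return 0
    fi
  done
  return 1
}

# Dispatch only when invoked through a recognised link name; under any other
# name (for example when the file is sourced) nothing is executed.
if sub=$(subcommand_for "$0"); then
  # exec replaces this process and "$@" forwards every argument as-is,
  # so the kubeconfig args reach aws-mfa-secure unmodified.
  exec aws-mfa-secure "$sub" "$@"
fi
```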
@tongueroo any estimation here?
No estimate. Will consider and review PRs. No sweat either way of course 👍