Open jbarop opened 3 years ago
With the Kubernetes provider, as well as the Helm and kubectl providers, the exec() method of authentication is preferred over the static token using the describe-addon-versions data source. With the exec() method you are able to use an assumed role for authenticating to the cluster.
@bryantbiggs What is the reason exec() is preferred? I think it is much cleaner to let the provider deal with it through aws_eks_cluster_auth instead of shelling out to awscli, which means I also need to have a fully working and authenticated awscli environment available where I do my CI.
Also, from what's written in the current docs [1], it seems like the token is pretty much the same short-lived token as you would get from using exec().
[1] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth
Yeah, I agree with @benben... The exec method feels kinda scummy, shelling out and requiring another binary, which in this case means the shell environment also needs to be set up to authenticate to AWS. Much nicer to have options fully contained by the Terraform provider binaries.
I would suggest opening an issue on the respective provider to improve that process - it's not related to the AWS provider, though.
Description
When an EKS cluster is created, only the IAM user who created the cluster has access to it. To grant access to other users, there are 2 possibilities: adding the individual users to the aws-auth ConfigMap, or the user needs to assume a role just before generating a token. The latter is currently not possible with aws_eks_cluster_auth because a role cannot be specified. Using the token without assuming the role will result in an Unauthorized error.
New or Affected Resource(s)
Potential Terraform Configuration
Workaround:
I found a workaround by using a second aws provider configuration. But I think it would be nice if aws_eks_cluster_auth could do this directly, especially because aws-iam-authenticator already offers the option.
References
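The two approaches the thread compares, written out as an added example (this is not the issue author's configuration, nor anything from the AWS or Kubernetes providers' documentation). The "second aws provider configuration" workaround from the description is shown first: the role is assumed at the provider level with assume_role, and aws_eks_cluster_auth is pointed at that aliased provider, so the token it returns is signed by the role rather than by the CI identity. The exec() alternative from the first comment follows, where the AWS CLI does the assumption via `aws eks get-token --role-arn`. The cluster name, region, role ARN and the aliases eks_admin, token and exec are placeholders.

```hcl
# Added example: token-as-assumed-role for EKS, two ways.
# Cluster name, region and role ARN are placeholders.

variable "cluster_name" {
  type    = string
  default = "example-cluster" # placeholder
}

variable "eks_admin_role_arn" {
  type    = string
  default = "arn:aws:iam::123456789012:role/eks-admin" # placeholder
}

# Default provider: the CI identity. It is not mapped in aws-auth, so a token
# generated as this identity gets "Unauthorized" from the API server.
provider "aws" {
  region = "eu-central-1" # placeholder
}

# Workaround from the issue: a second provider configuration that assumes the
# role that IS mapped in aws-auth (mapRoles). aws_eks_cluster_auth has no role
# argument, so the assumption has to happen here, at the provider level.
provider "aws" {
  alias  = "eks_admin"
  region = "eu-central-1" # placeholder

  assume_role {
    role_arn     = var.eks_admin_role_arn
    session_name = "terraform-eks-auth"
  }
}

data "aws_eks_cluster" "this" {
  name = var.cluster_name
}

# Token signed by the assumed role; the API server sees the role, not the CI user.
data "aws_eks_cluster_auth" "this" {
  provider = aws.eks_admin
  name     = var.cluster_name
}

# Fully contained in provider binaries: no CLI needed on the runner.
provider "kubernetes" {
  alias                  = "token"
  host                   = data.aws_eks_cluster.this.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
  token                  = data.aws_eks_cluster_auth.this.token
}

# exec() alternative from the first comment: shells out to the AWS CLI, which
# assumes the role itself. Requires a configured, authenticated CLI on the runner.
provider "kubernetes" {
  alias                  = "exec"
  host                   = data.aws_eks_cluster.this.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)

  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args = [
      "eks", "get-token",
      "--cluster-name", var.cluster_name,
      "--role-arn", var.eks_admin_role_arn,
    ]
  }
}
```

Two things to check before relying on either variant: the CI identity needs sts:AssumeRole on the role (the role's trust policy must allow it), and the role, not the CI identity, must appear in the aws-auth ConfigMap. The token in both cases is the same short-lived presigned STS token, so with the data-source variant it is fetched at plan time and a long apply can outlive it; the exec variant refreshes it on demand, which is the practical argument for exec that the thread does not spell out.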