ministryofjustice / cloud-platform

Documentation on the MoJ cloud platform
MIT License

FIREBREAK: Accessing EKS clusters with SSO #5194

Open poornima-krishnasamy opened 8 months ago

poornima-krishnasamy commented 8 months ago

Background

EKS aws-auth has the provision to add SSO Administrator role. Can Cloud Platform utilize this provision and get rid of individual IAM users added in the cluster config? https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/aws-accounts/cloud-platform-aws/vpc/eks/cluster.tf#L195-L268

Guide on configuring SSO with admin role: https://aws.amazon.com/blogs/containers/a-quick-path-to-amazon-eks-single-sign-on-using-aws-sso/

If we can perform terraform and aws cli operations using the SSO, we would benefit from using short-lived creds and can get rid of our IAM users altogether. This will also avoid storing the long-term creds locally to perform these operations.

Questions / Assumptions

Definition of done

kyphutruong commented 1 month ago

Configuring aws cli config profile to use SSO

AWS docs state there are two ways to authenticate users with IAM Identity Center to get credentials to run AWS CLI commands through the config file:

In both configurations, you need to sign in again when your session expires.

When running terraform using the recommended config, the following error occurs:

➜  vpc git:(main) ✗ terraform init
Initializing modules...
Downloading git::https://github.com/ministryofjustice/cloud-platform-terraform-route53-logs.git?ref=1.0.4 for route53_query_log...
- route53_query_log in .terraform/modules/route53_query_log
Downloading registry.terraform.io/terraform-aws-modules/s3-bucket/aws 3.15.1 for route53_query_log.s3_bucket_query_log...
- route53_query_log.s3_bucket_query_log in .terraform/modules/route53_query_log.s3_bucket_query_log

Initializing the backend...
╷
│ Error: error configuring S3 Backend: Error creating AWS session: profile "moj-cp" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

The platform is still built on terraform v1.25, and this version doesn't support the recommended config. We have to use legacy config for now.

We can start to use the up-to-date recommended config when we start to use terraform 1.6.0 - issue discussed in community thread
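Added example, not code from the issue thread or the cloud-platform repo: a small POSIX shell check that classifies an AWS CLI profile as the recommended sso-session form or the legacy inline form, so the "missing required configuration: sso_region, sso_start_url" error quoted above can be caught before running terraform init. The profile name moj-cp comes from the error message; the start URL, account id and role name are placeholders.

```shell
#!/bin/sh
# Added example (not from the cloud-platform repo): classify how an AWS CLI profile is
# set up for IAM Identity Center (SSO). Both config files below are constructed samples;
# the start URL, account id and role name are placeholders.

# Recommended form: SSO details live in a separate [sso-session] section.
RECOMMENDED_CFG=$(mktemp)
cat > "$RECOMMENDED_CFG" <<'EOF'
[profile moj-cp]
sso_session = moj
sso_account_id = 111111111111
sso_role_name = AdministratorAccess

[sso-session moj]
sso_start_url = https://EXAMPLE.awsapps.com/start
sso_region = eu-west-2
sso_registration_scopes = sso:account:access
EOF

# Legacy form: the same details inline in the profile, which the older backend accepts.
LEGACY_CFG=$(mktemp)
cat > "$LEGACY_CFG" <<'EOF'
[profile moj-cp]
sso_start_url = https://EXAMPLE.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
EOF

# check_sso_profile <config-file> <profile-name>
# Prints "sso-session", "legacy" or "none" depending on which keys the profile carries.
check_sso_profile() {
  section=$(awk -v p="[profile $2]" '
    $0 == p { insec = 1; next }   # start collecting at the requested profile
    /^\[/   { insec = 0 }         # any other section header ends it
    insec   { print }' "$1")
  if printf '%s\n' "$section" | grep -q '^[[:space:]]*sso_session[[:space:]]*='; then
    echo "sso-session"
  elif printf '%s\n' "$section" | grep -q '^[[:space:]]*sso_start_url[[:space:]]*=' &&
       printf '%s\n' "$section" | grep -q '^[[:space:]]*sso_region[[:space:]]*='; then
    echo "legacy"
  else
    echo "none"
  fi
}

check_sso_profile "$RECOMMENDED_CFG" moj-cp   # sso-session: triggers the error with the old backend
check_sso_profile "$LEGACY_CFG" moj-cp        # legacy: works with the current terraform version
```

Run it against your own ~/.aws/config and profile name before terraform init; a result of "sso-session" means the profile will hit the error shown above until the platform moves to a backend that supports it.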

kyphutruong commented 1 month ago

Working branch