ygrene / iam-eks-user-mapper


Would be awesome to allow for more than one IAM group! #1

Open zacharysells opened 5 years ago

zacharysells commented 5 years ago

Firstly thank you for making this! It's extremely useful given the current limitations of the EKS auth mechanism.

In my environment, we have multiple EKS clusters. The devops team requires access to all clusters, while developers themselves only require access to a subset of the clusters. It would be awesome if the docker image could be expanded to enumerate more than one IAM group and compile a list of users to put in the mapUsers: section. That would allow us to have one 'global' admin group and one group per cluster.

zparnold commented 5 years ago

@zacharysells I totally did not see this! But yes, we could do something like that. That may require some storage mechanism. I partially walked away from this because it served our purpose but I think this is worth doing anyway for the benefit of the community. Do you use multiple AWS Accounts? Or just multiple clusters in one account?

zparnold commented 5 years ago

@zacharysells PR is up (and already deployed at Ygrene), let me know what you think

zacharysells commented 5 years ago

Thanks @zparnold, changes look great - nice and versatile :D To answer your question, in our use-case we have multiple clusters as well as multiple accounts.

zparnold commented 5 years ago

@zacharysells FWIW this fix doesn't account for allowing cross-account access.

And it's worth mentioning that because AWS IAM is region-less (meaning the service isn't bound to an AWS region) any cluster in any region that you deploy this in will allow that full group access to the cluster.

For example let's say I have IAM group A and clusters in us-west-2 and us-east-1. If I have the setup --role-mappings=A:cluster-admin for the user-mapper deployed in both clusters, all of "A"'s users will get access to both clusters with the cluster-admin role. Not sure if that might have an impact on you in your setup.
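
The group expansion that the request above asks for, and the region-less behaviour zparnold describes, as an added example that is not code from this repository or from either commenter. It takes a per-cluster mapping in the `IAMGroup:KubernetesGroup` shape of the quoted `--role-mappings` flag (the comma-separated multi-group form is an assumption), expands every IAM group to its member ARNs through the real `ListGroupUsers` paginator interface, merges users that appear in more than one group into a single mapUsers entry, and renders the result as an aws-auth ConfigMap. The IAM client, account ID, group memberships and cluster specs are constructed stand-ins so the block runs offline; a real run would pass `boto3.client("iam")` instead. Deriving the Kubernetes username from the IAM user name, and putting the mapped value under `groups`, are assumptions, not the tool's documented behaviour. Note that nothing in the code takes a region: the same mapping deployed in two clusters yields the same user list in both, which is exactly the caveat raised above.

```python
"""Compile aws-auth mapUsers from several IAM groups (added example, not the
project's code). Runs offline against a constructed IAM client."""
import json
from typing import Dict, List

# Constructed sample data: a made-up account ID and IAM group memberships.
SAMPLE_ACCOUNT_ID = "123456789012"
SAMPLE_MEMBERSHIPS = {
    "devops": ["alice", "bob", "erin"],  # global admins; 3 users -> 2 pages
    "web-devs": ["bob", "carol"],        # bob sits in two groups
    "data-devs": ["dave"],
}
# Assumed per-cluster flag values: "IAMGroup:KubernetesGroup" pairs, comma-separated.
SAMPLE_CLUSTER_MAPPINGS = {
    "us-west-2": "devops:cluster-admin,web-devs:edit",
    "us-east-1": "devops:cluster-admin,data-devs:edit",
}


class FakeIamClient:
    """Stand-in for boto3.client("iam") so the example runs without AWS access.

    Only get_paginator("list_group_users") is supported; pages are shaped like
    the real ListGroupUsers response and hold two users each to exercise
    pagination. A real client raises NoSuchEntity for an unknown group; this
    fake returns no users.
    """

    def __init__(self, memberships: Dict[str, List[str]], account_id: str):
        self._memberships = memberships
        self._account_id = account_id

    def get_paginator(self, operation_name: str):
        if operation_name != "list_group_users":
            raise ValueError(f"unsupported paginator {operation_name!r}")
        return self  # this object also plays the paginator role

    def paginate(self, GroupName: str):
        users = self._memberships.get(GroupName, [])
        for start in range(0, len(users), 2):
            yield {"Users": [
                {"UserName": u, "Arn": f"arn:aws:iam::{self._account_id}:user/{u}"}
                for u in users[start:start + 2]
            ]}


def parse_role_mappings(spec: str) -> Dict[str, str]:
    """Parse 'devops:cluster-admin,web-devs:edit' into {iam_group: k8s_group}."""
    mappings: Dict[str, str] = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        iam_group, sep, k8s_group = item.partition(":")
        if not sep or not iam_group.strip() or not k8s_group.strip():
            raise ValueError(f"bad mapping {item!r}; want IAMGroup:KubernetesGroup")
        mappings[iam_group.strip()] = k8s_group.strip()
    return mappings


def list_group_user_arns(iam_client, group_name: str) -> List[str]:
    """Return every member ARN of an IAM group, following pagination."""
    arns: List[str] = []
    paginator = iam_client.get_paginator("list_group_users")
    for page in paginator.paginate(GroupName=group_name):
        arns.extend(user["Arn"] for user in page["Users"])
    return arns


def build_map_users(iam_client, role_mappings: Dict[str, str]) -> List[dict]:
    """Expand each IAM group and merge per-user entries.

    A user in several mapped groups gets one entry whose groups list is the
    union, in mapping order. Username derivation from the ARN is an assumption.
    """
    entries: Dict[str, dict] = {}
    for iam_group, k8s_group in role_mappings.items():
        for arn in list_group_user_arns(iam_client, iam_group):
            entry = entries.setdefault(arn, {
                "userarn": arn,
                "username": arn.rsplit("/", 1)[-1],
                "groups": [],
            })
            if k8s_group not in entry["groups"]:
                entry["groups"].append(k8s_group)
    return sorted(entries.values(), key=lambda e: e["userarn"])


def render_aws_auth(map_users: List[dict]) -> dict:
    """Build the kube-system/aws-auth ConfigMap body. mapUsers must be a YAML
    string; JSON is valid YAML, so json.dumps avoids a yaml dependency."""
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": "aws-auth", "namespace": "kube-system"},
        "data": {"mapUsers": json.dumps(map_users, indent=2)},
    }


def build_for_clusters(iam_client, cluster_mappings: Dict[str, str]) -> Dict[str, List[dict]]:
    """One mapUsers list per cluster; no region enters the computation."""
    return {cluster: build_map_users(iam_client, parse_role_mappings(spec))
            for cluster, spec in cluster_mappings.items()}


if __name__ == "__main__":
    client = FakeIamClient(SAMPLE_MEMBERSHIPS, SAMPLE_ACCOUNT_ID)
    for cluster, users in build_for_clusters(client, SAMPLE_CLUSTER_MAPPINGS).items():
        print(cluster, [(u["username"], u["groups"]) for u in users])
```

Two practical points when turning this into a real writer: the credentials behind the IAM client decide which account's groups get enumerated, so a single deployment cannot cover users from a second account without assuming a role there, which is the cross-account gap mentioned above; and the existing aws-auth ConfigMap also carries mapRoles (including the node instance role), so a tool must merge into the live object rather than replace it, or nodes lose their ability to join. The `cluster-admin` value only grants anything if a ClusterRoleBinding binds that Kubernetes group; that binding is outside this example.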

austbot commented 5 years ago

@zparnold great work!

ldoming commented 4 years ago

@zparnold Thanks, mate.

colepacak commented 3 years ago

This feature would be super helpful. Any idea of when it will be merged?

zparnold commented 3 years ago

I unfortunately no longer work for this company so you’ll need to find someone who does or fork it yourself :( sorry!

Take care, Zach

On Dec 17, 2020, at 10:12 AM, Cole Pacak notifications@github.com wrote:

 This feature would be super helpful. Any idea of when it will be merged?
