aws eks update-kubeconfig does not support external_id #4053

Open
benderillo opened this issue Apr 5, 2019 · 11 comments
Labels
eks-kubeconfig feature-request A feature should be added or improved. p2 This is a standard priority issue

Comments

@benderillo

There is no way at the moment to specify external_id when calling aws eks update-kubeconfig.

It supports specifying role-arn for the case when the cluster was created with assumed role.
However, if the role has an extra condition like: StringEquals | sts:ExternalId | test_account there is no way to supply aws eks update-kubeconfig this info.

It seems that the problem is even wider, I do not see support for external_id in aws-iam-authenticator token either.

Basically, here is the use case:
We use terraform with assumed role (that has external_id condition set) to bring up EKS cluster and worker nodes.

In order to finish the setup, we need to do kubectl apply of the ConfigMap with AWS Auth to let nodes join the cluster.
In order to do so, we first need to prepare .kubeconfig that will use the same role, that terraform assumed to create the cluster.

Unfortunately, there is no way to specify external_id there and attempts to execute kubectl apply fail with

could not get token: AccessDenied: Access denied
	status code: 403, request id: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx

To sum up, this issue is a feature request to add ability to specify external_id when providing role-arn to aws eks update-kubeconfig.

I am not sure how to go about highlighting the same problem to aws-iam-authenticator though.
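
Added example, not part of the original post or of either project: a shell function that prints a kubeconfig `users` entry calling aws-iam-authenticator directly with the role ARN and external ID, validating each value before it is embedded. The `--external-id` flag spelling is an assumption based on the authenticator support referenced later in this thread; the cluster name, account ID and role name are constructed.

```shell
#!/bin/sh
# Added example, not from the issue thread. Prints a kubeconfig "users" entry
# that calls aws-iam-authenticator with a role ARN and an external ID.
# Assumption: the token subcommand accepts --external-id (the support the
# thread attributes to kubernetes-sigs/aws-iam-authenticator#228).

render_user_entry() {
  cluster=$1 role_arn=$2 external_id=$3

  # Allow only a conservative character set so that no argument can break out
  # of its quoted YAML scalar (quotes, newlines, backslashes are rejected).
  case $cluster in
    ''|*[!A-Za-z0-9_-]*) echo "invalid cluster name" >&2; return 2 ;;
  esac
  case $role_arn in
    ''|*[!A-Za-z0-9+=,.@_:/-]*) echo "invalid role ARN" >&2; return 2 ;;
  esac
  # Shape: arn:<partition>:iam::<12-digit account>:role/<path and name>
  printf '%s\n' "$role_arn" |
    grep -Eq '^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$' ||
    { echo "invalid role ARN" >&2; return 2; }
  # STS accepts an ExternalId of 2 to 1224 characters from this set.
  case $external_id in
    *[!A-Za-z0-9_+=,.@:/-]*) echo "invalid external ID" >&2; return 2 ;;
  esac
  if [ "${#external_id}" -lt 2 ] || [ "${#external_id}" -gt 1224 ]; then
    echo "invalid external ID" >&2; return 2
  fi

  cat <<EOF
- name: ${cluster}-assumed-role
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws-iam-authenticator
      args:
        - "token"
        - "-i"
        - "${cluster}"
        - "-r"
        - "${role_arn}"
        - "--external-id"
        - "${external_id}"
EOF
}

# Constructed sample values; the external ID is the one quoted in the issue.
render_user_entry demo-cluster arn:aws:iam::123456789012:role/eks-admin test_account
```

The printed entry goes under `users:` in the kubeconfig, with the context's `user` field set to the same name.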

@justnance justnance self-assigned this Apr 22, 2019
@justnance justnance added dependencies This issue is a problem in a dependency. feature-request A feature should be added or improved. labels Apr 22, 2019
@justnance

justnance commented Apr 22, 2019

@benderillo - Thank you for your post. For the CLI to support external_id in aws eks update-kubeconfig, this feature would have to be implemented in both the aws-iam-authenticator token and aws-iam-authenticator server before it can be implemented in the CLI.

As to highlighting the same problem to aws-iam-authenticator, you can reach out to the GitHub repository for the authenticator.

Marked this issue as a feature request with a dependency but closing it because the authenticator does not support it at this time.

@benderillo
Author

@justnance What do I do to re-open the issue? It seems the authenticator has added support for external_id here: kubernetes-sigs/aws-iam-authenticator#228
It is in merged state at the moment.

@benderillo
Author

I am glad to see this re-open. Hopefully, we can get this implemented in some not so distant future, the future where the world will have become a bit better place because external-id is finally supported :)

@github-actions

Greetings! It looks like this issue hasn’t been active in longer than one year. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Sep 25, 2021
@VishalAgarW

Is this issue actually fixed? I still don't see an option to pass external id.

@kahirokunn

I need this feature.

@benderillo
Author

@justnance and @kdaily Is there a way to reopen this ticket if external id is still not supported?
Since authenticator supports this flag, perhaps nothing now precludes supporting it in aws eks?

To make it very clear, this request is to add a new optional parameter to aws eks update-kubeconfig like --external-id/-e that allows passing an external id.
Since the authenticator now supports a similar flag, I don't see why it can't be added to the CLI.

/open
/reopen

@kahirokunn

I am of the same opinion.

@tim-finnigan
Contributor

tim-finnigan commented Apr 5, 2023

Reopening issue for further review

@kahirokunn

I took the initiative to create a PR because I want to solve your problems.
#7879

@kahirokunn

+1
