Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EKS [request]: Allow better automation of creation of access entries for SSO users #2336

Closed
smarshie opened this issue Apr 23, 2024 · 1 comment
Closed

EKS [request]: Allow better automation of creation of access entries for SSO users #2336

smarshie opened this issue Apr 23, 2024 · 1 comment
Labels
Duplicate / Merged Duplicate issue EKS Amazon Elastic Kubernetes Service

Comments

@smarshie
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
I'd like the access entry creation mechanism for EKS clusters to allow automation of entries for SSO-federated users where the applied permission set name is known but the resultant role in the account has an unpredictable ARN.

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
The recent change to EKS to allow access entries via the console/API seems to be flawed in the sense that there is no clear mechanism to grant access to users who are authenticated with SSO via IAM Identity Center. In particular it seems that automation of access entry-creation has not been properly considered in the solution. Roles that are created when permission sets are applied to accounts are not predictably named, so it is not obvious what principal to grant access to when automating with tools such as Cloud Formation and Terraform. ARNs of SSO roles have to be looked up manually and added manually via the console or API.

When allowing such users to assume roles in general, one has to use trust policies with an ArnLike condition and a wildcard entry to account for the unpredictable naming of roles, but principal ARNs for access entries have to be single ARNs with no wildcards. The chosen approach seems intensely limiting and poorly thought-through.

Are you currently working around this issue?
Create additional roles which users who have already assumed federated roles need to assume in order to gain visibility to cluster resources via the console. This also means including inline policies added to permission sets allowing these users to assume roles in the first place.
@smarshie smarshie added the Proposed Community submitted issue label Apr 23, 2024
@mikestef9
Copy link
Contributor

Hi @smarshie see the end of my comment on the original access entry issue #185 (comment)

I'm going to close this as a duplicate given #474 is tracking the improvements for AWS Identity Center. I also renamed that issue to make it more clear.

@mikestef9 mikestef9 added EKS Amazon Elastic Kubernetes Service Duplicate / Merged Duplicate issue and removed Proposed Community submitted issue labels Apr 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Duplicate / Merged Duplicate issue EKS Amazon Elastic Kubernetes Service
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mikestef9 @smarshie