Feature request: Role option with eksctl utils write-kubeconfig

[knorby]

Why do you want this feature?
aws-iam-authenticatorhas a role option on the token command that's used for authentication in the kubeconfigs produced, and it would be useful if eksctl utils write-kubeconfig would allow for a role to be used in the produced config. aws-iam-authenticator assumes the given role before grabbing a token, which has the benefit of eschewing individual user assignments in the aws-auth configmap (see #625). This would make the write-kubeconfig subcommand more useful and allow eksctl to support this approach to authentication.

What feature/behavior/change do you want?
A new option flag added to eksctl utils write-kubeconfig of a role arn to use for authentication, e.g. -R --role-arn <ROLE_ARN>. If included, the aws-iam-authenticator token calls in kubeconfigs should add -r <ROLE_ARN>.

[errordeveloper]

I think it'd be good to add this, for sure, thanks for posting the issue!
I don't know if you might have already discovered a work-around, I can think of two:

• use a credentials profile
• edit the output kubeconfig file

[knorby]

I was able to work around it, but yeah, just seemed like a nice feature. I use eksctl to setup kubeconfig as needed on developer machines, through another script, so I was thinking of using a role as kind of an IAM group management strategy; profiles would definitely work for that too, but that wasn't how I was approaching it.
The change looks pretty straightforward. If I get a chance soon, I'll try to take care of it myself.

[nikolai-derzhak-distillery]

Just for collection(feel like on stackoverflow). One more workaround:

aws --region $AWS_REGION eks update-kubeconfig --name  $CLUSTER_NAME --role-arn $AWS_ROLE 

"If I get a chance soon" If I get $1 every time I hear it , including from myself :)