Rework nodegroup IAM fields for v1alpha4 #468
Conversation
This is mostly ready but I need to make sure we can get the instance role ARN back once we are given the profile ARN, or we might just require both to be set. The role ARN is required for the nodegroup auth config map (unless there is a way to pass the profile ARN instead of the role ARN - should check docs).
c74dfb6 to f3cd290
@christopherhein do you happen to know if authenticator requires strictly instance role ARNs, or it could work with instance profile ARNs?
IIRC it will require the role ARN cause Instance Profile ARNs don't have support for assume role or for the Could use this request to get the proper role - https://docs.aws.amazon.com/cli/latest/reference/iam/get-instance-profile.html
Thanks, Chris! Sounds like we can make that call, but if user sets profile and role ARNs, they can save themselves from that call if they absolutely must :)
00a2576 to 5f49a01
5f49a01 to 0db62f4
@knorby if you'd like to take a look, this is functionally complete, just needs some tests; I'm gonna add the docs in a separate PR, as there are quite a few API changes coming with v1alpha4.
0db62f4 to 974d065
- add instance profile ARN field
- use profile and role ARNs when both are set, or fetch instance role based on profile, otherwise create profile or create both
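The four cases in that commit message (both ARNs given, profile only, role only, neither), with the profile-only path doing the GetInstanceProfile lookup that Chris pointed to, as an added example in Go. This is not eksctl's own code: the field names on NodeGroupIAM, the InstanceProfileGetter interface and the fakeIAM client are assumptions made so the example runs offline; a real implementation would wrap the AWS SDK's GetInstanceProfile behind that interface. GetInstanceProfile takes a profile name rather than an ARN, so the name is parsed out of the ARN first, and a profile with zero roles is treated as an error because there is then no role ARN to put in the aws-auth config map.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// NodeGroupIAM holds the two nodegroup IAM fields discussed in the PR.
// Field names are assumed for this example, not taken from the project.
type NodeGroupIAM struct {
	InstanceProfileARN string
	InstanceRoleARN    string
}

// Resolution is what the caller needs before building the stack: which role
// ARN goes into the aws-auth ConfigMap, and what still has to be created.
type Resolution struct {
	RoleARN       string // empty only when the role is yet to be created
	CreateProfile bool
	CreateRole    bool
}

// InstanceProfileGetter is the single IAM call the lookup path needs
// (GetInstanceProfile). The fakeIAM type below stands in for the AWS SDK.
type InstanceProfileGetter interface {
	GetInstanceProfileRoleARNs(profileName string) ([]string, error)
}

// InstanceProfileNameFromARN extracts <name> from
// arn:aws:iam::<account>:instance-profile/<optional path>/<name>,
// since GetInstanceProfile is keyed by name, not ARN.
func InstanceProfileNameFromARN(arn string) (string, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" {
		return "", fmt.Errorf("not an IAM ARN: %q", arn)
	}
	resource := parts[5]
	if !strings.HasPrefix(resource, "instance-profile/") {
		return "", fmt.Errorf("not an instance profile ARN: %q", arn)
	}
	segments := strings.Split(resource, "/")
	name := segments[len(segments)-1]
	if name == "" {
		return "", fmt.Errorf("instance profile ARN has no name: %q", arn)
	}
	return name, nil
}

// ResolveNodeGroupIAM implements the cases from the commit message:
// both set     -> use as given, no IAM call (works for users without IAM access);
// profile only -> fetch the role ARN via GetInstanceProfile;
// role only    -> create a profile around the given role;
// neither      -> create both.
func ResolveNodeGroupIAM(iam InstanceProfileGetter, cfg NodeGroupIAM) (Resolution, error) {
	switch {
	case cfg.InstanceProfileARN != "" && cfg.InstanceRoleARN != "":
		return Resolution{RoleARN: cfg.InstanceRoleARN}, nil
	case cfg.InstanceProfileARN != "":
		name, err := InstanceProfileNameFromARN(cfg.InstanceProfileARN)
		if err != nil {
			return Resolution{}, err
		}
		roles, err := iam.GetInstanceProfileRoleARNs(name)
		if err != nil {
			return Resolution{}, fmt.Errorf("GetInstanceProfile %s: %w", name, err)
		}
		// An instance profile holds at most one role, but may hold none.
		if len(roles) != 1 {
			return Resolution{}, fmt.Errorf("instance profile %s has %d roles, expected exactly 1", name, len(roles))
		}
		return Resolution{RoleARN: roles[0]}, nil
	case cfg.InstanceRoleARN != "":
		return Resolution{RoleARN: cfg.InstanceRoleARN, CreateProfile: true}, nil
	default:
		return Resolution{CreateProfile: true, CreateRole: true}, nil
	}
}

// fakeIAM maps profile name -> role ARNs; constructed data for this example.
type fakeIAM map[string][]string

var errNoSuchEntity = errors.New("NoSuchEntity")

func (f fakeIAM) GetInstanceProfileRoleARNs(name string) ([]string, error) {
	roles, ok := f[name]
	if !ok {
		return nil, errNoSuchEntity
	}
	return roles, nil
}

func main() {
	iam := fakeIAM{"eks-nodes": {"arn:aws:iam::123456789012:role/eks-nodes-role"}}
	r, err := ResolveNodeGroupIAM(iam, NodeGroupIAM{
		InstanceProfileARN: "arn:aws:iam::123456789012:instance-profile/eks-nodes",
	})
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The both-set branch deliberately makes no IAM call, which is the case raised later in the thread for users who are handed ARNs by another team and cannot call IAM themselves.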
974d065 to 8a44ed0
LGTM @errordeveloper 👍
I can't seem to see why that test is failing…
@errordeveloper Thanks for getting this out so quick! So, I ran a couple tests, and I was able to get working results when I set both the role and instance profile ARN (I haven't tested with just the profile, which looks like would have its own distinct behavior). With the role only, I get this error:
I assume the bad characters are coming from the full ARN string. I ended up just using the autogenerated Instance Profile, which is what I assume a lot of people would do. Speaking personally, I don't really know all the nuances of roles over profiles and I can't imagine doing anything else, so I'd vote for just pulling the profile from the role.
@knorby thanks for testing and sharing your thoughts!
Yes, if you set just the profile, you can save yourself from taking care of an additional identifier. But some users might want to set both, as they don't have access to IAM APIs and are given identifiers of IAM resources that are managed by others in their org.
Seems like. We don't validate ARNs just yet, as you get an error from CloudFormation fairly quickly. Also, we do need to make parameter validation more high-level than it currently is.
Yes, that's really the safest choice, and it means you don't have to worry about what the role is, and you can enable autoscaler, ECR access and Route53 very easily. May I ask what was the motivation to set a custom role in the first place?
As I mentioned above, some users cannot make any IAM calls, so we need to provide a way for them to pass both ARNs...
@christopherhein it was a flaky one; I opened #481.
Sorry, I may not have been clear. I meant the instance profile associated with the existing role, whatever AWS just gives you. I'm using kube2iam with purpose-specific roles for each of the policies you mentioned, for a variety of reasons. Trust relationships were the snag I was hitting.
Description
Fixes #464.
Checklist
- make build
- make test