Map IAM users to kubernetes groups #1112
Comments
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
ping
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
@barryib Am I correct in thinking that to achieve this we would need support for it on EKS first, and just later on the module?
@daroga0002 @damdo Sorry, but I don't understand very well what you want to do. Do you want to map IAM roles to Kubernetes groups? I don't have access to your code snippet.
Currently there is no such feature on EKS to map AWS IAM group into EKS group, as aws-auth config map looks like here:
So we in Currently I am doing this on my environment:
where local variable is passed to module:
@daroga0002 Thanks for your explanation. I understood. I never used IAM users/groups for human access management (I use Active Directory or Okta to manage them), that’s why it took me some time to understand. BTW, I think the real solution should come from AWS itself (as @damdo mentioned it). There are already issues tracking this feature. Please see:
In the meantime, you have 2 options:
As for introducing IAM users mapping from IAM groups in this module, I think it's beyond the scope of this module because we don't want to give an opinionated way of managing users. I fear that it'll become a source of problems later, as it won't suit everyone. We can probably add this in a FAQ, to let them know how to handle this on their own if they really need it.
Sure, thanks for the input. Closing issue
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
I have issues
I'm submitting a...
What is the current behavior?
Currently we map just particular AWS users to the aws_auth configmap, which is not the best, as in many organizations we would rather manage permissions via groups mapped to roles.
Currently I am defining on input AWS groups which are translated to users, and then creating users in aws-auth.
On input I require a list of groups whose users I want to add to EKS, then map user > kubernetes group (group creation is out of scope of this code). As we need some admin group, if this is missing in the input I am assuming that the first group from the group list will additionally be in the system:masters group (to avoid a situation where nobody has this group assigned).
If this is a bug, how to reproduce? Please include a code sample if relevant.
N/A
What's the expected behavior?
Are you able to fix this problem and submit a PR? Link here if you have already.
Yes, but I want to discuss approach.
I have currently some dirty code:
https://github.com/daroga0002/terraform-aws-eks/blob/a6ef95fb2674f2c58e804b536fddc195a648c834/examples/iam_user_groups/main.tf#L162-L185
but it will probably fit better as a submodule (of course it requires some code cleanup, simplification, etc.)
But do you think submodule can be good path?
@barryib
Environment details
Any other relevant info
I think this is a highly desired feature
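The group-to-user expansion described in this issue, modelled in Python as an added example; it is not the issue author's Terraform or the module's code. The account ID, user names, IAM group names and the Kubernetes groups dev-edit and view-only are constructed, and the function names are hypothetical. It shows who ends up in system:masters when the first-group fallback applies.

```python
ADMIN_GROUP = "system:masters"  # Kubernetes group bound to cluster-admin

def build_map_users(iam_groups, k8s_groups_for):
    """Expand IAM groups into aws-auth mapUsers entries.

    iam_groups: ordered list of (iam_group, [(user_name, user_arn), ...])
    k8s_groups_for: dict of iam_group -> list of Kubernetes group names
    Returns (entries, fallback_used).
    """
    if not iam_groups:
        raise ValueError("at least one IAM group is required")
    grants = {name: list(k8s_groups_for.get(name, [])) for name, _ in iam_groups}
    # Fallback described in the issue: when no input group is mapped to
    # system:masters, the first group in the list receives it as well.
    fallback_used = not any(ADMIN_GROUP in g for g in grants.values())
    if fallback_used:
        grants[iam_groups[0][0]].append(ADMIN_GROUP)
    entries = {}  # keyed by ARN so a user in several groups gets one entry
    for name, members in iam_groups:
        for user_name, arn in members:
            entry = entries.setdefault(
                arn, {"userarn": arn, "username": user_name, "groups": []})
            for group in grants[name]:
                if group not in entry["groups"]:
                    entry["groups"].append(group)
    return list(entries.values()), fallback_used

def cluster_admins(map_users):
    """Usernames that end up with cluster-admin; review before applying."""
    return sorted(e["username"] for e in map_users if ADMIN_GROUP in e["groups"])

# Constructed sample data (account ID, users and group names are made up).
ARN = "arn:aws:iam::111122223333:user/{}".format
SAMPLE_GROUPS = [
    ("developers", [("alice", ARN("alice")), ("bob", ARN("bob"))]),
    ("auditors", [("bob", ARN("bob")), ("carol", ARN("carol"))]),
]
SAMPLE_GRANTS = {"developers": ["dev-edit"], "auditors": ["view-only"]}

if __name__ == "__main__":
    users, fallback = build_map_users(SAMPLE_GROUPS, SAMPLE_GRANTS)
    for u in users:
        print(u)
    print("fallback used:", fallback, "admins:", cluster_admins(users))
```

With the sample input the fallback makes every member of the first group a cluster admin, and if that first group has no members the result contains no admin at all.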