
Map IAM users to kubernetes groups #1112

Closed
2 of 4 tasks
daroga0002 opened this issue Nov 20, 2020 · 9 comments

Comments

@daroga0002
Contributor

I have issues

I'm submitting a...

  • bug report
  • feature request
  • support request - read the FAQ first!
  • kudos, thank you, warm fuzzy

What is the current behavior?

Currently we map just particular AWS users to the aws_auth configmap, which is not the best, as in many organizations we would rather manage permissions via groups mapped to roles.

Currently I am defining AWS groups on input, which are translated to users, and then creating users in aws-auth.

On input I require a list of groups whose users I want to add to EKS, then map user > kubernetes group (group creation is out of scope of this code). As we need some admin group, if this is missing in the input I am assuming that the first group from the group list will additionally be in the system:masters group (to avoid a situation where nobody has this group assigned).

```yaml
........
    - "groups":
      - "platform-group"
      - "system:masters"
      "userarn": "arn:aws:iam::*******:user/daniel.black@example.com"
      "username": "daniel.black@example.com"
........
```

If this is a bug, how to reproduce? Please include a code sample if relevant.

N/A

What's the expected behavior?

Are you able to fix this problem and submit a PR? Link here if you have already.

Yes, but I want to discuss approach.

I have currently some dirty code:
https://github.com/daroga0002/terraform-aws-eks/blob/a6ef95fb2674f2c58e804b536fddc195a648c834/examples/iam_user_groups/main.tf#L162-L185

but probably it will fit better as a submodule (of course it requires some code cleanup, simplification, etc.)

But do you think submodule can be good path?

@barryib

Environment details

  • Affected module version: n/a
  • OS: n/a
  • Terraform version: n/a

Any other relevant info

I think this is a highly desired feature

@stale

stale bot commented Feb 18, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Feb 18, 2021
@daroga0002
Contributor Author

ping

@stale stale bot removed the stale label Feb 22, 2021
@stale

stale bot commented May 23, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label May 23, 2021
@damdo

damdo commented May 23, 2021

@barryib Am I correct in thinking that to achieve this we would need support for it on EKS first, and just later on the module?

@stale stale bot removed the stale label May 23, 2021
@barryib
Member

barryib commented May 23, 2021

@daroga0002 @damdo Sorry, but I don't understand very well what you want to do. Do you want to map IAM roles to Kubernetes groups?

I don't have access to your code snippet.

@daroga0002
Contributor Author

daroga0002 commented May 24, 2021

Currently there is no such feature on EKS to map an AWS IAM group into an EKS group, as the aws-auth config map looks like this:

```yaml
apiVersion: v1
data:
  mapRoles: |
    - rolearn: <arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-standard-wo-NodeInstanceRole-1WP3NUE3O6UCF>
      username: <system:node:{{EC2PrivateDNSName}}>
      groups:
        - <system:bootstrappers>
        - <system:nodes>
  mapUsers: |
    - userarn: <arn:aws:iam::111122223333:user/admin>
      username: <admin>
      groups:
        - <system:masters>
    - userarn: <arn:aws:iam::111122223333:user/ops-user>
      username: <ops-user>
      groups:
        - <system:masters>
```

So in mapUsers we must map an AWS IAM user to a username and group on EKS.

Currently I am doing this on my environment:

```hcl
locals {
  # Create map with username as key and values fetched from data.aws_iam_group data source
  users = {
    for k, v in distinct(flatten(data.aws_iam_group.eks_aws_groups[*].users)) : v.user_name => v
  }
  # Create map with key username and values containing all groups which user belongs to
  group_membership = transpose({
    for index, b in var.eks_aws_groups : b => data.aws_iam_group.eks_aws_groups[index].users[*].user_name
  })
  # Create map similar to https://github.com/terraform-aws-modules/terraform-aws-eks/blob/81ded922c811ca4b1f1ca299d083b367698e7c69/examples/basic/variables.tf#L40-L51
  eks_users_mapping = values({
    for k, v in local.group_membership : k => {
      userarn  = lookup(local.users, k, "empty").arn
      username = k
      # Members of the root group (or of the first group when none is given) also get system:masters
      groups   = contains(v, (contains(var.eks_aws_groups, var.eks_aws_root_group) ? var.eks_aws_root_group : var.eks_aws_groups[0])) ? concat(v, ["system:masters"]) : v
    }
  })
}
```

where the local variable is passed to the module:

```hcl
module "eks_cluster" {
  create_eks      = var.eks_create
  source          = "terraform-aws-modules/eks/aws"
  version         = "13.2.1"
  cluster_name    = "eks-${var.environment}"
  subnets         = module.vpc.private_subnets
  vpc_id          = module.vpc.vpc_id
  manage_aws_auth = true
  enable_irsa     = true
.................................
  map_users       = local.eks_users_mapping
}
```

@barryib
Member

barryib commented May 24, 2021

@daroga0002 Thanks for your explanation. I understood. I never used IAM users/groups for human access management (I use Active Directory or Okta to manage them), that's why it took me some time to understand.

BTW, I think the real solution should come from AWS itself (as @damdo mentioned it). There are already issues tracking this feature. Please see:

In the meantime, you have 2 options:

  1. Use IAM users as you described or
  2. Use IAM Roles: Allow your IAM groups to assume IAM roles, then map those IAM roles in aws-auth. With this, you don't need to re-apply this module any time someone joins or leaves your team/company. I think this is the best way to solve your problem right now.

As for introducing IAM users mapping from IAM groups in this module, I think it's beyond the scope of this module because we don't want to give an opinionated way of how to manage users. I fear that it'll become a source of problems later, as it won't suit everyone. We can probably add this in a FAQ, to let people know how to handle this on their own if they really need it.
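Option 2 above, written out as an added example (not code from the issue or from the terraform-aws-eks module): the IAM groups from `var.eks_aws_groups` in daroga0002's snippet are allowed to assume one IAM role, and only that role is mapped through the module's `map_roles` input, so the aws-auth configmap no longer changes when group membership does. It assumes `var.environment` and `module.vpc` from the issue's module block, and the role and group names are hypothetical.

```hcl
# Added example, not code from the issue or the module: option 2 above.
# Assumes var.eks_aws_groups, var.environment and module.vpc from the issue.
data "aws_caller_identity" "current" {}

# Trust policy: this account may request the role; the group policy below decides who actually can.
data "aws_iam_policy_document" "eks_ops_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
}

resource "aws_iam_role" "eks_ops" {
  name               = "eks-ops" # hypothetical role name
  assume_role_policy = data.aws_iam_policy_document.eks_ops_trust.json
}

data "aws_iam_policy_document" "assume_eks_ops" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.eks_ops.arn]
  }
}

# Every group listed in var.eks_aws_groups may assume the role.
resource "aws_iam_group_policy" "assume_eks_ops" {
  for_each = toset(var.eks_aws_groups)
  name     = "assume-eks-ops"
  group    = each.value
  policy   = data.aws_iam_policy_document.assume_eks_ops.json
}

module "eks_cluster" {
  source          = "terraform-aws-modules/eks/aws"
  version         = "13.2.1"
  cluster_name    = "eks-${var.environment}"
  subnets         = module.vpc.private_subnets
  vpc_id          = module.vpc.vpc_id
  manage_aws_auth = true
  # One mapRoles entry replaces one mapUsers entry per person; "platform-group"
  # is bound via ordinary RBAC, not system:masters, and {{SessionName}} keeps
  # the assuming user's name in the Kubernetes audit log.
  map_roles = [{
    rolearn  = aws_iam_role.eks_ops.arn
    username = "eks-ops:{{SessionName}}"
    groups   = ["platform-group"]
  }]
}
```

A ClusterRoleBinding (or RoleBinding) for the `platform-group` group still has to exist on the cluster; the aws-auth entry only assigns the group, it does not create it.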

@daroga0002
Contributor Author

sure, thanks for input.

Closing issue

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 21, 2022