Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
I need the ability to assign different SSO users, which have the same assumed role in a specific AWS account, to different EKS clusters (via Kubernetes RBAC).
Which service(s) is this request for?
EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
What outcome are you trying to achieve, ultimately, and why is it hard/impossible to do right now? What is the impact of not having this problem solved? The more details you can provide, the better we'll be able to understand and solve the problem.
I need the ability to configure more granular access to EKS cluster resources for SSO users. Right now, to restrict access in an EKS cluster, we need to create many assumed roles, one for each user or group of users. As stated in a post on this blog, we can take an assumed-role ARN, for example arn:aws:sts::111222333444:assumed-role/AWSReservedSSO_EKSClusterAdminAccess_4ffa4321e413c0b0/eksadmin, and modify it into an IAM role ARN, like this: arn:aws:iam::111222333444:role/AWSReservedSSO_EKSClusterAdminAccess_4ffa4321e413c0b0
For example: SSO users user1 and user2 both have the assumed role EKSClusterAdminAccess in the AWS account with id 111222333444, and we need to give user1 access to EKS cluster EKS1 and user2 access to EKS cluster EKS2. We must specify the same rolearn string in the mapRoles section of the aws-auth ConfigMap in both EKS clusters. In this situation user1 will have access to clusters EKS1 and EKS2, and user2 will have access to the same clusters too. An alternative solution could be to assign different assumed roles to different users or groups of users in one AWS account, but it would be great to have another approach.
Are you currently working around this issue?
Our team has now decided to use the alternative option, with one assumed role per group of users.
Additional context
Attachments
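The matching behaviour the request describes, as an added example that is not part of the original issue or of any AWS tooling: a small Python model of how an STS assumed-role session is rewritten to an IAM role ARN and then matched against the mapRoles section of aws-auth. The account id, role name and cluster names are the ones quoted in the issue; the ConfigMap entries, usernames and function names are constructed for illustration.

```python
"""Added example (not from the issue or from AWS): models how an STS
assumed-role session is matched against aws-auth mapRoles entries.
Account id, role name and cluster names are the values quoted in the
issue; the ConfigMap entries and helper names are constructed here."""
import re
from typing import Optional

# STS assumed-role ARN layout: arn:aws:sts::<account>:assumed-role/<role>/<session>
_ASSUMED_ROLE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[^/]+)/(?P<session>[^/]+)$"
)


def iam_role_arn_from_assumed_role(assumed_role_arn: str) -> str:
    """Rewrite an STS assumed-role ARN into the IAM role ARN that aws-auth
    mapRoles expects. The session name (the SSO user, e.g. 'eksadmin' or
    'user1') is discarded, which is why mapRoles cannot tell users apart."""
    match = _ASSUMED_ROLE.match(assumed_role_arn)
    if match is None:
        raise ValueError(f"not an STS assumed-role ARN: {assumed_role_arn}")
    return f"arn:aws:iam::{match['account']}:role/{match['role']}"


# Constructed mapRoles sections for the two clusters from the issue. Both
# clusters must carry the same rolearn, because the role ARN is all that
# survives the rewrite above.
ROLE_ARN = ("arn:aws:iam::111222333444:role/"
            "AWSReservedSSO_EKSClusterAdminAccess_4ffa4321e413c0b0")
AWS_AUTH_MAP_ROLES = {
    "EKS1": [{"rolearn": ROLE_ARN, "username": "eks-admin", "groups": ["system:masters"]}],
    "EKS2": [{"rolearn": ROLE_ARN, "username": "eks-admin", "groups": ["system:masters"]}],
}


def resolve_groups(cluster: str, assumed_role_arn: str) -> Optional[list]:
    """Kubernetes groups a caller receives on `cluster`, or None if the
    caller's role is not mapped there. Matching is by IAM role ARN only."""
    role_arn = iam_role_arn_from_assumed_role(assumed_role_arn)
    for entry in AWS_AUTH_MAP_ROLES.get(cluster, []):
        if entry["rolearn"] == role_arn:
            return list(entry["groups"])
    return None


def clusters_reachable(assumed_role_arn: str) -> list:
    """Defender's check: every cluster whose aws-auth grants this session's
    role, regardless of which SSO user is behind the session."""
    return sorted(
        cluster for cluster in AWS_AUTH_MAP_ROLES
        if resolve_groups(cluster, assumed_role_arn) is not None
    )


if __name__ == "__main__":
    prefix = ("arn:aws:sts::111222333444:assumed-role/"
              "AWSReservedSSO_EKSClusterAdminAccess_4ffa4321e413c0b0/")
    for user in ("user1", "user2"):
        # Both users reach both clusters: the session name never takes part in matching.
        print(user, "->", clusters_reachable(prefix + user))
```

Running the block shows user1 and user2 each resolving to EKS1 and EKS2 with the same groups, which is the situation the issue describes: once the session name is stripped, the ConfigMap has nothing left to distinguish the two users, so the only lever today is a separate IAM role per audience.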
mikestef9 changed the title from "[service] [request]: Ability to assign access to different EKS clusters, in one AWS account, for different SSO users with same assumed role" to "[EKS] [request]: Ability to assign access to different EKS clusters, in one AWS account, for different SSO users with same assumed role" on Sep 16, 2022
I was directed to this thread by AWS support after asking a similar question.
This would also be useful for assigning different access within a single cluster based on the user ID portion of the assumed-role ARN. Right now we can use only the role ARN in the aws-auth ConfigMap. So if I have a role with ARN arn:aws:iam::111222333444:role/AWSReservedSSO_eks_developers_4ffa4321e413c0b0 that can be assumed by either user1 or user2, I can't assign different k8s permissions based on the assumed-role ARN, like: arn:aws:sts::111222333444:assumed-role/AWSReservedSSO_eks_developers_4ffa4321e413c0b0/user1
What this seems to mean practically is that I'll need multiple SSO roles to provide granular access to different users at whatever level we choose to segment it, e.g. namespace.