
eksctl get iamidentitymapping does not obey assume role in kube config #916

Closed
nikolai-derzhak-distillery opened this issue Jun 20, 2019 · 11 comments

Comments

@nikolai-derzhak-distillery

nikolai-derzhak-distillery commented Jun 20, 2019

I noticed that eksctl get iamidentitymapping does not work with assume-role in kube config (generated by aws --region $AWS_REGION eks update-kubeconfig --name $CLUSTER_NAME --role-arn $AWS_ROLE ) :

$ eksctl get iamidentitymapping --name=$CLUSTER_NAME
[✖]  getting auth ConfigMap: Unauthorized

while eksctl get nodegroup --cluster $CLUSTER_NAME works fine.

Also I can just edit aws-auth yaml like this:

kubectl edit -n kube-system configmap/aws-auth

Guess related to this feature request : #749

eksctl version
[ℹ] version.Info{BuiltAt:"", GitCommit:"", GitTag:"0.1.37"}

@cPu1
Contributor

cPu1 commented Jul 3, 2019

@nikolai-derzhak-distillery aws eks update-kubeconfig --role-arn adds the role flag (--role) to the aws-iam-authenticator client (or to aws eks get-token if using the latest AWS CLI) in the exec config. However, supplying a role ARN for aws-iam-authenticator to use is not supported in eksctl for any of the commands.
So in both of your commands, credentials from your default AWS profile (or ENV vars) are being used.

The reason eksctl get iamidentitymapping is failing might be because the role ARN for your credentials is not present in the aws-auth ConfigMap, which maps AWS IAM roles/users to Kubernetes groups.
eksctl get nodegroup, OTOH, works because it doesn't use the Kubernetes API but rather the AWS API for accessing the CloudFormation stacks.

@mykhailoponomarov

Hi, I'm observing the same behavior: we assume an admin role from our AWS profiles, so eksctl throws an Unauthorized error. Would appreciate support for role assumption!

@danbeaulieu

Also see this issue using eksctl 0.31.0.

We have 2 roles: 1 that can describe-cluster and call other "AWS" level APIs, and another role that is used for in-cluster operations, such as modifying a configmap. This second role is added to the aws-auth config map to allow these operations.

For instance, in the same shell aws eks describe-cluster --name foo and kubectl edit -n kube-system configmap/aws-auth work.

Using eksctl create iamidentitymapping does not appear to use the configured KUBECONFIG file but instead uses the current IAM role for both AWS level APIs AND cluster level operations, and in our case this means the cluster level operations fail and the configmap can not be updated.

@github-actions
Contributor

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the stale label Jan 25, 2021
@michaelbeaumont
Contributor

Related #2745 #1356 (comment)

@github-actions
Contributor

This issue was closed because it has been stalled for 5 days with no activity.

@zafai

zafai commented Feb 3, 2021

We face the same problem that @danbeaulieu describes.
Are there any plans to implement this?

@RamazanKara

We also face the same problem.

@RamazanKara

For those who still face this issue: check if your users / roles have additional ARN paths in the role / user ARN, e.g. accountxyARN:/testpath/role. We had to remove these paths in the aws-auth configmap to get it working.
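
A small diagnostic for the two failure modes discussed in this thread (cPu1's point that eksctl ignores the exec role in the kubeconfig, and the ARN-path mismatch above), written here as an added example rather than eksctl's own code. It assumes aws-iam-authenticator's canonical matching form, in which the path segment of an IAM role ARN is dropped and an STS assumed-role ARN is rewritten to arn:aws:iam::ACCOUNT:role/NAME; the cluster name, account id, role names and mapRoles entries are constructed sample values.

```python
"""Check whether the role a kubeconfig exec plugin assumes is mapped in aws-auth."""
import re
from typing import List, Optional

# Assumption: aws-iam-authenticator compares against a path-less role ARN.
_ROLE = re.compile(r"^arn:(?P<p>[^:]+):iam::(?P<acct>\d+):role/(?:[^/]+/)*(?P<name>[^/]+)$")
_ASSUMED = re.compile(r"^arn:(?P<p>[^:]+):sts::(?P<acct>\d+):assumed-role/(?P<name>[^/]+)/[^/]+$")

def canonical_role_arn(arn: str) -> str:
    """Return the path-less IAM role ARN the authenticator matches mapRoles against."""
    m = _ROLE.match(arn) or _ASSUMED.match(arn)
    if not m:
        raise ValueError(f"not a role or assumed-role ARN: {arn}")
    return f"arn:{m['p']}:iam::{m['acct']}:role/{m['name']}"

def exec_role_arn(exec_args: List[str]) -> Optional[str]:
    """Extract the role from exec args: -r/--role (aws-iam-authenticator) or --role-arn (aws eks get-token)."""
    for i, arg in enumerate(exec_args):
        if arg in ("-r", "--role", "--role-arn") and i + 1 < len(exec_args):
            return exec_args[i + 1]
        for flag in ("--role=", "--role-arn="):
            if arg.startswith(flag):
                return arg[len(flag):]
    return None

def find_mapping_problems(exec_args: List[str], map_roles: List[dict]) -> List[str]:
    """Explain why a kubeconfig's exec role would get 'Unauthorized' against aws-auth."""
    role = exec_role_arn(exec_args)
    if role is None:
        return ["kubeconfig exec has no role flag: default credentials are used (eksctl behaves this way too)"]
    want = canonical_role_arn(role)
    problems = []
    for entry in map_roles:
        have = entry.get("rolearn", "")
        if have == want:
            return []  # exact canonical match: the mapping is fine
        try:
            if canonical_role_arn(have) == want:
                problems.append(f"mapRoles entry {have!r} keeps a path; aws-auth needs {want!r}")
        except ValueError:
            problems.append(f"mapRoles entry {have!r} is not a valid role ARN")
    return problems or [f"{want!r} is not mapped in aws-auth mapRoles"]

# Constructed sample: exec stanza written by `aws eks update-kubeconfig --role-arn`, and a
# mapRoles entry that still carries the /testpath/ segment (the mismatch reported above).
SAMPLE_EXEC_ARGS = ["token", "-i", "demo-cluster", "-r", "arn:aws:iam::111122223333:role/testpath/eks-admin"]
SAMPLE_MAP_ROLES = [{"rolearn": "arn:aws:iam::111122223333:role/testpath/eks-admin",
                     "username": "eks-admin", "groups": ["system:masters"]}]

if __name__ == "__main__":
    for line in find_mapping_problems(SAMPLE_EXEC_ARGS, SAMPLE_MAP_ROLES):
        print(line)
```

Feed it the `args` list from the kubeconfig's `users[].user.exec` stanza and the parsed `mapRoles` list from the aws-auth ConfigMap to check a real cluster.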

@github-actions
Contributor

github-actions bot commented Apr 2, 2021

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the stale label Apr 2, 2021
@github-actions
Contributor

github-actions bot commented Apr 8, 2021

This issue was closed because it has been stalled for 5 days with no activity.

@github-actions github-actions bot closed this as completed Apr 8, 2021
torredil pushed a commit to torredil/eksctl that referenced this issue May 20, 2022