Add command to manipulate IAM identity mappings

[rndstr]

Description

Adds the following commands to get/create/delete IAM role mappings to
Kubernetes username and groups.

eksctl get iamidentitymapping [--role arn]
eksctl create iamidentitymapping --role <arn> [--username=USER] --group=GROUP0 [--group=GROUP1]
eksctl delete iamidentitymapping --role <arn> [--all]

eksctl get iamidentitymapping
Returns all mappings; if role filter is given it returns all matching
roles (can be more than one).

eksctl create iamidentitymapping
Allows creating duplicates. Will warn if duplicates exist.

eksctl delete iamidentitymapping
Deletes a single mapping FIFO unless --all is given in which case it
removes all matching. Will warn if more mappings matching this role are
found.

Closes #625
Some remarks about implementation at #625 (comment)

Checklist

• Code compiles correctly (i.e make build)
• Added tests that cover your change (if possible)
• All unit tests passing (i.e. make test)
• All integration tests passing (i.e. make integration-test)
• Added/modified documentation as required (such as the README.md, and examples directory)

Example of interaction

$ eksctl get iamidentitymapping --cluster=roli-dev                                                                                      
ROLE                                                                                     USERNAME                                GROUPS                                       
arn:aws:iam::376248598259:role/eksctl-roli-dev-nodegroup-ng1-pub-NodeInstanceRole-5SO5IE system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes            
arn:aws:iam::376248598259:role/eksctl-roli-dev-nodegroup-ng2-pub-NodeInstanceRole-4SVDI  system:node:{{EC2PrivateDNSName}}       system:bootstrappers,system:nodes            
arntest                                                                                  roli                                    foo1,bar2                                    
foo                                                                                                                              bar                                          
foo                                                                                                                              bar


$ eksctl delete iamidentitymapping --cluster=roli-dev --role foo
[ℹ]  removing role "foo" from auth ConfigMap (username = "", groups = ["bar"])
[!]  there are 1 mappings left with same role "foo" (use --all to delete them at once)

$ eksctl create iamidentitymapping --cluster=roli-dev --role foo --group=moo                                                            
[!]  found 1 mappings with same role "foo" (which will be shadowed by your new mapping)
[ℹ]  adding role "foo" to auth ConfigMap

$ eksctl get iamidentitymapping --cluster=roli-dev --role foo                                                                           
ROLE    USERNAME        GROUPS
foo                     bar
foo                     moo

$ eksctl delete iamidentitymapping --cluster=roli-dev --role foo --all                                                                  
[ℹ]  removing role "foo" from auth ConfigMap (username = "", groups = ["bar"])
[ℹ]  removing role "foo" from auth ConfigMap (username = "", groups = ["moo"])

[martina-if]

Looks good to me! Would it be possible to add some tests?

[whereisaaron]

@rndstr thanks for your work. This will be very useful.

Does this, or how is it suggested to use the commands for the following use cases. I am guessing some loops/tests based on exit codes. Is that the intention?

1. Ensure user x is in the map without creating a duplicate? (exit code from get?)
2. User x is mapped to group a, how to map to group b as well? (delete until error then create?)
3. User x is mapped to groups a, b, c, how to remove from group b? (delete until error then create?)
4. Ensure user x is not mapped? (keep deleteing until error code?)

Questions:

1. When there are duplicates in the map, will get for an arn get them all, or just one?
2. Does get (optionally) produce JSON or YAML output?
3. Does delete output or exit code indicate if it deleted anything?
4. Do you know how EKS processes duplicates? If two entries for a user do both group mappings apply, just the first?

[rndstr]

@whereisaaron Some good questions. (I added a link to #625 (comment) which might be helpful)

I am guessing some loops/tests based on exit codes. Is that the intention?

Yep, tests are still to come, just wanted to post this to kick off the discussion some more.

Do you know how EKS processes duplicates? If two entries for a user do both group mappings apply, just the first?

It should be the last, actually. The code is at https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/c2d2884d23a3bc04fa8cc4d5b032022b38469104/pkg/server/server.go#L167-L174 and it will overwrite previous mappings with the same role.

When there are duplicates in the map, will get for an arn get them all, or just one?

Just one currently. I think returning them all might be better, though.

I did think about adding the following log messages

• (any command): warn if there are duplicate roles with mismatching username/groups
• delete: after removing it, inform there are more of those roles

Does get (optionally) produce JSON or YAML output?

Yes, -o yaml|json.

Does delete output or exit code indicate if it deleted anything?

Yes, it errors if it can't find the role.

---

I'm thinking about doing a write-up that should cover more questions that I can think of.

[whereisaaron]

When there are duplicates in the map, will get for an arn get them all, or just one?

Just one currently. I think returning them all might be better, though.

Yes please, and I suggest for the -o yaml | json that it always returns a list, even if just one result. It is easy to de-nest and preferable to have a consistent structure back to any invocation. Likewise, no match should return and empty list and maybe no error?

I did think about adding the following log messages
(any command): warn if there are duplicate roles with mismatching username/groups
delete: after removing it, inform there are more of those roles

Sounds good for interactive users, but I'd suggest those warnings not impact the exist code. Scripts can use another get to work this out.

delete should also warn interactively if no match found to delete, but maybe that isn't an exit code error either?

[rndstr]

Just one currently. I think returning them all might be better, though.

My initial thought was it's not going to be representative to what aws-iam-authenticator sees.

But since delete only deletes one, it probably becomes helpful for get --role <arn> to show all matches. But maybe show a hint here too?

Likewise, no match should return and empty list and maybe no error?

If a filter is given (get iamidentitymapping --role <arn>) then it should error to keep it consistent with get cluster --name <cluster>. But for get iamidentitymapping it won't error but just display an empty list.

Sounds good for interactive users, but I'd suggest those warnings not impact the exist code.

Yes, that log output would need to go to stderr or not log anything at all (could do log level debug if stderr is not an option). Not yet convinced this is a good idea, will see how we do things in other places.

delete should also warn interactively if no match found to delete, but maybe that isn't an exit code error either?

it should be an exit code error to be consistent with other eksctl delete <res> calls. (can use get & delete if you want to prevent an error.) also helps with surfacing typos.

[rndstr]

@whereisaaron @martina-if this is now ready for review in case you want to give it a go. Added tests and updated the PR description to reflect latest changes and an example of interaction.

[rndstr]

is this actually true? or is a role mapping valid with just a rolearn and username?

[martina-if]

Looks good! I left one minor comment

[cpaika]

This solves a big problem for us so much appreciated for setting this up - awesome.

When its merged can we use this functionality in the cluster.yaml file , or is it only supported in those three commands at first?
We're trying to keep our clusters configuration as declarative as possible currently, but totally can make do using those commands in our cluster pipeline setup so no big deal.

[cpaika]

For what its worth, I built this PR locally since I needed the functionality - everything works well for me 👍

[rndstr]

When its merged can we use this functionality in the cluster.yaml file , or is it only supported in those three commands at first?

It is commands only in this PR.

[martina-if]

LGTM 🎉 but let's wait for Ilya's review

[errordeveloper]

LGTM, overall. Would like take another look soon.

[errordeveloper]

@rndstr is it correct to assume that these new commands don't support --config-file yet? It'd be great to add it, I'd be happy to work on it as a follow-up, unless you'd rather take care of it.

[rndstr]

@errordeveloper I won't get to it until next week so feel free to do a follow-up.

[rndstr]

@errordeveloper rebased, needs another approval

[patstrom]

It might be a little late to bring this up but is there a specific reason why only IAM roles (in the mapRoles yaml key) are supported and not also IAM users (in the mapUsers yaml key)?

Just wanted to make sure this hasn't already been discussed outside Github before creating an issue.

[errordeveloper]

@patstrom I don't recall having a discussion about it, please open a new issue. It should be easy to add mapUsers.

[nikolai-derzhak-distillery]

I noticed that eksctl get iamidentitymapping does not work with assume-role in kube config (generated by aws --region $AWS_REGION eks update-kubeconfig --name $CLUSTER_NAME --role-arn $AWS_ROLE ) :

$ eksctl get iamidentitymapping --name=$CLUSTER_NAME
[✖]  getting auth ConfigMap: Unauthorized

while eksctl get nodegroup --cluster $CLUSTER_NAME works fine.

Also I can just edit aws-auth yaml like this:

kubectl edit -n kube-system configmap/aws-auth

Do you need ticket on this ?

Guess related to this feature request : #749

[rndstr]

@nikolai-derzhak-distillery a ticket would be great, thanks!

[nikolai-derzhak-distillery]

Here we go: #916 YW

[neilharris123]

@rndstr is it correct to assume that these new commands don't support --config-file yet? It'd be great to add it, I'd be happy to work on it as a follow-up, unless you'd rather take care of it.

@errordeveloper, Hello, is this still in the pipeline? It would be really useful!