FIREBREAK: Accessing EKS clusters with SSO #5194

Open
poornima-krishnasamy opened this issue Jan 16, 2024 · 2 comments
Background

EKS aws-auth has the provision to add an SSO Administrator role. Can Cloud Platform utilize this provision and get rid of the individual IAM users added in the cluster config (https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/aws-accounts/cloud-platform-aws/vpc/eks/cluster.tf#L195-L268)?

Guide on configuring SSO with admin role: https://aws.amazon.com/blogs/containers/a-quick-path-to-amazon-eks-single-sign-on-using-aws-sso/

If we can perform terraform and aws cli operations using the SSO, we would benefit from using short-lived creds and can get rid of our IAM users altogether. This will also avoid storing the long-term creds locally to perform these operations.

Questions / Assumptions

Definition of done

  • Firebreak finding documented appropriately
  • Demo completed
  • Decision made on whether to progress Firebreak work
  • Do next steps require User Research?
  • Firebreak next step Issues created
  • New Issues referenced in this story before closure
@poornima-krishnasamy poornima-krishnasamy self-assigned this May 14, 2024
@poornima-krishnasamy poornima-krishnasamy removed their assignment May 24, 2024
@kyphutruong kyphutruong self-assigned this Jul 22, 2024
kyphutruong commented Jul 24, 2024

Configuring aws cli config profile to use SSO

The AWS docs state there are two ways to authenticate users with IAM Identity Center to get credentials to run AWS CLI commands through the config file:

  • SSO token provider configuration (recommended) – Extended session durations.

  • Legacy non-refreshable configuration – Uses a fixed, eight-hour session.

In both configurations, you need to sign in again when your session expires.

When running terraform using the recommended config, the following error occurs:

➜  vpc git:(main) ✗ terraform init
Initializing modules...
Downloading git::https://github.com/ministryofjustice/cloud-platform-terraform-route53-logs.git?ref=1.0.4 for route53_query_log...
- route53_query_log in .terraform/modules/route53_query_log
Downloading registry.terraform.io/terraform-aws-modules/s3-bucket/aws 3.15.1 for route53_query_log.s3_bucket_query_log...
- route53_query_log.s3_bucket_query_log in .terraform/modules/route53_query_log.s3_bucket_query_log

Initializing the backend...
╷
│ Error: error configuring S3 Backend: Error creating AWS session: profile "moj-cp" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

The platform is still built on terraform v1.25, and this version doesn't support the recommended config. We have to use legacy config for now.

We can start to use the up-to-date recommended config when we start to use terraform 1.6.0 (issue discussed in a community thread).
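As an added illustration of the two profile shapes behind the error above (example code, not part of this repository), the following Python parses a constructed `~/.aws/config`, reports which keys an SDK that only understands the legacy form would find missing from an `sso-session` profile, and flattens such a profile into the legacy layout. Profile and session names, the account id and the start URL are placeholders.

```python
import configparser

# Constructed ~/.aws/config containing both styles; all values are placeholders.
SAMPLE_CONFIG = """
[profile moj-cp]
sso_session = moj-sso
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = eu-west-2

[sso-session moj-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-2
sso_registration_scopes = sso:account:access

[profile moj-cp-legacy]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = eu-west-2
"""

# Keys the legacy (non-refreshable) SSO profile form requires inline.
LEGACY_KEYS = ("sso_region", "sso_start_url", "sso_account_id", "sso_role_name")


def load_config(text):
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return cp


def classify_profile(cp, name):
    """Return 'sso-session', 'legacy' or 'none' for the named profile."""
    p = dict(cp.items(f"profile {name}"))
    if "sso_session" in p:
        return "sso-session"
    return "legacy" if all(k in p for k in LEGACY_KEYS) else "none"


def missing_for_legacy(cp, name):
    """Keys an SDK that ignores [sso-session] sections would report as missing."""
    p = dict(cp.items(f"profile {name}"))
    return [k for k in LEGACY_KEYS if k not in p]


def to_legacy_profile(cp, name):
    """Flatten an sso-session profile into the legacy form older SDKs accept."""
    p = dict(cp.items(f"profile {name}"))
    session = p.pop("sso_session", None)
    if session is not None:
        sess = dict(cp.items(f"sso-session {session}"))
        p["sso_start_url"] = sess["sso_start_url"]
        p["sso_region"] = sess["sso_region"]
    return p
```

Running `missing_for_legacy` on the `moj-cp` profile reproduces the two keys named in the Terraform error, which is why only the legacy layout works until the newer Terraform release.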

@kyphutruong
Working branch

Status: Todo