AWS EKS and AWS SSO RBAC authentication problem
I created a new AWS SSO (using an internal IdP as the identity source, so not using Active Directory).
I can log in to the AWS CLI and the AWS GUI, but I can't run any kubectl operations.
error: You must be logged in to the server (Unauthorized)
I think this is related to RBAC, because I'm able to get an EKS token via aws eks get-token.
➜ cat ~/.aws/config
[profile team-sso-admin]
sso_start_url=https://team.awsapps.com/start
sso_region=us-west-2
sso_account_id=1111111111
sso_role_name=AdministratorAccess
region=us-west-2
credential_process = aws-vault exec team-sso-admin --json
➜ aws-vault exec team-sso-admin --debug -- zsh --login
➜ env | grep AWS
AWS_VAULT_PROMPT=pass
AWS_VAULT_BACKEND=pass
AWS_VAULT=team-sso-admin
AWS_DEFAULT_REGION=us-west-2
AWS_REGION=us-west-2
AWS_ACCESS_KEY_ID=xxx
AWS_SECRET_ACCESS_KEY=xxx
AWS_SESSION_TOKEN=xxx
AWS_SECURITY_TOKEN=yyy
AWS_SESSION_EXPIRATION=2021-01-11T05:55:51Z
AWS_SDK_LOAD_CONFIG=1
➜ aws sts get-caller-identity --output yaml
Account: '111111111111'
Arn: arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_AdministratorAccess_6c71da2aa3076dfb/TestUser
UserId: XXX:TestUser
➜ aws eks get-token --cluster-name team-shared-eks --role arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AdministratorAccess_67d1da2aa3076dfb
{"kind": "ExecCredential", "apiVersion": "client.authentication.k8s.io/v1alpha1", "spec": {}, "status": {"expirationTimestamp": "2021-01-11T02:49:11Z", "token": "xxx"}}
kubeconfig
config
- name: arn:aws:eks:us-west-2:111111111111:cluster/team-shared-eks
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-west-2
      - eks
      - get-token
      - --cluster-name
      - team-shared-eks
      - --role
      - arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AdministratorAccess_67d1da2aa3076dfb
      command: aws
aws-auth
mapRoles: |
  - "groups":
    - "system:bootstrappers"
    - "system:nodes"
    "rolearn": "arn:aws:iam::111111111111:role/team-shared-eks20210110051740674200000009"
    "username": "system:node:{{EC2PrivateDNSName}}"
  - "groups":
    - "system:master"
    "rolearn": "arn:aws:iam::111111111111:role/team-saml-devops"
    "username": "team-devops"
  - "groups":
    - "system:master"
    "rolearn": "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AdministratorAccess_67d1da2aa3076dfb"
    "username": "team-sso-devops"
ClusterRoleBinding for the team-sso-devops user:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2021-01-11T01:37:51Z"
  name: team:sso:devops
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: team-sso-devops
  namespace: default
Option #1 - try removing aws-reserved/sso.amazonaws.com/ from the role_arn (source)
Option #2 - use aws-iam-authenticator; the official docs provide a thorough example of how to use SSO with kubectl (kubeconfig)
The asker voted for another post as the answer, but did not post the method that was used. For anyone else who may run into this, I'm posting what I got to work in the same situation:
Following the tips in this blog:
- Verify the role using the AWS console or similar and get its ARN
- Modify the ARN you get by removing the extra path information. In my case I had to remove aws-reserved/sso.amazonaws.com/us-west-2/ from the ARN. The goal is for the ARN to "read" like a traditional role ARN, e.g. arn:aws:iam::123456789012:role/RoleName
- Finally, update the aws-auth mapRoles to use this new ARN, and also change the username to include the session name, like so:
  - "groups":
    - "system:masters"
    "rolearn": "arn:aws:iam::123456789012:role/AWSReservedSSO_AWSAdministratorAccess_randomdigits"
    "username": "AWSAdministratorAccess:{{SessionName}}"
A reminder that this mapRoles entry is in addition to the existing roles; do not remove the bootstrap entry.
I hope this helps someone else!
As @Meir mentioned, there is no need to update the kube config; update the aws-auth configmap with the following:
mapRoles: |
  - "groups":
    - "system:masters"
    "rolearn": "arn:aws:iam::{{AWS_ACCOUNT}}:role/{{AWSSSO_ROLE}}"
    "username": "Admin:{{SessionName}}"
With temporary AWS key, secret and session token in the environment, you should be good to go.
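The answers above (Option #1 and both aws-auth rewrites) all come down to one mechanism: aws-iam-authenticator reduces the caller's STS ARN `arn:aws:sts::ACCOUNT:assumed-role/NAME/SESSION` to `arn:aws:iam::ACCOUNT:role/NAME` before it looks up `mapRoles`, and that canonical form never carries an IAM path, so a `rolearn` that keeps `aws-reserved/sso.amazonaws.com/us-west-2/` can never match. The following Python is an added worked example, not code from the question or any of the answers; it reproduces that lookup offline so you can check a mapping before touching the cluster. The ARNs and `mapRoles` entries are constructed sample data (same shape as the question, one consistent role id), the case-insensitive ARN compare is an assumption about the authenticator, and the linter also flags the `system:master` typo present in the question's configmap, which none of the answers mention (the built-in group is `system:masters`).

```python
import re

# Constructed sample data (not from a real account): the caller ARN shape reported by
# `aws sts get-caller-identity` in the question, plus two aws-auth mapRoles entries.
# MAP_ROLES_BROKEN keeps the IAM path in rolearn (the question's situation);
# MAP_ROLES_FIXED is the path-less form from the answers, with a templated username.
CALLER_ARN = ("arn:aws:sts::111111111111:assumed-role/"
              "AWSReservedSSO_AdministratorAccess_6c71da2aa3076dfb/TestUser")

MAP_ROLES_BROKEN = [
    {"rolearn": ("arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/"
                 "us-west-2/AWSReservedSSO_AdministratorAccess_6c71da2aa3076dfb"),
     "username": "team-sso-devops",
     "groups": ["system:master"]},
]
MAP_ROLES_FIXED = [
    {"rolearn": "arn:aws:iam::111111111111:role/AWSReservedSSO_AdministratorAccess_6c71da2aa3076dfb",
     "username": "AdministratorAccess:{{SessionName}}",
     "groups": ["system:masters"]},
]

_STS_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")
_IAM_ROLE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")


def canonicalize_caller(sts_arn):
    """Reduce an STS assumed-role ARN to (account, canonical role ARN, session name).

    aws-iam-authenticator does the same before looking up mapRoles:
    arn:aws:sts::ACCT:assumed-role/NAME/SESSION -> arn:aws:iam::ACCT:role/NAME.
    The result never carries an IAM path, which is why a rolearn that keeps
    'aws-reserved/sso.amazonaws.com/...' cannot match.
    """
    m = _STS_ASSUMED_ROLE.match(sts_arn)
    if m is None:
        raise ValueError(f"not an assumed-role ARN: {sts_arn}")
    account, role_name, session = m.groups()
    return account, f"arn:aws:iam::{account}:role/{role_name}", session


def strip_role_path(role_arn):
    """Rewrite an IAM role ARN that has a path to the path-less form aws-auth expects."""
    m = _IAM_ROLE.match(role_arn)
    if m is None:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    account, path_and_name = m.groups()
    return f"arn:aws:iam::{account}:role/{path_and_name.rsplit('/', 1)[-1]}"


def render_username(template, account, session):
    """Expand the mapRoles username templates. {{SessionName}} turns '@' into '-'
    as documented for aws-iam-authenticator; {{SessionNameRaw}} keeps it verbatim."""
    return (template.replace("{{AccountID}}", account)
                    .replace("{{SessionNameRaw}}", session)
                    .replace("{{SessionName}}", session.replace("@", "-")))


def resolve_identity(sts_arn, map_roles):
    """Return the Kubernetes username/groups the caller would be given, or None when
    no mapRoles entry matches (the 'Unauthorized' case from the question).
    The ARN compare is case-insensitive here; assumed to mirror the authenticator."""
    account, canonical, session = canonicalize_caller(sts_arn)
    for entry in map_roles:
        if entry["rolearn"].lower() == canonical.lower():
            return {"username": render_username(entry["username"], account, session),
                    "groups": list(entry.get("groups", []))}
    return None


def lint_map_roles(map_roles):
    """Flag the two defects visible in the question's aws-auth: a rolearn that still
    carries its IAM path, and the misspelt built-in group 'system:master'."""
    findings = []
    for i, entry in enumerate(map_roles):
        m = _IAM_ROLE.match(entry.get("rolearn", ""))
        if m is None:
            findings.append(f"entry {i}: rolearn is not an IAM role ARN")
        elif "/" in m.group(2):
            findings.append(f"entry {i}: rolearn keeps its path; use "
                            f"{strip_role_path(entry['rolearn'])}")
        for group in entry.get("groups", []):
            if group == "system:master":
                findings.append(f"entry {i}: 'system:master' is not the built-in "
                                "cluster-admin group; it is 'system:masters'")
    return findings


if __name__ == "__main__":
    print("broken mapping ->", resolve_identity(CALLER_ARN, MAP_ROLES_BROKEN))
    print("fixed mapping  ->", resolve_identity(CALLER_ARN, MAP_ROLES_FIXED))
    for finding in lint_map_roles(MAP_ROLES_BROKEN):
        print("lint:", finding)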
我创建了一个新的 AWS SSO(使用内部 IDP 作为身份源,所以没有使用 Active Directory)。
我可以登录 AWS CLI、AWS GUI,但无法执行任何 kubectl 操作。
error: You must be logged in to the server (Unauthorized)
我认为这与 RBAC 有关,因为我能够通过以下方式获得 EKS 令牌
aws eks get-token
.
➜ cat ~/.aws/config
[profile team-sso-admin]
sso_start_url=https://team.awsapps.com/start
sso_region=us-west-2
sso_account_id=1111111111
sso_role_name=AdministratorAccess
region=us-west-2
credential_process = aws-vault exec team-sso-admin --json
➜ aws-vault exec team-sso-admin --debug -- zsh --login
➜ env | grep AWS
AWS_VAULT_PROMPT=pass
AWS_VAULT_BACKEND=pass
AWS_VAULT=team-sso-admin
AWS_DEFAULT_REGION=us-west-2
AWS_REGION=us-west-2
AWS_ACCESS_KEY_ID=xxx
AWS_SECRET_ACCESS_KEY=xxx
AWS_SESSION_TOKEN=xxx
AWS_SECURITY_TOKEN=yyy
AWS_SESSION_EXPIRATION=2021-01-11T05:55:51Z
AWS_SDK_LOAD_CONFIG=1
➜ aws sts get-caller-identity --output yaml
Account: '111111111111'
Arn: arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_AdministratorAccess_6c71da2aa3076dfb/TestUser
UserId: XXX:TestUser
➜ aws eks get-token --cluster-name team-shared-eks --role arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AdministratorAccess_67d1da2aa3076dfb
{"kind": "ExecCredential", "apiVersion": "client.authentication.k8s.io/v1alpha1", "spec": {}, "status": {"expirationTimestamp": "2021-01-11T02:49:11Z", "token": "xxx"}}
kubeconfig
config
- name: arn:aws:eks:us-west-2:111111111111:cluster/team-shared-eks
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- --region
- us-west-2
- eks
- get-token
- --cluster-name
- team-shared-eks
- --role
- arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AdministratorAccess_67d1da2aa3076dfb
command: aws
aws-auth
mapRoles: |
- "groups":
- "system:bootstrappers"
- "system:nodes"
"rolearn": "arn:aws:iam::111111111111:role/team-shared-eks20210110051740674200000009"
"username": "system:node:{{EC2PrivateDNSName}}"
- "groups":
- "system:master"
"rolearn": "arn:aws:iam::111111111111:role/team-saml-devops"
"username": "team-devops"
- "groups":
- "system:master"
"rolearn": "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AdministratorAccess_67d1da2aa3076dfb"
"username": "team-sso-devops"
team-sso-devops 用户的集群角色绑定:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: "2021-01-11T01:37:51Z"
name: team:sso:devops
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: team-sso-devops
namespace: default
选项 #1 - 尝试从 role_arn (source)
中删除aws-reserved/sso.amazonaws.com/
选项 #2 - 使用 aws-iam-authenticator, the official docs 提供有关如何使用 SSO 和 kubectl (kubeconfig) 的详尽示例
客户投票给另一个 post 作为答案,但没有 post 使用的方法。对于可能 运行 参与其中的其他人,我,post 在相同的情况下我要工作的内容:
遵循此 blog 中的提示:
- 使用 AWS 控制台或类似方法验证角色并获取它的 arn
- 修改提供的 arn,删除多余的路径信息。在我的例子中,我不得不从 arn 中删除
aws-reserved/sso.amazonaws.com/us-west-2/
。目标是让 arn 像传统角色 arn ex 一样“读取”:arn:aws:iam::123456789012:role/RoleName
- 最后,更新 aws-auth 映射角色以使用这个新的 arn,同时修改用户名以包含会话名称,如下所示:
- "groups":
- "system:masters"
"rolearn": "arn:aws:iam::123456789012:role/AWSReservedSSO_AWSAdministratorAccess_randomdigits"
"username": "AWSAdministratorAccess:{{SessionName}}"
提醒此 mapRoles 条目是对现有角色的补充,而不是删除引导程序条目。
我希望这对其他人有帮助!
如@Meir 所述,无需更新 kube 配置,
使用以下内容更新配置映射
aws-auth
: 地图角色:|- “组”:
- “系统:大师” “rolearn”:“arn:aws:iam::{{AWS_ACCOUNT}}:role/{{AWSSSO_ROLE}}” “用户名”:“管理员:{{SessionName}}”
- “组”:
在环境中使用临时 AWS 密钥、秘密和会话令牌
你应该准备好了。