使AWS Group访问AWS EKS集群 [英] Enabling AWS Group to access AWS EKS cluster

问题描述

此问题本质上是将IAM组添加到AWS EKS中的aws-auth configmap中的重复项.但是，该问题没有一个可接受的答案，我想提供更多背景信息.

This question is essentially a duplicate of Adding IAM Group to aws-auth configmap in AWS EKS. However, the question does not have an accepted answer and I would like to provide more context.

我知道aws-auth ConfigMap对象不允许直接映射AWS Group.一种解决方法是改为映射一个AWS角色.我尝试过，但是无法正常工作.映射AWS用户可以正常工作.

I know that aws-auth ConfigMap object does not allow mapping AWS Group directly. A workaround would be to map an AWS Role instead. I tried that but were unable to get it working. Mapping an AWS User works without issues.

我使用帐户027755483893作为受信任实体设置了AWS角色arn:aws:iam::027755483893:role/development-readwrite，并附加了以下信任策略:

I setup an AWS Role arn:aws:iam::027755483893:role/development-readwrite with account 027755483893 as being the trusted entity and attached the following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::027755483893:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

我设置了一个AWS Group arn:aws:iam::027755483893:group/development-readwrite，并附加了以下策略:

I setup an AWS Group arn:aws:iam::027755483893:group/development-readwrite and attached the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::027755483893:role/development-readwrite"
            ]
        }
    ]
}

我按如下所示设置aws-auth ConfigMap:

I setup the aws-auth ConfigMap as follows:

apiVersion: v1
data:
  mapRoles: |
    # Other mappings omitted for clarity
    - groups:
      - system:masters
      rolearn: arn:aws:iam::027755483893:role/development-readwrite
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2019-08-21T08:25:15Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "62031092"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 33b33620-c3ed-11e9-83c0-029bc9dcca16

但是，该组中没有用户可以访问群集.用户是否需要明确承担角色?还有什么我想念的吗?

However, none of the users in the group have access to the cluster. Do the users need to explicitly assume role? Is there anything else I'm missing?

推荐答案

在这种情况下，用户确实需要显式承担该角色.用户可以承担角色这一事实不足以使他们实际有权访问群集.

In this case the users indeed need to explicitly assume the role. The fact that the users can assume the role is not enough for them to actually have access to the cluster.

可以为您的用户简化此操作的一种方法是通过aws get token调用创建kubeconfig.这样，您就可以为集群指定一个角色的role_arn.

One approach that can simplify it for your users is by creating a kubeconfig with the aws get token call. This allows you to specify a role_arn of a role to assume for the cluster.

这篇关于使AWS Group访问AWS EKS集群的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！