aws eks 和 aws sso RBAC 身份验证问题

我创建了一个新的 AWS SSO(使用内部 IDP 作为身份源,因此不使用 Active Directory)。
我能够登录 AWS CLI、AWS GUI,但无法执行任何 kubectl 操作。

error: You must be logged in to the server (Unauthorized)

我认为这与 RBAC 有关,因为我能够通过 aws eks get-token 获得 EKS 令牌。

➜ cat ~/.aws/config

[profile team-sso-admin]
sso_start_url=https://team.awsapps.com/start
sso_region=us-west-2
sso_account_id=1111111111
sso_role_name=AdministratorAccess
region=us-west-2
credential_process = aws-vault exec team-sso-admin --json

➜ aws-vault exec team-sso-admin --debug -- zsh --login
➜ env | grep AWS
AWS_VAULT_PROMPT=pass
AWS_VAULT_BACKEND=pass
AWS_VAULT=team-sso-admin
AWS_DEFAULT_REGION=us-west-2
AWS_REGION=us-west-2
AWS_ACCESS_KEY_ID=xxx
AWS_SECRET_ACCESS_KEY=xxx
AWS_SESSION_TOKEN=xxx
AWS_SECURITY_TOKEN=yyy
AWS_SESSION_EXPIRATION=2021-01-11T05:55:51Z
AWS_SDK_LOAD_CONFIG=1

➜ aws sts get-caller-identity --output yaml 

Account: '111111111111'
Arn: arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_AdministratorAccess_6c71da2aa3076dfb/TestUser
UserId: XXX:TestUser

➜ aws eks get-token --cluster-name team-shared-eks --role arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AdministratorAccess_67d1da2aa3076dfb

{"kind": "ExecCredential", "apiVersion": "client.authentication.k8s.io/v1alpha1", "spec": {}, "status": {"expirationTimestamp": "2021-01-11T02:49:11Z", "token": "xxx"}}

kubeconfig

config

- name: arn:aws:eks:us-west-2:111111111111:cluster/team-shared-eks
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-west-2
      - eks
      - get-token
      - --cluster-name
      - team-shared-eks
      - --role
      - arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AdministratorAccess_67d1da2aa3076dfb
      command: aws

aws 身份验证

mapRoles: |
    - "groups":
      - "system:bootstrappers"
      - "system:nodes"
      "rolearn": "arn:aws:iam::111111111111:role/team-shared-eks20210110051740674200000009"
      "username": "system:node:{{EC2PrivateDNSName}}"
    - "groups":
      - "system:master"
      "rolearn": "arn:aws:iam::111111111111:role/team-saml-devops"
      "username": "team-devops"
    - "groups":
      - "system:master"
      "rolearn": "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AdministratorAccess_67d1da2aa3076dfb"
      "username": "team-sso-devops"

team-sso-devops 用户的集群角色绑定

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2021-01-11T01:37:51Z"
  name: team:sso:devops
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: team-sso-devops
  namespace: default
stack overflow aws eks and aws sso RBAC authentication problem
原文答案
author avatar

接受的答案

选项#1-尝试从角色_ARN删除 aws-reserved/sso.amazonaws.com/

选项#2-使用 aws-iam-authenticatorofficial docs 提供了一个详尽的示例,说明了如何使用SSO和Kubectl(kubeconfig)


答案:

作者头像

客户投票另一个帖子作为答案,但没有发布使用的方法。对于可能遇到这种情况的其他人,我发布了我在相同情况下必须工作的内容:

以下来自 blog 的提示:

1.使用AWS控制台或类似方法验证角色并获取其arn
2.修改提供的arn,修剪掉多余的路径信息。就我而言,我必须从 arn 中删除 aws-reserved/sso.amazonaws.com/us-west-2/ 。目标是让 arn 像传统角色 arn ex 一样“读取”: arn:aws:iam::123456789012:role/RoleName

  1. 最后,更新 aws-auth 映射角色以使用这个新的 arn,同时修改用户名以包含会话名称,如下所示:

    
    - "groups":
    - "system:masters"
    "rolearn": "arn:aws:iam::123456789012:role/AWSReservedSSO_AWSAdministratorAccess_randomdigits"
    "username": "AWSAdministratorAccess:{{SessionName}}"


提醒此 mapRoles 条目位于现有角色的  `addition`  中,不要删除引导程序条目。

我希望这对其他人有帮助!
作者头像

如@meir所述,无需更新Kube配置,

1.更新configmap aws-auth ,以下:maproles:|

*“组”:
    *“系统:Masters”“ Rolearn”:“ Arn:aws:iam :: {{aws_account}}:requ/{awssso_role}} {{awssso_role}}“”“ username”:“ admin:admin:{sessionname}}}}”

2.在env中使用临时AWS密钥,秘密和会话令牌

你应该准备去。