Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IAM roles with paths are only recognized without the path #153

Open
alfredkrohmer opened this issue Sep 28, 2018 · 26 comments
Open

IAM roles with paths are only recognized without the path #153

alfredkrohmer opened this issue Sep 28, 2018 · 26 comments
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@alfredkrohmer
Copy link

Assuming I have the following role ARN:

arn:aws:iam::1234567890:role/iam-ss/some-path/actual-role-name

If I enter this under mapRoles, this will not be recognized. Instead I need to enter:

arn:aws:iam::1234567890:role/actual-role-name
@davekonopka
Copy link

@devkid Are you using an assumed role? It looks like this PR might be related to what you're seeing: #144

@alfredkrohmer
Copy link
Author

The role is used by an EC2 instance with an IAM instance profile. Not sure if this counts as "assumed"? (Does EC2 "assume" the role on behalf of the instance to provide the credentials?)

@davekonopka
Copy link

Yes. Roles are always assumed now that I think about it.

@nckturner
Copy link
Contributor

Yeah, this is definitely confusing UX with the current implementation. Some possible ways forward are 1. to allow paths to be included, in which case we would want to validate them (they are not returned in the STS assume role response because they are not included assumed role ARNs), 2. to force the path to be included in the ARN (again needing the validation step), or 3. to consider allowing or requiring the Principle ID to be used in mappings instead of ARNs.

@timvanderkooi
Copy link

Any update here? I'd like to be able to use Terraform to resolve the ARN and place it into my auth map, but with this implementation I have to manually specify that modified ARN as a variable.

@fernandogoncalves-me
Copy link

@timvanderkooi, good news! Apparently this was solved by #103 and it's already part of the pre-release v0.4.0-alpha.1.

@jpb
Copy link

jpb commented Nov 9, 2018

I ran into this, and the fix in #103 isn't sufficient to resolve the issue because role paths are not included in assumed-role ARNs. I created #144 which implements @nckturner's option (1.) or (2.) (not sure which one based on the description above), but it is currently stalled right now.

Given that roles are unique based on their name only, it would be safe to drop the path in the role ARN in mapRoles as a temporary workaround.

@BeardedCloudWalker
Copy link

Still seeing the appearance off this issue. in configMap having to drop path:
- rolearn: arn:aws:iam::1234567890:role/prod-path/eks-role
in automation needs to be parsed down to
- rolearn: arn:aws:iam::12334567890:role/eks-role

Following EKS Setup documentation, this can initially manifest in Nodes not being able to join the cluster after the instance role is passed to the auth config step.

@jalvarezferr
Copy link

Using AWS EKS with a worker role having an IAM path other than / causes worker to fail to join the cluster.
/var/log/messages shows streams of Unauthorized errors.
Is this related to this same issue?

@alfredkrohmer
Copy link
Author

alfredkrohmer commented Feb 21, 2019

@jalvarezferr Yes, that is the issue. Just cut out the path from the aws-auth, it should work then.

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 22, 2019
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 21, 2019
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Copy link
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@zettatronn
Copy link

/reopen

This ticket was closed due to inactivity but this bug is still present. We currently have to use 2 ARNs in all configmaps to work around this issue.

@k8s-ci-robot
Copy link
Contributor

@zettatronn: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

/reopen

This ticket was closed due to inactivity but this bug is still present. We currently have to use 2 ARNs in all configmaps to work around this issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@nckturner
Copy link
Contributor

/reopen

@k8s-ci-robot
Copy link
Contributor

@nckturner: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot reopened this Dec 12, 2019
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Copy link
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@joanayma
Copy link

joanayma commented Apr 8, 2020

/reopen

@k8s-ci-robot
Copy link
Contributor

@joanayma: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@nckturner
Copy link
Contributor

/reopen
/lifecycle frozen

@nckturner nckturner reopened this May 15, 2020
@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. labels May 15, 2020
DWSR pushed a commit to DWSR/terraform-aws-eks that referenced this issue May 27, 2020
`aws-iam-authenticator` has an open issue where it will not recognize
IAM roles that include paths. This change causes the path supplied to
`var.iam_path` to be stripped when generating the `aws-auth` ConfigMap
in order to work around this.

kubernetes-sigs/aws-iam-authenticator#153
dpiddockcmp pushed a commit to terraform-aws-modules/terraform-aws-eks that referenced this issue May 30, 2020
* fix: Work around path bug in aws-iam-authenticator

`aws-iam-authenticator` has an open issue where it will not recognize
IAM roles that include paths. This change causes the path supplied to
`var.iam_path` to be stripped when generating the `aws-auth` ConfigMap
in order to work around this.

kubernetes-sigs/aws-iam-authenticator#153
aws/containers-roadmap#926
@billinghamj
Copy link

Between #333, #268, #153 and #98 - would be good to get duplicates closed and it tracked in one place

joanayma pushed a commit to joanayma/aws-iam-authenticator that referenced this issue Aug 11, 2021
joanayma pushed a commit to joanayma/aws-iam-authenticator that referenced this issue Aug 11, 2021
baibailiha added a commit to baibailiha/terraform-aws-eks that referenced this issue Sep 13, 2022
* fix: Work around path bug in aws-iam-authenticator

`aws-iam-authenticator` has an open issue where it will not recognize
IAM roles that include paths. This change causes the path supplied to
`var.iam_path` to be stripped when generating the `aws-auth` ConfigMap
in order to work around this.

kubernetes-sigs/aws-iam-authenticator#153
aws/containers-roadmap#926
@sftim
Copy link

sftim commented Jan 20, 2023

If people want to highlight this issue to the vendor, AWS, then please visit aws/containers-roadmap#573 and add a thumbs-up reaction.

@gothrek22
Copy link

Seems that it's kind of fixed upstream here: aws/containers-roadmap#185

They now not only support an API to manage cluster access, but also switch to AWS iam principal id, instead of ARN (which is relevant to this ticket).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.
Projects
None yet