Comments (4)
Second that...
I have the following environment variables configured before I run the aws eks update-kubeconfig --role-arn command.
AWS_REGION=us-west-2
AWS_DEFAULT_REGION=us-west-2
AWS_ACCESS_KEY_ID=XXXXXX
AWS_SECRET_ACCESS_KEY=XXXXXX
AWS_SESSION_TOKEN=XXXXXX
AWS_CREDENTIAL_EXPIRATION=2024-03-19T20:52:49Z
When I run the command, aws eks --region us-west-2 update-kubeconfig --name ${EKS_CLUSTER_NAME} --role-arn ${IAM_ARN}, I got this.
An error occurred (ResourceNotFoundException) when calling the DescribeCluster operation: No cluster found for name:
IMHO, I guess the implementation doesn't assume the role before it checks the existence of the EKS cluster. However, I expect the implementation to assume the role first (as described by @xcompass).
Also, the aws eks get-token --role-arn works fine with the role arn specified (as described by @xcompass).
from aws-cli.
I wish this wasn't a thing, as a cheap and nasty roundabout solution I'm being forced into doing the following (and I don't recommend it if you don't need to do this, but I don't want lots of profiles for assuming roles in my aws config...)
eval $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s aws eks --region eu-west-2 update-kubeconfig --name CLUSTERNAME --role-arn arn:aws:iam::1234567890:role/ASSUMEDROLE" \
  $(aws sts assume-role \
      --role-arn arn:aws:iam::1234567890:role/ASSUMEDROLE \
      --role-session-name AWSCLI-Session \
      --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
      --output text))
from aws-cli.
Thanks for reaching out — linking the update-kubeconfig and EKS User Guide for reference. As mentioned there:
This command constructs a configuration with prepopulated server and certificate authority data values for a specified cluster. You can specify an IAM role ARN with the --role-arn option to use for authentication when you issue kubectl commands. Otherwise, the IAM entity in your default AWS CLI or SDK credential chain is used. You can view your default AWS CLI or SDK identity by running the aws sts get-caller-identity command.
We can forward this issue to the EKS team for review as they are the owners of this customization.
from aws-cli.
Ideally we would need a way to tell update-kubeconfig which AWS account the EKS cluster is in, in a multi-account scenario.
This needs me to assume a role in the sharedEKS cluster, just to retrieve the kubeconfig file. From then on, I could just work with my teamA role, thanks to the EKS access entries that work cross-account.
Ideally, I would like to have a parameter that allows me to specify the AWS account hosting the EKS cluster, like:
aws eks --region eu-west-1 update-kubeconfig --name cluster_name --account <sharedEKS>
This would allow me to retrieve the kubeconfig while only dealing with the IAM role teamA in account teamA.
Or at least allow specifying an assume-role parameter to the command:
aws eks --region eu-west-1 update-kubeconfig --name cluster_name \
--assume-role-arn arn:aws:iam::sharedEKS:role/eks-cross-account
With this new assume-role-arn, the CLI will assume this role prior to doing the update-kubeconfig. Note this could still be coupled with the --role-arn, which could be added to the generated Kubernetes configuration and which can be different (role from accountA), while the assume-role-arn will link to the sharedEKS account.
from aws-cli.
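The assume-role-then-update-kubeconfig flow discussed in this thread, written without eval and with the temporary credentials confined to a subshell. This is an added example, not aws-cli code or any commenter's script. The function name, the 900-second session length and the optional fourth argument (the role written into the kubeconfig, defaulting to the assumed role) are assumptions of this sketch.

```shell
# update_kubeconfig_as_role REGION CLUSTER ASSUME_ROLE_ARN [KUBECONFIG_ROLE_ARN]
# (hypothetical helper name; not part of aws-cli)
# The body is wrapped in ( ... ), so it runs in a subshell: the temporary
# credentials and every variable below vanish when the function returns.
update_kubeconfig_as_role() (
  region=$1 cluster=$2 assume_arn=$3 kube_arn=${4:-$3}
  [ -n "$region" ] && [ -n "$cluster" ] && [ -n "$assume_arn" ] || {
    echo "usage: update_kubeconfig_as_role REGION CLUSTER ASSUME_ROLE_ARN [KUBECONFIG_ROLE_ARN]" >&2
    exit 2
  }

  # Short-lived session: only the DescribeCluster call behind
  # update-kubeconfig needs these credentials (900 s is the STS minimum).
  creds=$(aws sts assume-role \
    --role-arn "$assume_arn" \
    --role-session-name "update-kubeconfig-$$" \
    --duration-seconds 900 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text) || exit 1

  # --output text returns one tab-separated line; split it into $1 $2 $3
  # with globbing disabled so the values are never expanded as patterns.
  set -f
  set -- $creds
  [ "$#" -eq 3 ] || { echo "assume-role returned unexpected output" >&2; exit 1; }

  export AWS_ACCESS_KEY_ID=$1 AWS_SECRET_ACCESS_KEY=$2 AWS_SESSION_TOKEN=$3
  # The role passed here is only recorded in the kubeconfig for later
  # kubectl authentication; the call itself uses the credentials exported above.
  aws eks update-kubeconfig --region "$region" --name "$cluster" --role-arn "$kube_arn"
)
```

Because the credentials are passed through the subshell's environment rather than built into a command string, they do not appear in process arguments or shell history.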