Comments (4)

eraserx99 commented on July 18, 2024

Second that...

I have the following environment variables configured before I run the aws eks update-kubeconfig --role-arn command.

AWS_REGION=us-west-2
AWS_DEFAULT_REGION=us-west-2
AWS_ACCESS_KEY_ID=XXXXXX
AWS_SECRET_ACCESS_KEY=XXXXXX
AWS_SESSION_TOKEN=XXXXXX
AWS_CREDENTIAL_EXPIRATION=2024-03-19T20:52:49Z

When I run the command, aws eks --region us-west-2 update-kubeconfig --name ${EKS_CLUSTER_NAME} --role-arn ${IAM_ARN}, I got this.

An error occurred (ResourceNotFoundException) when calling the DescribeCluster operation: No cluster found for name:

IMHO, I guess the implementation doesn't assume the role before it checks the existence of the EKS cluster. However, I expect the implementation to assume the role first (as described by @xcompass).

Also, the aws eks get-token --role-arn works fine with the role arn specified (as described by @xcompass).

from aws-cli.

danielloader commented on July 18, 2024

I wish this wasn't a thing. As a cheap and nasty roundabout solution, I'm being forced into doing the following (and I don't recommend it if you don't need to do this, but I don't want lots of profiles for assuming roles in my aws config...)

eval $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s aws eks --region eu-west-2 update-kubeconfig --name CLUSTERNAME --role-arn arn:aws:iam::1234567890:role/ASSUMEDROLE" \
$(aws sts assume-role \
  --role-arn arn:aws:iam::1234567890:role/ASSUMEDROLE \
  --role-session-name AWSCLI-Session \
  --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
  --output text))

from aws-cli.

tim-finnigan commented on July 18, 2024

Thanks for reaching out — linking the update-kubeconfig and EKS User Guide for reference. As mentioned there:

This command constructs a configuration with prepopulated server and certificate authority data values for a specified cluster. You can specify an IAM role ARN with the --role-arn option to use for authentication when you issue kubectl commands. Otherwise, the IAM entity in your default AWS CLI or SDK credential chain is used. You can view your default AWS CLI or SDK identity by running the aws sts get-caller-identity command.

We can forward this issue to the EKS team for review as they are the owners of this customization.

from aws-cli.

allamand commented on July 18, 2024

Ideally we would need a way to tell update-kubeconfig which AWS account the EKS cluster is in, in the case of a multi-account scenario.

Look at this scenario:

[image]

This needs me to assume a role in the sharedEKS cluster, just to retrieve the kubeconfig file. From then on, I could just work with my teamA role, thanks to the EKS access entries that work cross-account.

Ideally, I would like to have a parameter allowing me to specify the AWS account host for the EKS cluster, like:

aws eks --region eu-west-1 update-kubeconfig --name cluster_name --account <sharedEKS>

This would allow me to retrieve the kubeconfig, only dealing with the IAM role teamA in account teamA.

Or at least allow specifying an assume-role parameter for the command:

aws eks --region eu-west-1 update-kubeconfig --name cluster_name \
--assume-role-arn arn:aws:iam::sharedEKS:role/eks-cross-account 

With this new assume-role-arn, the CLI will assume this role prior to doing the update-kubeconfig. Note this could still be coupled with the --role-arn, which could be added to the generated Kubernetes configuration and which can be different (a role from accountA), while the assume-role-arn will link to the sharedEKS account.

from aws-cli.
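
The assume-first flow discussed in this thread, as an added example (not code from the commenters or the aws-cli project): a POSIX shell function that parses the STS output with read instead of eval and keeps the temporary credentials inside a subshell. The function name, its argument order and the session name are assumptions.

```shell
# Added example; update_kubeconfig_as and its argument order are hypothetical.
# Usage: update_kubeconfig_as ASSUME_ROLE_ARN REGION CLUSTER [KUBECONFIG_ROLE_ARN]
#   ASSUME_ROLE_ARN      role assumed via STS before DescribeCluster is called
#   KUBECONFIG_ROLE_ARN  optional; passed as --role-arn and written into the
#                        kubeconfig for later kubectl authentication
# The body is a subshell "( ... )", so neither the shell variables nor the
# exported credentials survive in the calling shell.
update_kubeconfig_as() (
  assume_arn=$1 region=$2 cluster=$3 kube_role=${4:-}

  # Same STS query as the workaround in the thread; the session name is an
  # assumption chosen for this example.
  out=$(aws sts assume-role \
    --role-arn "$assume_arn" \
    --role-session-name update-kubeconfig \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text) || exit 1

  # Split the whitespace-separated line with read, so the STS output is only
  # ever treated as data and never re-parsed as shell code.
  read -r key secret token extra <<EOF
$out
EOF
  if [ -z "$token" ] || [ -n "$extra" ]; then
    echo "update_kubeconfig_as: unexpected assume-role output" >&2
    exit 1
  fi

  export AWS_ACCESS_KEY_ID="$key" AWS_SECRET_ACCESS_KEY="$secret" \
         AWS_SESSION_TOKEN="$token"

  # Build the argument list; --role-arn is appended only when requested.
  set -- eks --region "$region" update-kubeconfig --name "$cluster"
  if [ -n "$kube_role" ]; then
    set -- "$@" --role-arn "$kube_role"
  fi
  aws "$@"
)
```
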
