Description
Describe the feature
Add an option --role-session-name to be used in conjunction with the --role-arn flag for the aws eks get-token command.
This flag would override the currently hard-coded role session name of EKSGetTokenAuth if provided.
Use Case
Currently our organization uses the open source Leapp app to manage our role chaining and sessions. We are able to configure named sessions when authenticating to our EKS cluster, which allows us to identify authenticated users in the cluster for auditing and monitoring purposes.
Leapp's parent company has shut down and on top of that, we are exploring a new development platform where the Leapp desktop app is not supported.
One simple fix to this specific problem is supporting a custom role session name for the aws eks get-token command, which is used in the ~/.kube/config file that is generated by the aws eks update-kubeconfig command.
A snippet of the ~/.kube/config file might look like this below. Note that fields marked with XXXXXXXXXXX are redacted.
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: XXXXXXXXXXX
    server: https://XXXXXXXXXXX.gr7.us-east-1.eks.amazonaws.com:443
  name: arn:aws:eks:us-east-1:123456789012:cluster/production
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:123456789012:cluster/production
    user: prod-access
  name: prod-admin
users:
- name: prod-access
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - staging
      - --output
      - json
      - --role-arn
      - arn:aws:iam::123456789012:role/eks-admin
      - --role-session-name
      - [email protected]
      command: aws
Currently, without being able to specify a role session name for aws eks get-token, the identity information looks like this.
$ kubectl auth whoami
ATTRIBUTE VALUE
Username company-editor
UID aws-iam-authenticator:123456789012:XXXXXXXXXXX
Groups [company-editors system:authenticated]
Extra: accessKeyId [XXXXXXXXXX]
Extra: arn [arn:aws:sts::123456789012:assumed-role/company-dev-writer/EKSGetTokenAuth]
Extra: canonicalArn [arn:aws:iam::851928862626:role/company-dev-writer]
Extra: principalId [XXXXXXXXXX]
Extra: sessionName [EKSGetTokenAuth]
Extra: sigs.k8s.io/aws-iam-authenticator/principalId [XXXXXXXXXX]
Note the Extra field sessionName is set to EKSGetTokenAuth.
Proposed Solution
Update the STSClientFactory class method _get_role_credentials to add support for a role_session_name parameter. If provided, it would override the default of EKSGetTokenAuth.
Add role-session-name to the ARG_TABLE for this command.
As far as the Python code changes, they seem fairly small and straightforward, but I'm not familiar with the testing suite and so I am requesting this feature in the event that an existing maintainer can implement it (with tests) faster than I can.
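As an added illustration of the proposed change (not code from aws-cli or from the issue author), the Python sketch below mirrors how an optional role_session_name would feed the AssumeRole parameters and which assumed-role ARN the cluster then records in its audit identity. The function names are assumptions; the session-name constraints are the documented STS RoleSessionName limits rather than anything stated in the issue.

```python
import re
from typing import Optional

# Session name currently hard-coded by `aws eks get-token` (from the issue).
DEFAULT_ROLE_SESSION_NAME = "EKSGetTokenAuth"

# STS RoleSessionName limits: 2-64 characters drawn from [\w+=,.@-].
# (Documented AssumeRole constraint; assumption added here, not from the issue.)
_SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")

# Role ARN shape: arn:aws:iam::<12-digit account>:role/<optional path>/<name>
_ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")


def build_assume_role_params(role_arn: str, role_session_name: Optional[str] = None) -> dict:
    """Return the kwargs that would be handed to sts.assume_role(), mirroring the
    proposed optional role_session_name parameter of _get_role_credentials().
    An absent or empty name keeps today's default, so existing callers are unaffected."""
    session_name = role_session_name or DEFAULT_ROLE_SESSION_NAME
    if not _SESSION_NAME_RE.match(session_name):
        # Reject early with a clear message instead of an opaque STS validation error.
        raise ValueError(f"invalid RoleSessionName: {session_name!r}")
    return {"RoleArn": role_arn, "RoleSessionName": session_name}


def assumed_role_arn(role_arn: str, role_session_name: Optional[str] = None) -> str:
    """Predict the STS assumed-role ARN the cluster will see (the `arn` extra in
    `kubectl auth whoami` and the principal in CloudTrail) for a role and session name.
    The role's IAM path is dropped in the assumed-role ARN, as STS does."""
    m = _ROLE_ARN_RE.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    account, role_path = m.groups()
    role_name = role_path.rsplit("/", 1)[-1]
    params = build_assume_role_params(role_arn, role_session_name)
    return f"arn:aws:sts::{account}:assumed-role/{role_name}/{params['RoleSessionName']}"


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/eks-admin"  # role ARN from the issue's kubeconfig
    print(assumed_role_arn(role))                       # current behaviour: .../EKSGetTokenAuth
    print(assumed_role_arn(role, "alice@example.com"))  # with the proposed flag (constructed name)
```

With a per-user session name, the sessionName and arn extras that the cluster attaches to the authenticated identity become attributable to a person rather than to the shared EKSGetTokenAuth value.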
Other Information
No response
Acknowledgements
- I may be able to implement this feature request
- This feature might incur a breaking change
CLI version used
aws-cli/2.18.0 Python/3.12.6 Linux/6.5.0-1025-azure exe/x86_64.ubuntu.20
Environment details (OS name and version, etc.)
GitHub Codespace (Linux codespaces-9d6cfb 6.5.0-1025-azure #26~22.04.1-Ubuntu SMP Thu Jul 11 22:33:04 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux)