(eks): awsAuth methods should account for role path
As described here, an IAM role containing a Path won’t work on the aws-auth configmap and the path must be removed.
Currently passing a role that includes a path to any of the awsAuth methods of the cluster object (i.e. awsAuth.addMastersRole) will produce a config map that will not allow the role to authenticate.
For example, creating a no-ingress Cloud9 environment and mapping the instance role fails to authenticate with the default instance role, as it includes a Path by default (/service-role/).
Reproduction Steps
- Create a CDK Stack with C9 environment with CONNECT_SSM connection type and an EKS cluster.
- Add the Cloud9 role to the awsAuth as master to the EKS cluster.
- Log into the Cloud9 instance.
- Update kubeconfig using the instance role.
- List nodes will fail with authentication error.
What did you expect to happen?
awsAuth interface should strip the path from the role arn when updating the aws-auth configmap, otherwise allow for a method to pass the arn as String. A method with a signature like:
public addMastersRole(role: string, username?: string): void
What actually happened?
Configmap entry created includes the role path (service-role) and there is no way to exclude it:
{"rolearn":"arn:aws:iam::123456789012:role/service-role/AWSCloud9SSMAccessRole","username":"arn:aws:iam::123456789012:role/service-role/AWSCloud9SSMAccessRole","groups":["system:masters"]}
Environment
- CDK CLI Version : 1.97.0
- Framework Version:
- Node.js Version: v14.16.1
- OS : Any
- Language (Version): TypeScript
Other
This is 🐛 Bug Report
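As an added example (not code from aws-cdk or from the issue author), one way to normalise a role ARN before it is written to aws-auth, and to audit existing mapRoles entries for ARNs that still carry a path and so will never match. `stripRolePath`, `toRoleMapping` and `findPathedMappings` are hypothetical helper names, defaulting the username to the stripped ARN is an assumption, and the second sample entry is constructed.

```typescript
// Added example; helper names are hypothetical, not aws-cdk APIs.
interface RoleMapping {
  rolearn: string;
  username: string;
  groups: string[];
}

// arn:<partition>:iam::<account>:role/<optional/path/>RoleName
const ROLE_ARN = /^arn:(aws[a-z-]*):iam::(\d{12}):role\/(?:[^\/\s]+\/)*([\w+=,.@-]+)$/;

// Return the role ARN with any IAM path removed, the form aws-auth matches on.
function stripRolePath(arn: string): string {
  const m = ROLE_ARN.exec(arn);
  if (m === null) {
    throw new Error(`not an IAM role ARN: ${arn}`);
  }
  return `arn:${m[1]}:iam::${m[2]}:role/${m[3]}`;
}

// Build a mapRoles entry from a role ARN that may carry a path.
function toRoleMapping(arn: string, groups: string[], username?: string): RoleMapping {
  const rolearn = stripRolePath(arn);
  return { rolearn, username: username ?? rolearn, groups };
}

// Audit existing entries: report those whose rolearn still includes a path.
function findPathedMappings(entries: RoleMapping[]): RoleMapping[] {
  return entries.filter((e) => {
    try {
      return stripRolePath(e.rolearn) !== e.rolearn;
    } catch {
      return false; // not a role ARN; outside the scope of this check
    }
  });
}

// Constructed sample: the first entry is the one quoted in the report above.
const sample: RoleMapping[] = [
  { rolearn: "arn:aws:iam::123456789012:role/service-role/AWSCloud9SSMAccessRole",
    username: "arn:aws:iam::123456789012:role/service-role/AWSCloud9SSMAccessRole",
    groups: ["system:masters"] },
  { rolearn: "arn:aws:iam::123456789012:role/NodeInstanceRole",
    username: "system:node:{{EC2PrivateDNSName}}",
    groups: ["system:bootstrappers", "system:nodes"] },
];
const fixed = findPathedMappings(sample).map((e) => toRoleMapping(e.rolearn, e.groups));
console.log(JSON.stringify(fixed));
```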
Top GitHub Comments
Worked great, thanks! Finally got Cloud9 to play nice with EKS without manual steps 😃
Nice, I’ll try that. I thought the ARN had to be valid for that method to work (it won’t be due to the missing path). Thanks!