aws-iam-authenticator
aws-iam-authenticator copied to clipboard
kubernetes-sigs
[Bug]: Authentication mode EKS API accepts yet ignores arn:aws:iam::111122223333:root
What happened?
In the EKS Web GUI's Access Tab, with Access configuration set to Authentication mode = EKS API and ConfigMap
I can add an IAM access entry of arn:aws:iam::111122223333:root and it'll be accepted as valid input, but ignored in practice.
What you expected to happen?
According to the AWS IAM Docs: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts
"Principal": { "AWS": "arn:aws:iam::111122223333:root" }
is equal to "Principal": { "AWS": "111122223333" }
(To translate into Plain-English, in this context root != root user, but the root(as in base) of the account, so it effectively means all identities in the account.)
Why it's significant: EKS's aws-auth configmap allowed IAM users, IAM roles, and AWS accounts (as in all IAM identities in the AWS account). EKS's Authentication mode of "EKS API" GUI & docs say it only allows IAM users & IAM roles. At first glance it looks like "EKS API" mode doesn't support AWS accounts
And if you try to use
"Principal": { "AWS": "111122223333" } in the EKS Web GUI's Access Tab, it'll fail input validation.
But the following (which IAM docs say is equivalent) will pass input validation:
"Principal": { "AWS": "arn:aws:iam::111122223333:root" }
Since EKS API is supposed to be a replacement of the deprecated aws-auth configmap AND the value passed input validation, it's reasonable for a user to think that the "EKS API" also supports all IAM identities in the AWS account under the assumption that it's a poorly documented feature.
Anything else we need to know?
I'm running EKS proper, it's my understanding that this open source code runs on EKS's managed masters.
Installation tooling
other (please specify in description)
AWS IAM Authenticator server Version
NA
Client information
- OS/arch: Mac (ARM)
- kubernetes client & version: 1.30
Client Version: v1.31.0
Kustomize Version: v5.4.2
Server Version: v1.30.7-eks-56e63d8
- authenticator client & version:
Kubernetes API Version
1.30
aws-iam-authenticator YAML manifest
No response
kube-apiserver YAML manifest
No response
aws-iam-authenticator logs
No response
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue as fresh with
/remove-lifecycle stale - Close this issue with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
This would be nice to have, as it'd make viewer access by default for all members of an AWS account easier to implement.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue as fresh with
/remove-lifecycle stale - Close this issue with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue as fresh with
/remove-lifecycle rotten - Close this issue with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Reopen this issue with
/reopen - Mark this issue as fresh with
/remove-lifecycle rotten - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".
In response to this:
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied- After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied- After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closedYou can:
- Reopen this issue with
/reopen- Mark this issue as fresh with
/remove-lifecycle rotten- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
