
aws eks update-kubeconfig does not support `external_id`

Open benderillo opened this issue 5 years ago • 11 comments

There is no way at the moment to specify external_id when calling aws eks update-kubeconfig.

It supports specifying role-arn for the case when the cluster was created with an assumed role. However, if the role has an extra condition like StringEquals | sts:ExternalId | test_account, there is no way to supply this info to aws eks update-kubeconfig.

It seems that the problem is even wider: I do not see support for external_id in aws-iam-authenticator token either.

Basically, here is the use case: we use terraform with an assumed role (that has an external_id condition set) to bring up the EKS cluster and worker nodes.

In order to finish the setup, we need to do kubectl apply of the ConfigMap with AWS Auth to let nodes join the cluster. To do so, we first need to prepare a .kubeconfig that will use the same role that terraform assumed to create the cluster.

Unfortunately, there is no way to specify external_id there, and attempts to execute kubectl apply fail with:

could not get token: AccessDenied: Access denied
	status code: 403, request id: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx

To sum up, this issue is a feature request to add the ability to specify external_id when providing role-arn to aws eks update-kubeconfig.

I am not sure how to go about highlighting the same problem to aws-iam-authenticator though.

benderillo avatar Apr 05 '19 11:04 benderillo
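The following is an added example and is not part of the issue above nor code from aws-cli or aws-iam-authenticator. It shows the pattern that sidesteps the missing `--external-id` option: assume the role yourself with `aws sts assume-role --external-id` (which does honour the `sts:ExternalId` condition), export the temporary credentials, and then run `aws eks update-kubeconfig` without `--role-arn`, so the token the authenticator produces is signed with the already-assumed credentials and no role assumption happens at `kubectl` time. `ROLE_ARN`, `EXTERNAL_ID`, `CLUSTER_NAME` and the sample credential line are placeholders I made up; the network call is off by default so the file can be sourced safely.

```shell
#!/bin/sh
# Added example (not from the issue or the aws-cli project): bootstrap a kubeconfig
# for an EKS cluster whose admin role carries an sts:ExternalId condition.
# Placeholder values; override them in the environment.
ROLE_ARN="${ROLE_ARN:-arn:aws:iam::111111111111:role/placeholder-eks-admin}"
EXTERNAL_ID="${EXTERNAL_ID:-placeholder-external-id}"
CLUSTER_NAME="${CLUSTER_NAME:-placeholder-cluster}"

# Turn one tab-separated line of
#   aws sts assume-role ... --output text \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
# into `export` statements for the caller to eval. Refuses partial output so a
# half-populated environment never silently falls back to the wrong identity.
creds_to_exports() {
  old_ifs=$IFS
  IFS=$(printf '\t')
  # shellcheck disable=SC2086  # intentional word splitting on tabs
  set -- $1
  IFS=$old_ifs
  if [ $# -ne 3 ]; then
    echo "unexpected assume-role output: expected 3 fields, got $#" >&2
    return 1
  fi
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$1"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$2"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$3"
}

# Network call: assume the role, supplying the external ID that the role's trust
# policy condition demands. Not executed by the offline test.
assume_with_external_id() {
  out=$(aws sts assume-role \
    --role-arn "$ROLE_ARN" \
    --role-session-name "eks-bootstrap-$$" \
    --external-id "$EXTERNAL_ID" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text) || return 1
  creds_to_exports "$out"
}

# Render the kubeconfig `users` stanza that `aws eks update-kubeconfig` writes
# when no --role-arn is given: the exec plugin just signs with whatever
# credentials are in the environment, so no ExternalId is needed at token time.
user_stanza() {
  cat <<EOF
users:
- name: $1
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws
      args: ["eks", "get-token", "--cluster-name", "$1"]
EOF
}

# Usage (performs network calls, so it is opt-in):
#   RUN_ASSUME_ROLE=1 . ./eks-bootstrap.sh
#   kubectl apply -f aws-auth-cm.yaml
if [ "${RUN_ASSUME_ROLE:-0}" = 1 ]; then
  eval "$(assume_with_external_id)" || exit 1
  aws eks update-kubeconfig --name "$CLUSTER_NAME"
fi
```

The credentials returned by `assume-role` expire (one hour by default), so the resulting kubeconfig only works for that window; for the one-off `kubectl apply` of the aws-auth ConfigMap described in the issue that is enough, and afterwards the usual `--role-arn` kubeconfig (or a fixed CLI) can take over.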