
Process Templated Entries in aws-auth configmap in Kubernetes Module

Open · shyammukund opened this issue 3 months ago · 1 comment

Issue: Right now the Kubernetes module (specifically the EKS functionality) only processes non-templated entries from the aws-auth map. Being able to process the templated entries would give much better coverage.

Description:

According to this aws-auth template there are three cases of templating for mapRoles:

  1. {{AccountID}}
  2. {{SessionName}}
  3. {{SessionNameRaw}}

  • For {{AccountID}}, just replace it with the AWS account ID that is in the rolearn.
  • If an AWS role maps to a username or group with {{SessionName}} or {{SessionNameRaw}}, we should map that AWS role to all Kubernetes groups or users in RoleBindings that could match the format of the username. Some regex is likely required here.

Relevant Links (optional):

Existing Kube Functionality

shyammukund avatar Aug 28 '25 18:08 shyammukund
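The matching logic the issue sketches, as an added example for this thread (it is not cartography code and does not reflect how the project implements the Kubernetes module). It assumes only the three placeholders named above, that `{{AccountID}}` is taken from the `rolearn`, and that a session placeholder can be any string STS accepts as a `RoleSessionName` (`[\w+=,.@-]{2,64}`, an assumption, since the caller of AssumeRole normally chooses it). The `mapRoles` entries and RoleBinding subjects are constructed sample data, and every function name here is hypothetical.

```python
import re
from typing import Dict, Iterable, List

# Added example, not cartography's code. Assumes the three placeholders from
# the issue; {{AccountID}} is substituted from the rolearn, the two session
# placeholders become a wildcard because the session name is caller-chosen.

ROLE_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)?:iam::(?P<account>\d{12}):role/(?P<name>.+)$"
)

# Assumption: a session name is whatever STS accepts for RoleSessionName.
# The same class is used for {{SessionName}} and {{SessionNameRaw}} here.
SESSION_RE = r"[\w+=,.@-]{2,64}"

PLACEHOLDER_RE = re.compile(r"\{\{(AccountID|SessionName|SessionNameRaw)\}\}")


def account_id_from_arn(rolearn: str) -> str:
    """Pull the 12-digit account id out of an IAM role ARN."""
    m = ROLE_ARN_RE.match(rolearn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {rolearn}")
    return m.group("account")


def is_templated(value: str) -> bool:
    """True when a username/group from mapRoles still carries a placeholder."""
    return PLACEHOLDER_RE.search(value) is not None


def template_to_regex(template: str, rolearn: str) -> "re.Pattern[str]":
    """Turn a mapRoles username or group template into an anchored regex.

    {{AccountID}} becomes the account id from rolearn (escaped literal),
    {{SessionName}} / {{SessionNameRaw}} become a session-name wildcard,
    and every other character is escaped so it only matches itself.
    A value with no placeholder therefore matches exactly one subject.
    """
    account = account_id_from_arn(rolearn)
    parts: List[str] = []
    pos = 0
    for m in PLACEHOLDER_RE.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        if m.group(1) == "AccountID":
            parts.append(re.escape(account))
        else:
            parts.append(f"(?:{SESSION_RE})")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def resolve_map_roles(
    map_roles: Iterable[dict], subjects: Iterable[str]
) -> Dict[str, List[str]]:
    """Map each rolearn to the RoleBinding subjects (users or groups) its
    username and groups could resolve to once the templates are expanded."""
    subject_list = list(subjects)
    out: Dict[str, List[str]] = {}
    for entry in map_roles:
        rolearn = entry["rolearn"]
        templates = [entry.get("username", "")] + list(entry.get("groups") or [])
        matched = set()
        for tmpl in templates:
            if not tmpl:
                continue
            rx = template_to_regex(tmpl, rolearn)
            matched.update(s for s in subject_list if rx.match(s))
        out[rolearn] = sorted(matched)
    return out


# Constructed sample: what the mapRoles list of an aws-auth configmap might
# hold after YAML parsing, and the subject names seen across RoleBindings.
SAMPLE_MAP_ROLES = [
    {"rolearn": "arn:aws:iam::123456789012:role/eks-admin",
     "username": "admin:{{SessionName}}", "groups": ["system:masters"]},
    {"rolearn": "arn:aws:iam::123456789012:role/developer",
     "username": "{{AccountID}}:{{SessionNameRaw}}",
     "groups": ["dev-{{AccountID}}"]},
    {"rolearn": "arn:aws:iam::123456789012:role/ci",
     "username": "ci-bot", "groups": ["ci"]},
]
SAMPLE_SUBJECTS = [
    "admin:alice", "admin:bob", "admin:", "adminx", "system:masters",
    "123456789012:carol@example.com", "999999999999:carol@example.com",
    "dev-123456789012", "ci-bot", "ci", "unrelated-user",
]


def demo() -> Dict[str, List[str]]:
    """Run the resolver over the constructed sample and return the mapping."""
    return resolve_map_roles(SAMPLE_MAP_ROLES, SAMPLE_SUBJECTS)


if __name__ == "__main__":
    for arn, subs in demo().items():
        print(arn, "->", subs)
```

Note that `admin:` and `adminx` do not resolve to the eks-admin role: the wildcard is anchored to the literal prefix and requires at least two session characters, and a subject in another account does not satisfy an expanded `{{AccountID}}`. Whether the session class should be narrower for the Identity Center case mentioned in the reply below is a policy choice the collector would have to make.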

Adding onto this, most roles can be assumed with an arbitrary session name. The exception here is roles created by AWS Identity Center in permission sets.

kunaals avatar Aug 28 '25 21:08 kunaals