
Not working for showing groups information

Open posquit0 opened this issue 2 years ago • 5 comments

Problem

It works when I try the kubectl whoami --all command against an AWS EKS cluster via the default aws-iam-authenticator authentication method.

It doesn't work when I try the kubectl whoami --all command against an AWS EKS cluster via a different OIDC Identity Provider authentication. In my case, I tried with the Okta OIDC identity provider. The output is the same as that of the kubectl whoami command.

posquit0 avatar Mar 11 '22 18:03 posquit0

Hi @posquit0

Thanks for reporting the issue.

Is it possible for you to please submit a PR for this? I don't have access to an EKS cluster setup.

Thanks, Rajat Jindal

rajatjindal avatar Apr 08 '22 07:04 rajatjindal

I just tried with the OneLogin OIDC provider + EKS, and it seems to have worked, showing me all the groups that I am part of.

Could you please try once more?

rajatjindal avatar Aug 01 '22 06:08 rajatjindal

Hi, thank you for following this issue. I'm so glad to hear that. I tried with v0.0.44, but it just gives the same output.

What is your configuration for users[].user.exec.command and users[].user.exec.args in .kube/config? I used the kubectl command and oidc-login args.

posquit0 avatar Aug 03 '22 17:08 posquit0

I am using a custom login plugin instead of oidc-login, but I don't think that matters. We make use of k8s API calls to fetch whoami info.

Could you please add some logging on your laptop and help submit a PR for this?

rajatjindal avatar Aug 21 '22 06:08 rajatjindal

I found a solution for a related issue,

In order for kubectl-whoami to show the ARN information for a user, it is required that the k8s role assigned to the user/group has this rule:

  - apiGroups: [ "authentication.k8s.io" ]
    resources: [ "tokenreviews" ]
    verbs: [ "create" ]

Without this rule within a ClusterRole assigned to that user, extracting the ARN is not possible.

Sorry if this isn't relevant, but I did see that both printing Groups and ARNs are within the same if condition. Anyways, @rajatjindal you might want to add that information in the README.md, maybe troubleshooting section?

asaf400 avatar Nov 30 '22 13:11 asaf400
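
The rule from the last comment, written out as a complete manifest with a binding. This is an added example, not taken from the thread or from the kubectl-whoami project; the names whoami-tokenreview and example-oidc-group are hypothetical placeholders, and the group name must match what your identity provider actually presents to the cluster.

```yaml
# Added example (not from the thread or the kubectl-whoami project).
# "whoami-tokenreview" and "example-oidc-group" are hypothetical placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: whoami-tokenreview
rules:
  # The single rule quoted in the comment above. TokenReview is a
  # cluster-scoped resource, so it is granted through a ClusterRole
  # and ClusterRoleBinding rather than a namespaced Role.
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: whoami-tokenreview
subjects:
  # Assumed subject: a group name as it appears in the user's identity
  # (including any prefix configured for the OIDC provider).
  - kind: Group
    name: example-oidc-group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: whoami-tokenreview
# Verify as the affected user after applying:
#   kubectl auth can-i create tokenreviews.authentication.k8s.io
```

Keeping the role limited to this one rule means that binding it to a broad group grants nothing beyond the ability to submit token reviews.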