Skip to content

Assume Role to find EKS cluster for config update #9364

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Assume Role to find EKS cluster for config update #9364

wants to merge 1 commit into from

Conversation

5nafu
Copy link

@5nafu 5nafu commented Mar 13, 2025

Issue #, if available: #8554

Description of changes:

This PR will assume a given role when trying to update the kubeconfig.

While aws eks update-kubeconfig --role-arn... would add the required parameters to the user section of the configfile, but will fail finding the cluster if the original profile does not have access. This PR will fix the issue and assume the role before getting the cluster description.

@5nafu
Assume Role to find EKS cluster for config update
0956156 
This commit will assume a given role when trying to update the
kubeconfig.

While `aws eks update-kubeconfig --role-arn...` would add the required
parameters to the user section of the configfile, but will fail finding
the cluster if the original profile does not have access.
This commit will fix the issue and assume the role before getting the
cluster description.

Fixes aws#8554
@ajaykumarmandapati ajaykumarmandapati mentioned this pull request Apr 10, 2025
Closed
@djtung
Copy link

djtung commented Apr 14, 2025

Hi, I'm on the team working on EKS at AWS. As I understand:

  1. The current documentation specifies that --role-arn is meant for "cluster authentication" (kubectl connection), not for the AWS CLI's cluster discovery process.
  2. This fix overloads the --role-arn parameter by using it for both:
    • AWS CLI cluster discovery
    • Kubernetes cluster authentication
  3. This change would be breaking for existing customers who may have tools/scripts relying on the current documented behaviour

Better would be to implement the suggestions from here, perhaps with the latter of providing another parameter so that the two roles can be clearly separated. If you're willing to make that change for adding a new parameter (and update the documentation), we'd be happy to approve it.

@sdomme sdomme mentioned this pull request Apr 15, 2025
Merged
@sdomme
Copy link
Contributor

sdomme commented Apr 15, 2025

HI @djtung, thank you very much for your feedback. We reworked this contribution in #9443 in favour to your suggestions. We confirmed with @5nafu, that this PR is superseded by the new request.
Please have a look. Thnaks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@5nafu @djtung @sdomme