aws eks get-token support external-id
Is your feature request related to a problem? Please describe.
There is no way to refer to an external ID while assuming a role with AWS CLI v2.
Describe the solution you'd like
I should be able to define the external ID like this:

```yaml
apiVersion: client.authentication.k8s.io/v1alpha1
command: aws
args:
  - --region
  - ap-southeast-2
  - eks
  - get-token
  - --cluster-name
  - myeks
  - --role-arn
  - <arn>
  - --external-id
  - 11111111
```
Describe alternatives you've considered
Disable external ID in the IAM role trust relationship policy.
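What the trust-policy side sees, as an added example that is not code from the issue, from aws-cli or from Terraform: a simplified simulation of how an sts:ExternalId condition evaluates the AssumeRole request that `aws eks get-token --role-arn` can send today (no ExternalId), the request the wrapper-script and profile workarounds send (ExternalId present), and what the "alternative considered" above (dropping the condition) gives up. The trust policy and account id are constructed placeholders, and only the StringEquals operator is modelled.

```python
import copy

# Constructed trust policy (placeholder account); the external ID value
# mirrors the issue's example.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "11111111"}},
    }],
}

def assume_role_request(external_id=None):
    """Request context as STS derives it: sts:ExternalId exists only when the
    caller sends ExternalId, which `aws eks get-token --role-arn` cannot do."""
    return {} if external_id is None else {"sts:ExternalId": external_id}

def _string_equals(expected, ctx):
    """Every listed key must be present in the request and match; a key that
    is absent from the request makes StringEquals false."""
    for key, wanted in expected.items():
        allowed = wanted if isinstance(wanted, list) else [wanted]
        if key not in ctx or ctx[key] not in allowed:
            return False
    return True

def assume_role_allowed(policy, ctx):
    """True if an Allow statement for sts:AssumeRole has all conditions met.
    Only StringEquals is modelled; any other operator fails closed."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        conds = stmt.get("Condition", {})
        if any(op != "StringEquals" for op in conds):
            continue  # unmodelled operator: treat as not satisfied
        if all(_string_equals(exp, ctx) for exp in conds.values()):
            return True
    return False

def without_external_id_condition(policy):
    """The issue's 'alternative considered': drop the condition. Every trusted
    principal can then assume the role with no external ID at all."""
    weakened = copy.deepcopy(policy)
    for stmt in weakened["Statement"]:
        stmt.get("Condition", {}).get("StringEquals", {}).pop("sts:ExternalId", None)
    return weakened
```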
Hi @vikas027 ,
Thanks for the feature request! I'll send this up to the eks team, as it would be an API change.
V499097604
was this ever implemented?
Hi @carlosrodf,
This has not been implemented yet, but I've just asked for an update from the EKS team in terms of prioritization. I'll let you know as soon as I receive an update.
@stobrien89 As far as I can tell there are no API changes needed. aws eks get-token just uses the normal STS AssumeRole API when --role-arn is passed. That API of course already supports an ExternalId parameter.
I ran into this today, so I've opened a PR (#6747) which implements this. It's just a case of adding a --external-id parameter and passing the value through to AssumeRole.
Any chance to get the PR #6747 reviewed?
Any update on this?
Any updates related to this issue and PR?
Yes, any update on this? I am also having this issue.
This would be very helpful when utilizing the Terraform Kubernetes provider via a role with an external ID constraint. Is this on the roadmap at this point?
We've been using it for more than a year for exactly that purpose. I'm not sure what I'm supposed to do to get the PR looked at / reviewed / merged so that it can be useful to others as well, though.
Without this we cannot use an external ID in the Terraform Kubernetes provider when assuming an IAM role. Extremely critical to have this from a security POV.
+1, using the Kubernetes / Helm provider in Terraform and cannot provide an external ID for a role. Using this in GitLab CI, we're using AWS profiles for now, but it's not ideal (security is yelling at me).
Being able to define an external ID for the aws eks get-token command would be great.
As already mentioned, it would be very helpful to be able to use it with the Terraform Kubernetes provider to automatically refresh the token. However, we need to use it in combination with an external ID.
As a workaround, I created a small wrapper script, which first uses the aws sts assume-role command to assume a role with an external ID. After that, it calls the actual aws command.
awsw wrapper bash script:
```bash
#!/usr/bin/env bash
# Abort if assume-role fails instead of running aws with empty credentials.
set -e

if [ -n "${ROLE_ARN}" ] && [ -n "${EXTERNAL_ID}" ]; then
  # Assume the role with the external ID and capture the three credential
  # fields as a bash array (text output is tab-separated on one line).
  CREDENTIALS=($(aws sts assume-role \
    --role-arn "${ROLE_ARN}" \
    --external-id "${EXTERNAL_ID}" \
    --role-session-name "gitlab-tf" \
    --query "[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]" \
    --output text))
  export AWS_ACCESS_KEY_ID="${CREDENTIALS[0]}"
  export AWS_SECRET_ACCESS_KEY="${CREDENTIALS[1]}"
  export AWS_SESSION_TOKEN="${CREDENTIALS[2]}"
  # Drop any profile so the temporary credentials above take precedence.
  unset AWS_PROFILE
  unset AWS_SESSION_PROFILE
fi

# Run the real aws command (e.g. eks get-token) with the assumed-role credentials.
aws "$@"
```
With this awsw wrapper script it was possible to get a token with an external ID for the Terraform Kubernetes provider.

```hcl
provider "kubernetes" {
  host                   = data.aws_eks_cluster.cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    args        = ["eks", "get-token", "--cluster-name", var.eks_cluster_id]
    command     = "${path.module}/awsw"
  }
}
```
However, it is just a workaround, and it would be much easier if it were possible to specify an additional --external-id parameter for the aws eks get-token command.
There's a simpler workaround available:
Use the standard SDK auth mechanisms instead of this CLI-exclusive feature.
ExternalID and other more-complex parameters for sts:AssumeRole are already exposed via the "profiles" feature of the AWS SDK. Rather than writing a one-off script, you could configure your execution environment to contain an AWS SDK config file with your relevant profiles.
For example, you could solve the external ID problem by creating this file at /path/to/aws/config:
```ini
[profile my-eks-cluster]
region = us-east-1
role_arn = <ROLE_ARN>
external_id = <EXTERNAL_ID>
credential_source = Ec2InstanceMetadata
```
This example assumes that your execution environment is an EC2 instance, but you can also configure the profile to use SSO or static credentials.
Once you have that config file in place, you can configure any software built upon an AWS SDK to use that profile by specifying the environment variables AWS_CONFIG_FILE=/path/to/aws/config and AWS_PROFILE=my-eks-cluster. If you want to reuse the same terraform config to manage multiple deployments, you only need to update those 2 environment variables. If you want to use multiple instances of the same provider to connect to different accounts/regions within a single root module, you can create additional profiles in your AWS config and then reference those inside your terraform provider blocks.