
assume-role-arn should use auto-detect

Open derrickburns opened this issue 6 years ago • 6 comments

The only place I need to provide my account info is to provide an assume-role-arn. Can you use the auto-detect feature that identifies the prefix to also provide the prefix for assume-role-arn?

One backward compatible way would be to detect if assume-role-arn is a complete arn or simply a role name. If the latter and the auto-detect feature is on, then create the complete arn from the auto-detected prefix and the role name.

derrickburns avatar Jul 22 '19 17:07 derrickburns
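The completion rule proposed above, written out as a small Go function. This is an added example, not kiam's own code (kiam's real resolver lives in pkg/aws/sts and has its own API); the function name resolveAssumeRoleARN and the base ARN format "arn:aws:iam::ACCOUNT:role/" are assumptions. It also covers the failure mode a practitioner would want caught: a bare role name with no base ARN to complete it is rejected up front instead of being passed to STS, which otherwise surfaces later as an AccessDenied on a resource that is not even an ARN.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// resolveAssumeRoleARN completes the server's assume-role reference.
//   - a value that already looks like a complete ARN is returned unchanged
//     (backward compatible with --assume-role-arn=arn:aws:iam::...:role/Name)
//   - a bare role name is joined onto the auto-detected base ARN
//     (e.g. "arn:aws:iam::123456789012:role/"), as the issue proposes
//   - a bare role name with no base ARN available is an error, so a
//     misconfiguration fails at startup rather than at the first STS call
// Hypothetical helper, not kiam's arnResolver.
func resolveAssumeRoleARN(baseARN, value string) (string, error) {
	value = strings.TrimSpace(value)
	if value == "" {
		return "", errors.New("assume-role-arn is empty")
	}

	// A complete ARN starts with "arn:" and has six colon-separated fields:
	// arn:partition:service:region:account:resource
	if strings.HasPrefix(value, "arn:") {
		if len(strings.SplitN(value, ":", 6)) < 6 {
			return "", fmt.Errorf("malformed ARN %q", value)
		}
		return value, nil
	}

	// Bare role name: only completable when auto-detect supplied a base ARN.
	if baseARN == "" {
		return "", fmt.Errorf("%q is a role name but no base ARN is available to complete it (is --role-base-arn-autodetect on?)", value)
	}
	if !strings.HasSuffix(baseARN, "/") {
		baseARN += "/"
	}
	return baseARN + strings.TrimPrefix(value, "/"), nil
}

func main() {
	// Constructed sample values; the account id is a placeholder.
	const base = "arn:aws:iam::123456789012:role/"
	for _, v := range []string{
		"IAMManager-Role",
		"arn:aws:iam::123456789012:role/IAMManager-Role",
		"",
	} {
		arn, err := resolveAssumeRoleARN(base, v)
		fmt.Printf("%q -> %q (err=%v)\n", v, arn, err)
	}
	// With auto-detect off, a bare name cannot be completed.
	_, err := resolveAssumeRoleARN("", "IAMManager-Role")
	fmt.Println("no base ARN:", err)
}
```

Plugging this in at the point where the server parses --assume-role-arn means the value in the log above ("z2h2q-IAMManager-Role") would either be completed to a full ARN or refused before any credentials are requested.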

This would be a great feature.

cyrus-mc avatar Jul 24 '19 21:07 cyrus-mc

Was this resolved by #276? As in, I can use either a RoleARN or a RoleName for the value in the annotation?

josegonzalez avatar Feb 11 '20 20:02 josegonzalez

We have just faced this issue in kiam:4.0

As you can see in the server logs, the ARN is autocompleted for the requested role by the pod (z2h2q-Route53Manager-Role) but it's not autocompleted for the role that the server has to assume (z2h2q-IAMManager-Role).

{"level":"error","msg":"error requesting credentials: AccessDenied: User: arn:aws:sts::999999999999:assumed-role/gs-cluster-z2h2q-role-tccpn/i-038e8e95d771c82ad is not authorized to perform: sts:AssumeRole on resource: z2h2q-IAMManager-Role\n\tstatus code: 403, request id: f5e0a631-c0cb-4a9c-beaa-580a24ef96ac","pod.iam.role":{"Name":"z2h2q-Route53Manager-Role","ARN":"arn:aws:iam::999999999999:role/z2h2q-Route53Manager-Role"},"pod.iam.roleArn":"arn:aws:iam::999999999999:role/z2h2q-Route53Manager-Role","time":"2021-01-12T16:40:19Z"}
{"generation.metadata":0,"level":"error","msg":"error warming credentials: AccessDenied: User: arn:aws:sts::999999999999:assumed-role/gs-cluster-z2h2q-role-tccpn/i-038e8e95d771c82ad is not authorized to perform: sts:AssumeRole on resource: z2h2q-IAMManager-Role\n\tstatus code: 403, request id: f5e0a631-c0cb-4a9c-beaa-580a24ef96ac","pod.iam.role":"z2h2q-Route53Manager-Role","pod.name":"external-dns-67ddc97ccd-drg9f","pod.namespace":"kube-system","pod.status.ip":"10.2.41.94","pod.status.phase":"Running","resource.version":"10056","time":"2021-01-12T16:40:19Z"}

These are the server parameters we use for release 3.X, and if we put the full ARN it works perfectly:

containers:
  - args:
    - --json-log
    - --level=info
    - --bind=0.0.0.0:6443
    - --cert=/etc/kiam/tls/tls.crt
    - --key=/etc/kiam/tls/tls.key
    - --ca=/etc/kiam/tls/ca.crt
    - --role-base-arn-autodetect
    - --assume-role-arn=z2h2q-IAMManager-Role
    - --session-duration=15m
    - --sync=1m
    - --prometheus-listen-addr=0.0.0.0:9620
    - --prometheus-sync-interval=5s
    - --region=eu-west-1

Is this expected and we need to provide the full ARN now, or maybe we have something misconfigured in the new release?

Thank you very much!

paurosello avatar Jan 12 '21 16:01 paurosello

Shouldn't the arnResolver also be added to the credentialsCache inside DefaultCache, https://github.com/uswitch/kiam/blob/v4.0/pkg/aws/sts/cache.go#L28? In v3.6 it was added, but now it's not used anymore while the field still exists; this seems wrong to me.

njuettner avatar Jan 12 '21 17:01 njuettner

@pingles any idea on https://github.com/uswitch/kiam/issues/271#issuecomment-758794854 ?

njuettner avatar Jan 13 '21 09:01 njuettner

Opened a PR #459

njuettner avatar Jan 14 '21 16:01 njuettner