feat: tool will inject worker node's IAM role to aws-auth configMap a…

…utomatically if it is not defined explictly (#77)
justinas-b · Nov 23, 2023 · 15f9bec · 15f9bec
1 parent a17823b
commit 15f9bec
Show file tree

Hide file tree

Showing 7 changed files with 218 additions and 138 deletions.
diff --git a/.env b/.env
@@ -1 +1,2 @@
-AWS_PROFILE="name-of-aws-profile-to-use-when-debugging"
+AWS_PROFILE=""
+IAM_ROLE=""
diff --git a/README.md b/README.md
@@ -96,6 +96,16 @@ data:
     []
 ```
 
+To make sure EKS cluster may continue to function, if below map is not provided explicitly for kubernetes worker nodes,
+tool will read the ARN of IAM Role which is used by worker nodes from Instance Metadata Service (IMDS) and will inject
+it automatically:
+```yaml
+- groups:
+  - system:bootstrappers
+  - system:nodes
+  rolearn: arn:aws:iam::111122223333:role/my-node-role
+  username: system:node:{{EC2PrivateDNSName}}
+```
 
 The tool will process `aws-auth` ConfigMap from it's local kubernetes namespace and transform it to the format AWS EKS cluster expects. After processing ConfigMap, it's output is saved `kube-system` namespace where PermissionSet's name is translated to corresponding role ARN, meaning `"permissionset": AdminRole"` line will become `"rolearn": "arn:aws:iam::000000000000:role/AWSReservedSSO_AdminRole_0123456789abcdef"`
 

diff --git a/aws.go b/aws.go
@@ -3,13 +3,15 @@ package main
 import (
 	"context"
 	"fmt"
+	"io"
 	"regexp"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
 	"github.com/aws/aws-sdk-go-v2/service/iam"
-	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"github.com/aws/aws-sdk-go-v2/service/iam/types"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"go.uber.org/zap"
 	"golang.org/x/exp/slices"
 )
@@ -44,7 +46,7 @@ func listSSORoles() ([]types.Role, error) {
 		logger.Fatal("Unable to load SDK config, %v", zap.Error(err))
 	}
 	client := iam.NewFromConfig(cfg)
-	
+
 	// Create a list roles request
 	params := &iam.ListRolesInput{
 		MaxItems:   aws.Int32(10),
@@ -65,7 +67,7 @@ func listSSORoles() ([]types.Role, error) {
 		logger.Debug(fmt.Sprintf("Paginating through IAM Roles (page %d)...", (pageNum + 1)))
 		output, err := paginator.NextPage(context.TODO())
 		if err != nil {
-			logger.Error("Error ocured while paginating through roles", zap.Error(err))
+			logger.Error("Error occurred while paginating through roles", zap.Error(err))
 			return roles, err
 		}
 		roles = append(roles, output.Roles...)
@@ -120,13 +122,13 @@ func removePathFromRoleARN(arn string, path string) string {
 
 // Get AWS account ID
 func getAccountId() (string, error) {
-        logger.Debug("Reading AWS Account ID...")
-        
+	logger.Debug("Reading AWS Account ID...")
+
 	cfg, err := getAWSClientConfig()
 	if err != nil {
 		logger.Fatal("Unable to load SDK config, %v", zap.Error(err))
 	}
-	
+
 	client := sts.NewFromConfig(cfg)
 	if err != nil {
 		logger.Fatal("Unable to load SDK config, %v", zap.Error(err))
@@ -138,7 +140,27 @@ func getAccountId() (string, error) {
 		return "", err
 	}
 
-        logger.Debug(fmt.Sprintf("Retrievied %s as AWS Account ID", *req.Account))
-	
+	logger.Debug(fmt.Sprintf("Retrievied %s as AWS Account ID", *req.Account))
+
 	return *req.Account, nil
 }
+
+func getInstanceRole() string {
+	cfg, err := getAWSClientConfig()
+	if err != nil {
+		logger.Fatal("Unable to load SDK config, %v", zap.Error(err))
+	}
+
+	client := imds.NewFromConfig(cfg)
+	response, err := client.GetMetadata(context.TODO(), &imds.GetMetadataInput{Path: "iam/security-credentials"})
+	if err != nil {
+		logger.Fatal("Unable to retrieve the private IP address from the EC2 instance: %v", zap.Error(err))
+	}
+
+	role, err := io.ReadAll(response.Content)
+	if err != nil {
+		logger.Fatal("Unable to read role name from response: %v", zap.Error(err))
+	}
+
+	return string(role)
+}
diff --git a/go.mod b/go.mod
@@ -3,43 +3,43 @@ module github.com/justinas-b/aws-iam-authenticator-sso-wrapper
 go 1.21
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.22.2
-	github.com/aws/aws-sdk-go-v2/config v1.22.3
-	github.com/aws/aws-sdk-go-v2/service/iam v1.27.1
-	github.com/aws/aws-sdk-go-v2/service/sts v1.25.1
+	github.com/aws/aws-sdk-go-v2 v1.23.1
+	github.com/aws/aws-sdk-go-v2/config v1.25.5
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.5
+	github.com/aws/aws-sdk-go-v2/service/iam v1.27.3
+	github.com/aws/aws-sdk-go-v2/service/sts v1.25.4
 	go.uber.org/zap v1.26.0
-	golang.org/x/exp v0.0.0-20230905200255-921286631fa9
+	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
 	gopkg.in/yaml.v2 v2.4.0
-	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.28.3
-	k8s.io/apimachinery v0.28.3
-	k8s.io/client-go v0.28.2
+	k8s.io/api v0.28.4
+	k8s.io/apimachinery v0.28.4
+	k8s.io/client-go v0.28.4
 )
 
 require (
-	github.com/aws/aws-sdk-go-v2/credentials v1.15.2 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.5.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.17.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.19.1 // indirect
-	github.com/aws/smithy-go v1.16.0 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.16.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.17.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.20.1 // indirect
+	github.com/aws/smithy-go v1.17.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
-	github.com/go-logr/logr v1.2.4 // indirect
-	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-openapi/jsonpointer v0.20.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-openapi/swag v0.22.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/imdario/mergo v0.3.6 // indirect
+	github.com/google/uuid v1.4.0 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -48,20 +48,21 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	go.uber.org/multierr v1.10.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/oauth2 v0.8.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/term v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.30.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/net v0.18.0 // indirect
+	golang.org/x/oauth2 v0.14.0 // indirect
+	golang.org/x/sys v0.14.0 // indirect
+	golang.org/x/term v0.14.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.4.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	k8s.io/klog/v2 v2.100.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
-	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/klog/v2 v2.110.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20231113174909-778a5567bc1e // indirect
+	k8s.io/utils v0.0.0-20231121161247-cf03d44ff3cf // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )