User Pools are easy to set up without any worries about standing up server infrastructure.
Cognito User Pools provide a secure user directory that scales to millions of users. In this post, we’ll use Amazon Cognito as our OIDC compatible identity provider. This feature will help you use existing user management workflows in OIDC IDP to use Amazon EKS. Many development teams don’t have administrative access to AWS, and creating an IAM user or role for each developer can be a time consuming task that doesn’t scale well. As EKS adoption has grown to include customers of all sizes and technical capabilities, we learned from your feedback that if your organization has an existing identity management system, you would prefer to use your own OIDC identity provider instead of using AWS IAM for Amazon EKS ( AWS containers roadmap issue #166). When we launched Amazon EKS in 2018, we included native support for AWS IAM users and roles as entities that can authenticate against a cluster, removing the burden from cluster administrators of having to maintain a separate identity provider to manage users. See OpenID Certification for a list of certified providers. You can use an existing public OIDC identity provider, or you can run your own identity provider. It adds a thin layer that sits on top of OAuth 2.0 that adds login and profile information about the identity who is logged in. OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications.
With this feature, you can manage user access to your cluster by leveraging existing identity management life cycle through your OIDC identity provider. The OIDC IDP can be used as an alternative to, or along with AWS Identity and Access Management (IAM). This feature allows customers to integrate an OIDC identity provider with a new or existing Amazon EKS cluster running Kubernetes version 1.16 or later. Kubeconfig possible api versions: v1beta1Īuth plugin: aws-iam-authenticator version >=0.5.Today, we introduced user authentication for Amazon EKS clusters from an OpenID Connect (OIDC) Identity Provider (IDP). Possible auth plugins: aws-iam-authenticator The API version which is listed in your kubeconfig.The auth plugin you are using in your kubeconfig and its version.Auth plugin aws-iam-authenticator version =v0.5.4 uses /v1beta1īased on our conditions, there are 3 variables at play and their combination can either make or break your pipeline.Auth plugin aws eks get-token uses only /v1alpha1 currently.If kubectl is of version 1.24 or higher, it does not support /v1alpha1.There are currently 3 versions of : /v1alpha1, /v1beta1 and /v1 The API version which is listed in the kubeconfig.The API version returned by the auth plugin.
There are 2 API versions (the versions to use when decoding the ExecCredentials resource) which need to match. kubectl has to support the API version to use when decoding the ExecCredentials resourceī. If you just want to see all possible options, skip to 'Summary of all possible options' (all options are made possible by Patch-2 for kubectl version ENV #20 and are now supported by this action, so if you agree this issue can be successfully closed)Ī.To whomever stumbles upon this issue and is still confused about what to do
#AWS IAM AUTHENTICATOR INSTALL#
The alternative of course will be to explicitly install kubectl with a lower version than 1.24 This is why I proposed #19 where the aws-iam-authenticator is updated to 0.5.7 to be able to use this action with new versions of kubectl via aws-iam-authenticator. This action uses aws-iam-authenticator version 0.5.3, which outputs ExecCredentials with apiVersion /v1alpha1, and so it means that this github action is currently broken unless I am missing something. This means that unfortunately the easiest way of automatically generating the kubeconfig file used by this action via aws eks update-kubeconfig will not work because it always outputs ExecCredentials with apiVersion /v1alpha1 (tested with aws-cli 2.6.1).Īs previously discussed, we are left with aws-iam-authenticator version 0.5.5 and up which outputs ExecCredentials with apiVersion /v1beta1. Thank you for bringing up the fact that kubectl version 1.24 is the root cause of the problem because it does not support /v1alpha1 (I tested it and confirmed).
0 kommentar(er)
