-
Notifications
You must be signed in to change notification settings - Fork 423
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error matching iam role when role uses a path #98
Comments
Thanks @scyellleader. Under the hood this is how the ARNs work the We don't have specificity on the STS side to validate a specific prefix cause they can be anything. |
This looks like a bug with role arns involving paths when mapping the assumed-role -> role. The code is only taking the first part after assumed-role. This should probably by https://github.com/heptio/authenticator/blob/master/pkg/arn/arn.go#L42 |
@mattlandis yes, that looks correct to me. You just need to drop the first and last index for the parts array to be left with the full path and role. That should also cover if the path has multiple slashes. Thanks for finding the bug! |
This cost me about a day's worth of work when trying to configure Codebuild to run commands on an EKS cluster. To allow a role to access a kubernetes cluster on EKS, you need to pass a I'm sure there's some history to why this is the case, but to my mind this is an unacceptable bug and, if nothing else, deserves to be documented very clearly in multiple places, especially in IAM docs. |
I agree with @MarkPare , I had inverted 2 days deploying a EKS cluster in Landing Zone without success and the problem was my instances roles had a path in the ARN. In my comnpany this is a requirement because we group our IAM Roles in path for security reasons. Regards |
I wasted about a week on this bug. |
Aaaaand I just found this out. Good 48 hours spent on this. 🤦♂ Is the correct approach here to put the roles in the |
Yes, you can just remove the path in the ConfigMap and it will all work as expected. |
I wasted few hours when moved a cluster from non path to path based role. stumbled upon this thread....Thanks |
Sam here. Just lost 6 hours to this inconsistency :( |
I'm having a problem getting the iam roles to match when the assumed role contains a path.
Non Working ConfigMap:
Working ConfigMap:
As you can see from the non-working and working comparison I have to trim out the iam path to get the authentication to work. (arn:aws:iam::000000000000:role/roles/SomeRole vs arn:aws:iam::000000000000:role/SomeRole) Technically on AWS side the arn with the trimmed path is not the same role.
The text was updated successfully, but these errors were encountered: