[FEATURE] Granting access to AWS SSO Users. Terraform Cloud/Enterprise #416

Closed · ZeroDeth opened this issue Apr 15, 2022 · 3 comments

Comments


ZeroDeth commented Apr 15, 2022

Is your feature request related to a problem? Please describe

I'm looking for a way to use the kubernetes provider to update aws-auth.

Normally, when an EKS cluster is created, only the users who have access to the cluster can view information in the EKS console. But if we provide the default Kubernetes "view" cluster role, it will not provide visibility into all the information that can be viewed from the AWS EKS console.

AWS SSO uses AWS IAM roles to federate access to the AWS console for SSO users. Therefore, to provide access to AWS SSO users, we need to grant access to the respective AWS SSO role created in AWS IAM. The roles are mapped under the "mapRoles" section of the aws-auth ConfigMap.

Just using the AWS SSO role ARN is not working; it deviates from the standard AWS IAM role ARN format. When authenticating AWS IAM roles against Kubernetes RBAC via aws-iam-authenticator, it only considers the standard role ARN format.

Describe the solution you'd like

TF Cloud means that the cluster is created via a role that is assumed by the TF Cloud workspace. These TF Cloud instances are very limited: they do not contain anything besides Terraform, there is no kubectl, awscli or shell present, and I can't add it.

How can I patch aws-auth using the kubernetes provider?

Describe alternatives you've considered

A Terraform module to manage cluster authentication (aws-auth) for an Elastic Kubernetes Service (EKS) cluster on AWS.
The terraform-aws-modules/eks/aws v18.20.0 release has brought back support for the aws-auth ConfigMap!

Additional context

Useful Links:

Using Terraform version 1.1.7 with Terraform Cloud and deploying AWS Control Tower Account Factory for Terraform (AFT).

  • TFC workspace error:

    Error: Unauthorized
      with module.eks_0.kubernetes_config_map.aws_auth[0]
      on terraform/modules/eks_0/aws-auth-configmap.tf line 1, in resource "kubernetes_config_map" "aws_auth":

    resource "kubernetes_config_map" "aws_auth" {

Hint: Running from the CLI works fine.
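As an added example (not code from this issue, and not the aws-ia/terraform-aws-eks-blueprints or terraform-aws-modules/eks module), the following Terraform configuration shows one way to manage aws-auth from a Terraform Cloud worker that has no aws CLI or kubectl: the kubernetes provider is authenticated with a token minted by the `aws_eks_cluster_auth` data source of the AWS provider (so no `exec` plugin is needed), and the mapRoles entries are written with `kubernetes_config_map_v1_data`, which takes over the existing ConfigMap rather than trying to create it. The variable names (`cluster_name`, `node_role_arn`, `sso_admin_role_arn`) and the `cluster-admin:{{SessionName}}` username are assumptions for illustration. The one point the issue's "AWS SSO role ARN is not working" hints at is handled in `locals`: aws-iam-authenticator matches role ARNs without the IAM path, so an SSO permission-set role of the form `arn:aws:iam::<account>:role/aws-reserved/sso.amazonaws.com/<name>` has to appear in mapRoles as `arn:aws:iam::<account>:role/<name>`.

```hcl
# Added example, not from the issue or from any EKS Terraform module.
# Assumes: an existing EKS cluster (var.cluster_name) created by the role the
# Terraform Cloud workspace assumes, an already-configured aws provider, and
# hashicorp/kubernetes >= 2.10 (kubernetes_config_map_v1_data).

variable "cluster_name" {
  type = string
}

# Hypothetical inputs: the node-group instance role and the AWS SSO
# permission-set role (the latter carries an IAM path, see locals below).
variable "node_role_arn" {
  type = string
}

variable "sso_admin_role_arn" {
  type = string
  # e.g. arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdminAccess_0123456789abcdef
}

data "aws_eks_cluster" "this" {
  name = var.cluster_name
}

# Short-lived bearer token produced by the AWS provider itself, so the worker
# needs neither the aws CLI nor aws-iam-authenticator on PATH.
data "aws_eks_cluster_auth" "this" {
  name = var.cluster_name
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.this.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
  token                  = data.aws_eks_cluster_auth.this.token
}

locals {
  # Strip the IAM path: keep the "arn:aws:iam::<account>:role" prefix and the
  # final role name, dropping "aws-reserved/sso.amazonaws.com" in between.
  # aws-iam-authenticator only matches the path-less form in mapRoles.
  sso_arn_parts              = split("/", var.sso_admin_role_arn)
  sso_admin_role_arn_no_path = "${local.sso_arn_parts[0]}/${local.sso_arn_parts[length(local.sso_arn_parts) - 1]}"
}

# EKS creates kube-system/aws-auth when the first managed node group joins, so
# this resource patches the data keys of that ConfigMap instead of creating it.
resource "kubernetes_config_map_v1_data" "aws_auth" {
  metadata {
    name      = "aws-auth"
    namespace = "kube-system"
  }

  # Take over the mapRoles field even if another manager (e.g. eksctl or a
  # previous apply) currently owns it.
  force = true

  data = {
    mapRoles = yamlencode([
      {
        rolearn  = var.node_role_arn
        username = "system:node:{{EC2PrivateDNSName}}"
        groups   = ["system:bootstrappers", "system:nodes"]
      },
      {
        # Path-less SSO role ARN; every session of the permission set maps to
        # cluster-admin:<SessionName>, which lands in system:masters.
        rolearn  = local.sso_admin_role_arn_no_path
        username = "cluster-admin:{{SessionName}}"
        groups   = ["system:masters"]
      },
    ])
  }
}
```

Two checks worth running after `apply`: `kubectl -n kube-system get configmap aws-auth -o yaml` from a machine that does have kubectl, to confirm the role ARN has no path; and an `aws sts get-caller-identity` with the SSO session, whose `Arn` will be an assumed-role ARN (`arn:aws:sts::<account>:assumed-role/AWSReservedSSO_…/<session>`) that the authenticator canonicalises to the same path-less role. Note that granting `system:masters` to a permission set makes every user assigned that set a cluster admin; for anything beyond a break-glass role, map to a narrower group bound by your own ClusterRoleBinding.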


ZeroDeth commented Apr 15, 2022

Mapping the role of AFT (Account Factory for Terraform) is working fine, plus using the open PR "KMS - Additional key admins support #414" ... Please merge!

  mapRoles: |
    - "groups":
      - "system:bootstrappers"
      - "system:nodes"
      "rolearn": "arn:aws:iam::xxxxxxxxxx:role/b7h-tst-01-eks-spot-m5"
      "username": "system:node:{{EC2PrivateDNSName}}"
    - "groups":
      - "system:masters"
      "rolearn": "arn:aws:iam::xxxxxxx:role/AWSAFTExecution"
      "username": "cluster-admin:{{SessionName}}"

askulkarni2 added the labels "feature", "enhancement (New feature or request)" and "upstream issue", then removed the same labels, Apr 15, 2022.

askulkarni2 (Contributor) commented

Hi @ZeroDeth, #414 has been merged.

We have support for patching aws-auth Configmap. Please see https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/docs/node-groups.md#additional-iam-roles-users-and-accounts.

Additionally I would also recommend leveraging our Teams feature which lets you configure a PlatformTeam IAM role with admin privileges and ApplicationTeam roles with least privilege access to a dedicated namespace.

I would also recommend adding a +1 to aws/containers-roadmap#185.

Please let us know if these meet your requirements or if you need any additional information.

ZeroDeth (Author) commented

Awesome. Thanks @askulkarni2
