diff --git a/Gopkg.lock b/Gopkg.lock index c7e79ebc8e..26ee13dd89 100644 --- a/Gopkg.lock +++ b/Gopkg.lock @@ -147,8 +147,8 @@ "pkg/server", "pkg/token" ] - revision = "8c9b1bda7458aea47cd1917534f2222f80627c58" - version = "v0.3.0" + revision = "d9bfef19b2b89518465d4fd0bc9a75bd4a8b715e" + source = "github.com/heptio/aws-iam-authenticator" [[projects]] branch = "master" @@ -544,6 +544,6 @@ [solve-meta] analyzer-name = "dep" analyzer-version = 1 - inputs-digest = "9e6c54d783f10a30d4deb94f571e33e30cb2ebc55579db7932843651893d1483" + inputs-digest = "89cc0e2122796aeec35b7e0fcbd2a828819a8d950a7448d7d48e95e3028410a3" solver-name = "gps-cdcl" solver-version = 1 diff --git a/Gopkg.toml b/Gopkg.toml index c6e5c7704b..98e7921b3c 100644 --- a/Gopkg.toml +++ b/Gopkg.toml @@ -34,9 +34,10 @@ required = [ name = "k8s.io/kops" version = "1.9.1" -[[constraint]] - version = "v0.3.0" +[[override]] name = "github.com/heptio/authenticator" + source = "github.com/heptio/aws-iam-authenticator" + revision = "d9bfef19b2b89518465d4fd0bc9a75bd4a8b715e" [[constraint]] name = "k8s.io/client-go" diff --git a/pkg/eks/auth.go b/pkg/eks/auth.go index 4f09eb0aef..754ce6769c 100644 --- a/pkg/eks/auth.go +++ b/pkg/eks/auth.go @@ -10,6 +10,7 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/ec2" + "github.com/aws/aws-sdk-go/service/sts" "github.com/heptio/authenticator/pkg/token" "github.com/kubicorn/kubicorn/pkg/logger" @@ -78,6 +79,7 @@ type ClientConfig struct { Client *clientcmdapi.Config Cluster *ClusterConfig roleARN string + sts *sts.STS } // based on "k8s.io/kubernetes/cmd/kubeadm/app/util/kubeconfig" 
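Review bot: The new `[[override]]` replaces a tagged release (`v0.3.0`) with an unreleased commit from a renamed repository, and nothing in the manifest says why, so a later cleanup can easily "fix" it back to a version and silently drop whatever this commit needs. Suggest a comment directly above `[[override]]`: `# heptio/authenticator moved to heptio/aws-iam-authenticator; pinned to an unreleased commit that adds Generator.GetWithSTS`. Note also that an override in dep applies to the whole dependency graph and silences any constraint another package places on this import path; if nothing else in the graph depends on it, a `[[constraint]]` carrying the same `source` and `revision` would pin it just as firmly without that side effect. Pinning to a full commit hash rather than a branch is the right call for supply-chain reasons and should stay.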
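Review bot: The new `sts *sts.STS` field on `ClientConfig` has no comment saying who is expected to populate it or what a nil value means, which matters because the struct is exported while the field is not, so anything that builds a `ClientConfig` outside the package cannot set it. Suggest `// sts is the STS client whose credentials are used to mint cluster tokens; populated by NewClientConfig, must be non-nil before WithEmbeddedToken is called.` It is presumably also worth stating that the field name intentionally shadows nothing (a struct field named `sts` does not hide the `sts` package in method bodies), since `sts *sts.STS` reads as if it might. The `type ClientConfig struct {` line itself is outside this hunk.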
@@ -107,14 +109,15 @@ func (c *ClusterProvider) NewClientConfig() (*ClientConfig, error) { CurrentContext: contextName, }, roleARN: c.svc.arn, + sts: c.svc.sts, } return clientConfig, nil } func (c *ClientConfig) WithExecHeptioAuthenticator() *ClientConfig { - clientConfigCopy := *c + x := clientConfigCopy.Client.AuthInfos[c.Client.CurrentContext] x.Exec = &clientcmdapi.ExecConfig{ APIVersion: "client.authentication.k8s.io/v1alpha1", @@ -141,14 +144,7 @@ func (c *ClientConfig) WithEmbeddedToken() (*ClientConfig, error) { return nil, errors.Wrap(err, "could not get token generator") } - // could not get token: AccessDenied: User is not authorized to perform: sts:AssumeRole on resource: - /* - tok, err := gen.GetWithRole(c.Cluster.ClusterName, c.roleARN) - if err != nil { - return nil, errors.Wrap(err, "could not get token") - } - */ - tok, err := gen.Get(c.Cluster.ClusterName) + tok, err := gen.GetWithSTS(c.Cluster.ClusterName, c.sts) if err != nil { return nil, errors.Wrap(err, "could not get token") } diff --git a/vendor/github.com/heptio/authenticator/pkg/token/token.go b/vendor/github.com/heptio/authenticator/pkg/token/token.go index b90e5c84c2..9924382162 100644 --- a/vendor/github.com/heptio/authenticator/pkg/token/token.go +++ b/vendor/github.com/heptio/authenticator/pkg/token/token.go 
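Review bot: As shown, the `WithExecHeptioAuthenticator` part of this hunk removes `clientConfigCopy := *c` and the added line that replaces it appears empty, yet the following context line still reads `x := clientConfigCopy.Client.AuthInfos[c.Client.CurrentContext]`; if that is really what the patch does it cannot compile, so either the added line was lost in extraction or `clientConfigCopy := *c` needs to be restored. Independently, that copy is shallow: `Client` is a `*clientcmdapi.Config`, so `x.Exec = &clientcmdapi.ExecConfig{...}` mutates the `AuthInfo` shared with the receiver rather than a private copy; if isolation was intended, deep-copy the config first (the vendored client-go may provide a generated `DeepCopy` on `Config` — confirm) and add a comment stating that the receiver is or is not modified. The new `sts: c.svc.sts,` line itself is fine, though `NewClientConfig` could reject a nil `c.svc.sts` up front so the failure surfaces here rather than at token time. `WithExecHeptioAuthenticator` continues past the end of this hunk.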
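Review bot: `gen.GetWithSTS(c.Cluster.ClusterName, c.sts)` assumes `c.sts` has been populated, but a `ClientConfig` not built through `NewClientConfig`, or one built from a provider whose `svc.sts` is nil, will hand a nil `*sts.STS` to the vendored generator and panic inside `GetCallerIdentityRequest` instead of returning an error. A guard just before the call, `if c.sts == nil { return nil, errors.New("no STS client configured for embedded token") }`, keeps this on the normal error path (`errors.New` is available from the `pkg/errors` package the function already uses for `Wrap`). It would also help to document on the function that, from the visible part of the vendored generator, the token is built from an STS GetCallerIdentity request signed with whatever credentials `c.sts` carries, so the kubeconfig this produces contains a short-lived bearer credential for the caller's identity (the `roleARN` field is no longer consulted on this path). `WithEmbeddedToken` begins and ends outside this hunk.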
@@ -128,6 +128,10 @@ type Generator interface { Get(string) (string, error) // GetWithRole creates a token by assuming the provided role, using the credentials in the default chain. GetWithRole(clusterID, roleARN string) (string, error) + // GetWithRoleForSession creates a token by assuming the provided role, using the provided session. + GetWithRoleForSession(clusterID string, roleARN string, sess *session.Session) (string, error) + // GetWithSTS assumes returns a token valid for clusterID using the given STS client. + GetWithSTS(clusterID string, stsAPI *sts.STS) (string, error) // FormatJSON returns the client auth formatted json for the ExecCredential auth FormatJSON(string) string } @@ -166,6 +170,12 @@ func (g generator) GetWithRole(clusterID string, roleARN string) (string, error) return "", fmt.Errorf("could not create session: %v", err) } + return g.GetWithRoleForSession(clusterID, roleARN, sess) +} + +// GetWithRole assumes the given AWS IAM role for the given session and behaves +// like GetWithRole. +func (g generator) GetWithRoleForSession(clusterID string, roleARN string, sess *session.Session) (string, error) { // use an STS client based on the direct credentials stsAPI := sts.New(sess) @@ -179,6 +189,11 @@ func (g generator) GetWithRole(clusterID string, roleARN string) (string, error) stsAPI = sts.New(sess, &aws.Config{Credentials: creds}) } + return g.GetWithSTS(clusterID, stsAPI) +} + +// GetWithSTS assumes returns a token valid for clusterID using the given STS client. +func (g generator) GetWithSTS(clusterID string, stsAPI *sts.STS) (string, error) { // generate an sts:GetCallerIdentity request and add our custom cluster ID header request, _ := stsAPI.GetCallerIdentityRequest(&sts.GetCallerIdentityInput{}) request.HTTPRequest.Header.Add(clusterIDHeader, clusterID)