Using kubectl with an AWS role that can only be assumed when the underlying user profile provides MFA

Problem description  votes: 0  answers: 1

I am trying to access an EKS cluster owned by a role (call it OwnerRole). To switch to this role, the authorized user has to authenticate with MFA.

Here is the relevant configuration on my system. .aws/config:

[profile AuthorizedUser]
    region = us-east-1
    output = json
    mfa_serial = <ARN of the user's MFA device>

[profile RoleProfileUsedByKubectl]
    source_profile = AuthorizedUser
    role_arn = <ARN of the OwnerRole role>

This is the relevant part of the kubectl config:

- name: <username in context>
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - <name of the cluster>
      command: aws
      env:
      - name: AWS_PROFILE
        value: RoleProfileUsedByKubectl
      interactiveMode: IfAvailable
      provideClusterInfo: false

However, this is what actually happens.

When I run:

$ kubectl config use-context <context name>
Switched to context "<context name>"
$
$ kubectl get po -A
An error occurred (AccessDenied) when calling the AssumeRole operation: User: <user ARN> is not authorized to perform: sts:AssumeRole on resource: <role ARN>
....
<repeat 4 more times>
....
Unable to connect to the server: getting credentials: exec: executable aws failed with exit code 254

I think this is because, when I switch context, it should first use the AuthorizedUser profile and ask me for the MFA token, but it doesn't. So it just signs in as AuthorizedUser without an MFA token and tries to assume OwnerRole, which is refused for lack of MFA.

However, if I tweak the .aws config slightly as below (moving mfa_serial into the role profile), at least the AWS commands work, but kubectl does not:

[profile AuthorizedUser]
    region = us-east-1
    output = json

[profile RoleProfileUsedByKubectl]
    source_profile = AuthorizedUser
    mfa_serial = <ARN of the user's MFA device>
    role_arn = <ARN of the OwnerRole role>

$ aws eks list-nodegroups --cluster-name <cluster name> --region us-east-1 --profile RoleProfileUsedByKubectl
Enter MFA code for <MFA ARN>: 
{
    "nodegroups": [
        "<node group name list>"
    ]
}
$
$ kubectl get po -A
Unable to connect to the server: dial tcp 172.16.88.123:443: i/o timeout
$

Could this be because a firewall or security group is blocking kubectl's access? Please advise.

amazon-web-services command-line-interface kubectl amazon-eks
1 answer
0
votes

This is what finally worked for me:

.kube/config:

users:
- name: <username listed in context>
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - <clustername>
      command: aws
      env:
      - name: AWS_PROFILE
        value: <aws_profile_name>
      interactiveMode: IfAvailable
      provideClusterInfo: false

.aws/config:

[profile <base_profile>]
    region = us-east-1
    output = json

[profile <aws_profile_name>]
    source_profile = <base_profile>
    mfa_serial = <arn of mfa>
    role_arn = <arn of target role that needs mfa>
    role_session_name = <optional_but_easy_to_identify_in_logs>

Now, every time I try to switch context, it prompts me for MFA and switches cleanly.
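The two .aws/config layouts in this thread differ only in which profile carries mfa_serial, and that is the whole difference between "AccessDenied on AssumeRole" and an MFA prompt: the AWS CLI reads mfa_serial from the profile that has role_arn, and the static keys of the source profile are only used to make the AssumeRole call. The script below is an added example, not code from the post or from AWS; it lints a profile chain for exactly this mistake so you can catch it before kubectl's exec plugin fails five times in a row. The ARNs, profile names and the session name in the two embedded config samples are constructed for the example, and the ERROR/INFO message strings are this script's own.

```python
"""
Lint an ~/.aws/config profile chain for the MFA placement problem above:
mfa_serial must sit on the profile that carries role_arn, not on the
source profile whose static keys are only used to call AssumeRole.
Added example, not part of the original post; ARNs below are made up.
"""
import configparser

# Constructed sample: the questioner's first layout (mfa_serial on the source profile).
BROKEN_CONFIG = """
[profile AuthorizedUser]
    region = us-east-1
    output = json
    mfa_serial = arn:aws:iam::111122223333:mfa/authorized-user

[profile RoleProfileUsedByKubectl]
    source_profile = AuthorizedUser
    role_arn = arn:aws:iam::111122223333:role/OwnerRole
"""

# Constructed sample: the answer's layout (mfa_serial on the role profile).
WORKING_CONFIG = """
[profile AuthorizedUser]
    region = us-east-1
    output = json

[profile RoleProfileUsedByKubectl]
    source_profile = AuthorizedUser
    mfa_serial = arn:aws:iam::111122223333:mfa/authorized-user
    role_arn = arn:aws:iam::111122223333:role/OwnerRole
    role_session_name = kubectl-ownerrole
"""


def load_profiles(text):
    """Parse AWS CLI config text into {profile_name: {key: value}}.

    The CLI accepts indented keys; configparser would treat indented lines as
    value continuations, so indentation is stripped first. '[profile X]' -> 'X'.
    """
    flat = "\n".join(line.strip() for line in text.splitlines())
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(flat)
    profiles = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def resolve_chain(profiles, name):
    """Follow source_profile from `name` down to the profile holding static keys.

    Returns the profile names in order (role profiles first, static profile
    last). Raises ValueError on an undefined profile or a source_profile loop.
    """
    chain = []
    current = name
    while current not in chain:
        chain.append(current)
        prof = profiles.get(current)
        if prof is None:
            raise ValueError(f"profile '{current}' is not defined")
        if "role_arn" not in prof:
            return chain
        nxt = prof.get("source_profile")
        if nxt is None:
            raise ValueError(f"role profile '{current}' has no source_profile")
        current = nxt
    raise ValueError(f"source_profile loop: {' -> '.join(chain + [current])}")


def check_role_profile(profiles, name):
    """Return findings ('ERROR: ...' / 'INFO: ...') for the profile kubectl's exec plugin uses."""
    try:
        chain = resolve_chain(profiles, name)
    except ValueError as exc:
        return [f"ERROR: {exc}"]
    if len(chain) == 1:
        return [f"INFO: '{name}' has no role_arn; nothing is assumed"]
    static_name = chain[-1]
    findings = []
    for role_name, src_name in zip(chain, chain[1:]):
        if "mfa_serial" in profiles[role_name]:
            continue  # the CLI will prompt for a code before AssumeRole
        if src_name == static_name and "mfa_serial" in profiles[src_name]:
            findings.append(
                f"ERROR: mfa_serial is on source profile '{src_name}' but not on role "
                f"profile '{role_name}'; the CLI only reads it from the profile with "
                f"role_arn, so AssumeRole runs without MFA. Move it to '{role_name}'."
            )
        else:
            findings.append(
                f"INFO: role profile '{role_name}' has no mfa_serial; AssumeRole is "
                f"denied if the role's trust policy requires MFA"
            )
    if "role_session_name" not in profiles[name]:
        findings.append(f"INFO: '{name}' has no role_session_name; CloudTrail shows a generated one")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("working", WORKING_CONFIG)):
        print(f"== {label} ==")
        for line in check_role_profile(load_profiles(text), "RoleProfileUsedByKubectl") or ["OK"]:
            print(line)
```

To run it against a real setup, read the file named by AWS_CONFIG_FILE (default ~/.aws/config) and pass the AWS_PROFILE value from the kubeconfig exec env block; the chain walk also covers role profiles whose source_profile is itself a role profile, where the MFA prompt belongs on whichever hop is assumed from the static keys.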
