MCPcopy
hub / github.com/kubernetes-sigs/aws-iam-authenticator

github.com/kubernetes-sigs/aws-iam-authenticator @v0.7.18 sqlite

repository ↗ · DeepWiki ↗ · release v0.7.18 ↗
592 symbols 2,081 edges 91 files 262 documented · 44%
README

AWS IAM Authenticator for Kubernetes

A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster. The initial work on this tool was driven by Heptio. The project receives contributions from multiple community engineers and is currently maintained by Heptio and Amazon EKS OSS Engineers.

Table of Contents

Why do I want this?

If you are an administrator running a Kubernetes cluster on AWS, you already need to manage AWS IAM credentials to provision and update the cluster. By using AWS IAM Authenticator for Kubernetes, you avoid having to manage a separate credential for Kubernetes access. AWS IAM also provides a number of nice properties such as an out of band audit trail (via CloudTrail) and 2FA/MFA enforcement.

If you are building a Kubernetes installer on AWS, AWS IAM Authenticator for Kubernetes can simplify your bootstrap process. You won't need to somehow smuggle your initial admin credential securely out of your newly installed cluster. Instead, you can create a dedicated KubernetesAdmin role at cluster provisioning time and set up Authenticator to allow cluster administrator logins.

How do I use it?

Assuming you have a cluster running in AWS and you want to add AWS IAM Authenticator for Kubernetes support, you need to: 1. Create an IAM role you'll use to identify users. 2. Run the Authenticator server as a DaemonSet. 3. Configure your API server to talk to Authenticator. 4. Set up kubectl to use Authenticator tokens.

1. Create an IAM role

First, you must create one or more IAM roles that will be mapped to users/groups inside your Kubernetes cluster. The easiest way to do this is to log into the AWS Console: - Choose the "Role for cross-account access" / "Provide access between AWS accounts you own" option. - Paste in your AWS account ID number (available in the top right in the console). - Your role does not need any additional policies attached.

This will create an IAM role with no permissions that can be assumed by authorized users/roles in your account. Note the Amazon Resource Name (ARN) of your role, which you will need below.

You can also do this in a single step using the AWS CLI instead of the AWS Console:

# get your account ID
ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')

# define a role trust policy that opens the role to users in your account (limited by IAM policy)
POLICY=$(echo -n '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::'; echo -n "$ACCOUNT_ID"; echo -n ':root"},"Action":"sts:AssumeRole","Condition":{}}]}')

# create a role named KubernetesAdmin (will print the new role's ARN)
aws iam create-role \
  --role-name KubernetesAdmin \
  --description "Kubernetes administrator role (for AWS IAM Authenticator for Kubernetes)." \
  --assume-role-policy-document "$POLICY" \
  --output text \
  --query 'Role.Arn'

You can also skip this step and use: - An existing role (such as a cross-account access role). - An IAM user (see mapUsers below). - An EC2 instance or a federated role (see mapRoles below).

2. Run the server

The server is meant to run on each of your master nodes as a DaemonSet with host networking so it can expose a localhost port.

For a sample ConfigMap and DaemonSet configuration, see deploy/example.yaml. Before applying it, update these values for your cluster: - Replace placeholder IAM ARNs (arn:aws:iam::000000000000:...) in config.yaml. - Set clusterID to a unique value for your cluster. - Verify the DaemonSet scheduling rules match your control-plane node labels/taints.

Then deploy it:

kubectl apply -f deploy/example.yaml
kubectl -n kube-system rollout status daemonset/aws-iam-authenticator
kubectl -n kube-system get pods -l k8s-app=aws-iam-authenticator

Once the pod is running on a control-plane node, the aws-iam-authenticator server will create the webhook kubeconfig on the host at /etc/kubernetes/aws-iam-authenticator/kubeconfig.yaml (or the path configured via --generate-kubeconfig).

(Optional) Pre-generate a certificate, key, and kubeconfig

If you're building an automated installer, you can also pre-generate the certificate, key, and webhook kubeconfig files easily using aws-iam-authenticator init. This command will generate files and place them in the configured output directories.

You can run this on each master node prior to starting the API server. You could also generate them before provisioning master nodes and install them in the appropriate host paths.

If you do not pre-generate files, aws-iam-authenticator server will generate them on demand. This works but requires that you restart your Kubernetes API server after installation.

3. Configure your API server to talk to the server

The Kubernetes API integrates with AWS IAM Authenticator for Kubernetes using a token authentication webhook. When you run aws-iam-authenticator server, it will generate a webhook configuration file and save it onto the host filesystem. You'll need to add a single additional flag to your API server configuration:

--authentication-token-webhook-config-file=/etc/kubernetes/aws-iam-authenticator/kubeconfig.yaml

On many clusters, the API server runs as a static pod. You can add the flag to /etc/kubernetes/manifests/kube-apiserver.yaml. Make sure the host directory /etc/kubernetes/aws-iam-authenticator/ is mounted into your API server pod. You may also need to restart the kubelet daemon on your master node to pick up the updated static pod definition:

systemctl restart kubelet.service

4. Create IAM role/user to kubernetes user/group mappings

The default behavior of the server is to source mappings exclusively from the mapUsers and mapRoles fields of its configuration file. See Full Configuration Format below for details.

Using the --backend-mode flag, you can configure the server to source mappings from two additional backends: an EKS-style ConfigMap (--backend-mode=EKSConfigMap) or IAMIdentityMapping custom resources (--backend-mode=CRD). The default backend, the server configuration file that's mounted by the server pod, corresponds to --backend-mode=MountedFile.

You can pass a comma-separated list of these backends to have the server search them in order. For example, with --backend-mode=EKSConfigMap,MountedFile, the server will search the EKS-style ConfigMap for mappings then, if it doesn't find a mapping for the given IAM role/user, the server configuration file. If a mapping for the same IAM role/user exists in multiple backends, the server will use the mapping in the backend that occurs first in the comma-separated list. In this example, if a mapping is found in the EKS ConfigMap then it will be used whether or not a duplicate or conflicting mapping exists in the server configuration file.

Note that when setting a single backend, the server will only source from that one and ignore the others even if they exist. For example, with --backend-mode=CRD, the server will only source from IAMIdentityMappings and ignore the mounted file and EKS ConfigMap.

MountedFile

This is the default backend of mappings and sufficient for most users. See Full Configuration Format below for details.

CRD (alpha)

This backend models each IAM mapping as an IAMIdentityMapping Kubernetes Custom Resource. This approach enables you to maintain mappings in a Kubernetes-native way using kubectl or the API. Plus, syntax errors (like misaligned YAML) can be more easily caught and won't affect all mappings.

To setup an IAMIdentityMapping CRD you'll first need to apply the CRD manifest:

kubectl apply -f deploy/iamidentitymapping.yaml

With the CRDs deployed you can then create Custom Resources which model your IAM Identities. See ./deploy/example-iamidentitymapping.yaml:

---
apiVersion: iamauthenticator.k8s.aws/v1alpha1
kind: IAMIdentityMapping
metadata:
  name: kubernetes-admin
spec:
  # Arn of the User or Role to be allowed to authenticate
  arn: arn:aws:iam::XXXXXXXXXXXX:user/KubernetesAdmin
  # Username that Kubernetes will see the user as, this is useful for setting
  # up allowed specific permissions for different users
  username: kubernetes-admin
  # Groups to be attached to your users/roles. For example `system:masters` to
  # create cluster admin, or `system:nodes`, `system:bootstrappers` for nodes to
  # access the API server.
  groups:
  - system:masters

EKSConfigMap

The EKS-style kube-system/aws-auth ConfigMap serves as the backend. The ConfigMap is expected to be in exactly the same format as in EKS clusters: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html. This is useful if you're migrating from/to EKS and want to keep your mappings, or are running EKS in addition to some other AWS cluster(s) and want to have the same mappings in each.

DynamicFile

A local file specified by cfg.dynamicfilepath can serve as the backend. The file content is expected to be in exactly the same format as the EKSConfigMap. Whenever this file content changes, authenticator will automatically reload it. This provides more flexibility on managing the ARN mappings.

Check https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/master/hack/dev/authenticator_with_dynamicfile_mode.yaml about how to configure the DynamicFile mode.

Run make e2e RUNNER=kind to play with a kind cluster with DynamicFile mode enable.

5. How to configure reservedPrefixConfig for Kubernetes usernames

The aws-iam-authenticator can support reserved prefix for k8s username. If the reserved prefix is set, then the username with the reserved prefix will not be authenticated with the error "username must not begin with with the following prefixes:".

Check https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/master/hack/dev/authenticator_with_dynamicfile_mode.yaml about how to configure the reserved prefix.

6. Set up kubectl to use authentication tokens provided by AWS IAM Authenticator for Kubernetes

Finally, once the server is set up you'll want to authenticate. You will still need a kubeconfig that has the public data about your cluster (cluster CA certificate, endpoint address). The users section of your configuration, however, should include an exec section (refer to the kubectl credential plugin docs):

# [...]
users:
- name: kubernetes-admin
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws-iam-authenticator
      args:
        - "token"
        - "-i"
        - "REPLACE_ME_WITH_YOUR_CLUSTER_ID"
        - "-r"
        - "REPLACE_ME_WITH_YOUR_ROLE_ARN"
  # no client certificate/key needed here!

This means the kubeconfig is entirely public data and can be shared across all Authenticator users. It may make sense to upload it to a trusted public location such as AWS S3.

Make sure you have the aws-iam-authenticator binary installed. You can install it with go install sigs.k8s.io/aws-iam-authenticator/cmd/aws-iam-authenticator@latest.

To authenticate, run kubectl --kubeconfig /path/to/kubeconfig" [...]. kubectl will exec the aws-iam-authenticator binary with the supplied params in your kubeconfig which will generate a token and pass it to the apiserver. The token is valid for 15 minutes (the shortest value AWS permits) and can be reused multiple times.

You can also specify session name when generating the token by including --session-name or -s parameter. This parameter cannot be used along with --forward-session-name.

You can also omit -r ROLE_ARN to sign the token with your existing credentials without assuming a dedicated role. This is useful if you want to authenticate as an IAM user directly or if you want to authenticate using an EC2 instance role or a federated role.

Kops Usage

Clusters managed by Kops can be configured to use Authenticator. For usage instructions see the Kops documentation.

How does it work?

It works using the AWS sts:GetCallerIdentity API endpoint. This endpoint returns information about whatever AWS IAM credentials you use to connect to it.

Client side (aws-iam-authenticator token)

We use this API in a somewhat unusual way by having the Authenticator client generate and pre-sign a request to the endpoint. We serialize that request into a token that can pass through the Kubernetes authentication system.

Server side (aws-iam-authenticator server)

The token is passed through the Kubernetes API server and into the Authenticator server's /authenticate endpoint via a webhook configuration. The Authenticator server validates all the parameters of the pre-signed request to make sure nothing looks funny. It then submits th

Extension points exported contracts — how you extend this code

Mapper (Interface)
Mapper is the interface implemented by all IAM identity mapping backends. [4 implementers]
pkg/mapper/mapper.go
FileChangeCallBack (Interface)
FileChangeCallBack defines callbacks invoked when a watched file changes or is deleted. [3 implementers]
pkg/fileutil/util.go
Verifier (Interface)
Verifier validates tokens by calling STS and returning the associated identity. [2 implementers]
pkg/token/token.go
EC2Provider (Interface)
EC2Provider looks up EC2 instance details by instance ID. [2 implementers]
pkg/ec2provider/ec2provider.go
FileLocker (Interface)
FileLocker is a subset of the methods exposed by *flock.Flock [1 implementers]
pkg/filecache/filecache.go
Client (Interface)
Client defines configmap client methods. [1 implementers]
pkg/mapper/configmap/client/client.go
Generator (Interface)
Generator provides new tokens for the AWS IAM Authenticator. [1 implementers]
pkg/token/token.go
EC2API (Interface)
EC2API defines the interface for EC2 client operations [1 implementers]
pkg/ec2provider/ec2provider.go

Core symbols most depended-on inside this repo

Error
called by 48
pkg/token/token.go
authenticateEndpoint
called by 24
pkg/server/server.go
Unlock
called by 23
pkg/filecache/filecache.go
Get
called by 21
pkg/metrics/metrics.go
Name
called by 15
pkg/mapper/mapper.go
Close
called by 15
pkg/server/server.go
Run
called by 14
pkg/server/server.go
NewFileCacheProvider
called by 14
pkg/filecache/filecache.go

Shape

Function 285
Method 203
Struct 78
Interface 21
FuncType 4
TypeAlias 1

Languages

Go100%

Modules by API surface

pkg/server/server_test.go42 symbols
pkg/token/token.go38 symbols
pkg/token/token_test.go37 symbols
pkg/filecache/filecache_test.go34 symbols
pkg/filecache/filecache.go22 symbols
pkg/mapper/crd/generated/informers/externalversions/factory.go21 symbols
pkg/ec2provider/ec2provider.go21 symbols
pkg/server/server.go17 symbols
pkg/mapper/configmap/configmap_test.go15 symbols
pkg/mapper/crd/generated/clientset/versioned/typed/iamauthenticator/v1alpha1/iamidentitymapping.go14 symbols
pkg/mapper/dynamicfile/dynamicfile_test.go13 symbols
pkg/ec2provider/ec2provider_test.go13 symbols

Used by 2 indexed graphs manifest dependencies, hub-wide

Dependencies from manifests, versioned

github.com/Masterminds/semver/v3v3.4.0 · 1×
github.com/aws/aws-sdk-go-v2v1.41.5 · 1×
github.com/aws/aws-sdk-go-v2/configv1.32.14 · 1×
github.com/aws/aws-sdk-go-v2/credentialsv1.19.14 · 1×
github.com/aws/aws-sdk-go-v2/feature/ec2/imdsv1.18.21 · 1×
github.com/aws/aws-sdk-go-v2/internal/configsourcesv1.4.21 · 1×
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2v2.7.21 · 1×
github.com/aws/aws-sdk-go-v2/internal/iniv1.8.6 · 1×
github.com/aws/aws-sdk-go-v2/service/ec2v1.296.2 · 1×
github.com/aws/aws-sdk-go-v2/service/internal/accept-encodingv1.13.7 · 1×
github.com/aws/aws-sdk-go-v2/service/internal/presigned-urlv1.13.21 · 1×
github.com/aws/aws-sdk-go-v2/service/signinv1.0.9 · 1×

For agents

$ claude mcp add aws-iam-authenticator \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact