Support EKS clusters with IAM creds #1304

Closed
gregdurham opened this issue Mar 20, 2019 · 4 comments

@gregdurham

Looking at ArgoCD, it appears that we cannot set IAM creds per cluster; instead, it appears everything is wired through role ARNs. If someone has multiple clusters in multiple distinct AWS accounts, this may prove difficult. Do you have any options available to support this?

@jessesuen
Member

This should be supported. When adding clusters to Argo CD you can provide `--aws-role-arn`. This role is the one argo-cd will assume before interfacing with the other cluster. Then the role that Argo CD runs as must have privileges to assume that specified role, which would need to be whitelisted on the cluster side.

```
$ argocd cluster add --help
argocd cluster add CONTEXT

Usage:
  argocd cluster add [flags]

Flags:
      --aws-cluster-name string   AWS Cluster name if set then aws-iam-authenticator will be used to access cluster
      --aws-role-arn string       Optional AWS role arn. If set then AWS IAM Authenticator assume a role to perform cluster operations instead of the default AWS credential provider chain.
```

Under the covers, we simply use the exec auth provider with aws-iam-authenticator, which only has the option to specify the role arn and cluster id:

```
$ aws-iam-authenticator token --help
Authenticate using AWS IAM and get token for Kubernetes

Usage:
  heptio-authenticator-aws token [flags]

Flags:
  -h, --help          help for token
  -r, --role string   Assume an IAM Role ARN before signing this token

Global Flags:
  -i, --cluster-id ID     Specify the cluster ID, a unique-per-cluster identifier for your heptio-authenticator-aws installation.
  -c, --config filename   Load configuration from filename
```
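
The cross-account setup described in the comment above depends on three grants lining up: the role Argo CD runs as must be allowed `sts:AssumeRole` on the role passed as `--aws-role-arn`, that role's trust policy must name Argo CD's role, and the target cluster must map the role to a Kubernetes identity (on EKS, the `mapRoles` list of the `aws-auth` ConfigMap). The following audit of those three documents is an added example, not code from Argo CD or from this thread. The account IDs, role names and group name are constructed placeholders, and the check matches exact strings only.

```python
"""Audit the three grants behind `argocd cluster add --aws-role-arn` (added example)."""
# Constructed sample data: account IDs, role names and the group are placeholders.
ARGOCD_ROLE = "arn:aws:iam::111111111111:role/argocd-controller"  # role Argo CD runs as
TARGET_ROLE = "arn:aws:iam::222222222222:role/argocd-deployer"    # value of --aws-role-arn
ARGOCD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE}]}
TARGET_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": ARGOCD_ROLE}}]}
MAP_ROLES = [{"rolearn": TARGET_ROLE, "username": "argocd", "groups": ["argocd-deployers"]}]

def _as_list(value):
    # IAM JSON accepts a bare string wherever it accepts a list of strings.
    return value if isinstance(value, list) else [value]

def _allow_statements(policy, action="sts:AssumeRole"):
    # Exact-match only: action wildcards and Condition blocks are not evaluated.
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and action in _as_list(stmt.get("Action", [])):
            yield stmt

def audit(argocd_role, target_role, argocd_policy, target_trust, map_roles):
    """Return findings; an empty list means the chain is complete and narrowly scoped."""
    findings = []
    # 1. Identity policy of the role Argo CD runs as: may it assume the target role?
    resources = [r for s in _allow_statements(argocd_policy)
                 for r in _as_list(s.get("Resource", []))]
    if "*" in resources:
        findings.append("Argo CD role may assume any role (Resource '*')")
    elif target_role not in resources:
        findings.append("Argo CD role is not allowed to assume the target role")
    # 2. Trust policy of the target role: which principals may assume it?
    principals = []
    for s in _allow_statements(target_trust):
        p = s.get("Principal", {})
        principals += ["*"] if p == "*" else _as_list(p.get("AWS", []))
    account_root = f"arn:aws:iam::{argocd_role.split(':')[4]}:root"
    if "*" in principals:
        findings.append("target role trusts any principal")
    elif account_root in principals:
        findings.append("target role trusts the whole Argo CD account, not only its role")
    elif argocd_role not in principals:
        findings.append("target role does not trust the Argo CD role")
    # 3. Cluster side: the target role must be mapped to a Kubernetes identity.
    if target_role not in [m.get("rolearn") for m in map_roles]:
        findings.append("target role is not mapped in aws-auth mapRoles")
    return findings

if __name__ == "__main__":
    print(audit(ARGOCD_ROLE, TARGET_ROLE, ARGOCD_POLICY, TARGET_TRUST, MAP_ROLES) or "ok")
```
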

@eupestov

I can confirm it worked at least with 0.12.3

@alexec
Contributor

alexec commented May 16, 2019

It'd be great to have a guide on how to do this. @eupestov would contributing docs be something you'd be interested in please?

@alexec
Contributor

alexec commented Jun 13, 2019

Please re-open if you have more questions.
