[WIP] Add option for Role session name to EKS subcommands #8994
@@ -95,6 +95,14 @@ class GetTokenCommand(BasicCommand): | |||
), | |||
'required': False, | |||
}, | |||
{ | |||
'name': 'session-name', |
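Review bot: the new `session-name` entry accepts a free-form string that becomes the STS role session name, so it should be validated before the assume-role call. STS only accepts 2 to 64 characters from `[\w+=,.@-]`; rejecting anything else in the CLI gives a clear error instead of a service-side failure that, for a kubeconfig exec entry, surfaces inside kubectl. The help text for this entry should also state that the option only has an effect together with `--role-arn` and that the default remains `EKSGetTokenAuth`.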
I would have preferred to name this option `--role-session-name` instead of `--session-name` for clarity, but that would mean having two options with names that begin with `--role`.
This causes an ambiguity with this section of the file `update_kubeconfig.py`, where it adds an option `--role`, which normally gets matched to `--role-arn` in this file.
To minimize changes and preserve backwards compatibility, I instead use `--session-name` for the option.
This is consistent with `aws-iam-authenticator`'s flag name, no objection to the name
@@ -174,6 +175,28 @@ def test_url_with_arn(self): | |||
) | |||
self.assert_url_correct(response, has_session_token=True) | |||
|
|||
def test_url_with_arn_and_session_name(self): |
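Review bot: `test_url_with_arn_and_session_name` should assert on the session name itself, not only on the resulting URL. The preceding test ends in `self.assert_url_correct(response, has_session_token=True)`, and a check of that kind passes whether or not the custom name reached the assume-role request. If the new test ends the same way, add an assertion on the `RoleSessionName` that the mocked STS call received, plus a companion case showing the name is still `EKSGetTokenAuth` when `--session-name` is omitted.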
This is mostly copied from `test_url_with_arn`, with a few minor changes to accommodate the new `--session-name` option.
This commit adds a --session-name option to the eks get-token and eks update-kubeconfig commands. Prior to this, when creating a kubeconfig file with eks update-kubeconfig and specifying a --role-arn, there was no way to set a custom Role Session Name. This session name was hardcoded to "EKSGetTokenAuth". Role session names are included in the output of commands like `kubectl auth whoami` and can be used to distinguish users connecting to the EKS cluster that are using the same --role-arn.
464443f to 2c87cc5
Thanks!
@@ -95,6 +95,14 @@ class GetTokenCommand(BasicCommand): | |||
), | |||
'required': False, | |||
}, | |||
{ | |||
'name': 'session-name', |
This is consistent with `aws-iam-authenticator`'s flag name, no objection to the name
Applying changes recommended by @micahhausler Co-authored-by: Micah Hausler <micahhausler@users.noreply.github.com>
Another open question is whether this should be merged to the |
This PR is a work in progress (WIP)
Issue #, if available: #8976
Description of changes:
This PR adds a `--session-name` flag for the `aws eks get-token` and `aws eks update-kubeconfig` commands. This flag is meant to be used with `--role-arn` to give a custom Role Session Name that overrides the default session name of `EKSGetTokenAuth`.
Commit Summary
This commit adds a --session-name option to the eks get-token and eks update-kubeconfig commands. Prior to this, when creating a kubeconfig file with eks update-kubeconfig and specifying a --role-arn, there was no way to set a custom Role Session Name. This session name was hardcoded to "EKSGetTokenAuth". Role session names are included in the output of commands like `kubectl auth whoami` and can be used to distinguish users connecting to the EKS cluster that are using the same --role-arn.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
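An added example (not part of this PR or of aws-cli) of why the session name matters for audit: it parses STS assumed-role ARNs, whose last path segment is the role session name, and reports per role which callers are distinguishable and how many still use the default `EKSGetTokenAuth`. The sample ARNs, the account ID and all function names are constructed for illustration; the 2 to 64 character limit and character set are the STS `RoleSessionName` constraints.

```python
import re
from collections import defaultdict

# STS limits RoleSessionName to 2-64 characters from this set.
SESSION_NAME_RE = re.compile(r"[\w+=,.@-]{2,64}", re.ASCII)
# Shape of an STS assumed-role ARN: .../assumed-role/<role>/<session name>
ASSUMED_ROLE_RE = re.compile(
    r"arn:aws[\w-]*:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)", re.ASCII
)
DEFAULT_SESSION = "EKSGetTokenAuth"  # default named in the PR description


def is_valid_session_name(name):
    """True if STS would accept `name` as a RoleSessionName."""
    return SESSION_NAME_RE.fullmatch(name) is not None


def parse_assumed_role_arn(arn):
    """Split an assumed-role ARN into (account, role, session), else None."""
    m = ASSUMED_ROLE_RE.fullmatch(arn)
    return m.groups() if m else None


def attribute_sessions(arns):
    """Per (account, role): named sessions seen, and count of default ones."""
    report = defaultdict(lambda: {"named": set(), "default": 0})
    for arn in arns:
        parsed = parse_assumed_role_arn(arn)
        if parsed is None:
            continue  # not an assumed-role identity (e.g. an IAM user)
        account, role, session = parsed
        if session == DEFAULT_SESSION:
            report[(account, role)]["default"] += 1  # callers look identical
        else:
            report[(account, role)]["named"].add(session)
    return dict(report)


# Constructed sample identities (not from the PR or any real account).
SAMPLE_ARNS = [
    "arn:aws:sts::111122223333:assumed-role/eks-admin/EKSGetTokenAuth",
    "arn:aws:sts::111122223333:assumed-role/eks-admin/alice@example.com",
    "arn:aws:sts::111122223333:assumed-role/eks-admin/EKSGetTokenAuth",
    "arn:aws:sts::111122223333:assumed-role/eks-admin/bob@example.com",
    "arn:aws:iam::111122223333:user/carol",
]

if __name__ == "__main__":
    for key, info in attribute_sessions(SAMPLE_ARNS).items():
        print(key, sorted(info["named"]), "default sessions:", info["default"])
```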