[WIP] Add option for Role session name to EKS subcommands #8994
Conversation
| @@ -95,6 +95,14 @@ class GetTokenCommand(BasicCommand): | |||
| ), | |||
| 'required': False, | |||
| }, | |||
| { | |||
| 'name': 'session-name', | |||
There was a problem hiding this comment.
I would have preferred to name this option --role-session-name instead of --session-name for clarity, but that would mean having two options with names that begin with --role.
This causes an ambiguity with this section of the file update_kubeconfig.py, where it adds an option --role, which normally gets matched to --role-arn in this file.
To minimize changes and preserve backwards compatibility, I instead use --session-name for the option.
There was a problem hiding this comment.
This is consistent with aws-iam-authenticators flag name, no objection to the name
| @@ -174,6 +175,28 @@ def test_url_with_arn(self): | |||
| ) | |||
| self.assert_url_correct(response, has_session_token=True) | |||
|
|
|||
| def test_url_with_arn_and_session_name(self): | |||
There was a problem hiding this comment.
This is mostly copied from test_url_with_arn, with a few minor changes to accomodate the new --session-name option.
This commit adds a --session-name option to the eks get-token and eks update-kubeconfig commands. Prior to this, when creating a kubeconfig file with eks update-kubeconfig and specifying a --role-arn, there was no way to set a custom Role Session Name. This session name was hardcoded to "EKSGetTokenAuth". Role session names are included in the output of commands like `kubectl auth whoami` and can be used to distinguish users connecting to the EKS cluster that are using the same --role-arn.
murshed-panorama
force-pushed
the
eks/role_session_name_option_v2
branch
from
464443f
to
2c87cc5
Compare
| @@ -95,6 +95,14 @@ class GetTokenCommand(BasicCommand): | |||
| ), | |||
| 'required': False, | |||
| }, | |||
| { | |||
| 'name': 'session-name', | |||
There was a problem hiding this comment.
This is consistent with aws-iam-authenticators flag name, no objection to the name
Applying changes recommended by @micahhausler Co-authored-by: Micah Hausler <[email protected]>
|
Another open question is whether this should be merged to the |
This PR is a work in progress (WIP)
Issue #, if available: #8976
Description of changes:
This PR adds a
--session-nameflag for theaws eks get-tokenandaws eks update-kubeconfigcommands. This flag is meant to be used with--role-arnto give a custom Role Session Name that overrides the default session name ofEKSGetTokenAuth.Commit Summary
This commit adds a --session-name option to the eks get-token and eks
update-kubeconfig commands. Prior to this, when creating a kubeconfig
file with eks update-kubeconfig and specifying a --role-arn, there was
no way to set a custom Role Session Name. This session name was
hardcoded to "EKSGetTokenAuth". Role session names are included in the
output of commands like
kubectl auth whoamiand can be used todistinguish users connecting to the EKS cluster that are using the same
--role-arn.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.