sumanthkumarc · June 10, 2022 06:09
diff --git a/aws-auth-definition.yaml b/aws-auth-definition.yaml
 # each mapRoles entry maps an IAM role to a username and set of groups
 # Each username and group can optionally contain template parameters:
 #  1) "{{AccountID}}" is the 12 digit AWS ID.
 #  2) "{{SessionName}}" is the role session name, with `@` characters
 #     transliterated to `-` characters.
 #  3) "{{SessionNameRaw}}" is the role session name, without character
 #     transliteration (available in version >= 0.5).
 mapRoles:
 # statically map arn:aws:iam::000000000000:role/KubernetesAdmin to cluster admin
 - roleARN: arn:aws:iam::000000000000:role/KubernetesAdmin
  username: kubernetes-admin
  groups:
  - system:masters

 # map EC2 instances in my "KubernetesNode" role to users like
 # "aws:000000000000:instance:i-0123456789abcdef0". Only use this if you
 # trust that the role can only be assumed by EC2 instances. If an IAM user
 # can assume this role directly (with sts:AssumeRole) they can control
 # SessionName.
 - roleARN: arn:aws:iam::000000000000:role/KubernetesNode
  username: aws:{{AccountID}}:instance:{{SessionName}}
  groups:
  - system:bootstrappers
  - aws:instances

 # map nodes that should conform to the username "system:node:<private-DNS>".  This
 # requires the authenticator to query the EC2 API in order to discover the private
 # DNS of the EC2 instance originating the authentication request.  Optionally, you
 # may specify a role that should be assumed before querying the EC2 API with the
 # key "server.ec2DescribeInstancesRoleARN" (see above).
 - roleARN: arn:aws:iam::000000000000:role/KubernetesNode
  username: system:node:{{EC2PrivateDNSName}}
  groups:
  - system:nodes
  - system:bootstrappers

 # map federated users in my "KubernetesAdmin" role to users like
 # "admin:alice-example.com". The SessionName is an arbitrary role name
 # like an e-mail address passed by the identity provider. Note that if this
 # role is assumed directly by an IAM User (not via federation), the user
 # can control the SessionName.
 - roleARN: arn:aws:iam::000000000000:role/KubernetesAdmin
  username: admin:{{SessionName}}
  groups:
  - system:masters

 # map federated users in my "KubernetesOtherAdmin" role to users like
 # "alice-example.com". The SessionName is an arbitrary role name
 # like an e-mail address passed by the identity provider. Note that if this
 # role is assumed directly by an IAM User (not via federation), the user
 # can control the SessionName.  Note that the "{{SessionName}}" macro is
 # quoted to ensure it is properly parsed as a string.
 - roleARN: arn:aws:iam::000000000000:role/KubernetesOtherAdmin
  username: "{{SessionName}}"
  groups:
  - system:masters

 # If unalterable identification of an IAM User is desirable, you can map against
 # AccessKeyID.
 - roleARN: arn:aws:iam::000000000000:role/KubernetesOtherAdmin
  username: "admin:{{AccessKeyID}}"
  groups:
  - system:masters

 # each mapUsers entry maps an IAM role to a static username and set of groups
 mapUsers:
 # map user IAM user Alice in 000000000000 to user "alice" in group "system:masters"
 - userARN: arn:aws:iam::000000000000:user/Alice
  username: alice
  groups:
  - system:masters

 # automatically map IAM ARN from these accounts to username.
 # NOTE: Always use quotes to avoid the account numbers being recognized as numbers
 # instead of strings by the yaml parser.
 mapAccounts:
 - "012345678901"
 - "456789012345"
	# each mapRoles entry maps an IAM role to a username and set of groups
	# Each username and group can optionally contain template parameters:
	# 1) "{{AccountID}}" is the 12 digit AWS ID.
	# 2) "{{SessionName}}" is the role session name, with `@` characters
	# transliterated to `-` characters.
	# 3) "{{SessionNameRaw}}" is the role session name, without character
	# transliteration (available in version >= 0.5).
	mapRoles:
	# statically map arn:aws:iam::000000000000:role/KubernetesAdmin to cluster admin
	- roleARN: arn:aws:iam::000000000000:role/KubernetesAdmin
	username: kubernetes-admin
	groups:
	- system:masters

	# map EC2 instances in my "KubernetesNode" role to users like
	# "aws:000000000000:instance:i-0123456789abcdef0". Only use this if you
	# trust that the role can only be assumed by EC2 instances. If an IAM user
	# can assume this role directly (with sts:AssumeRole) they can control
	# SessionName.
	- roleARN: arn:aws:iam::000000000000:role/KubernetesNode
	username: aws:{{AccountID}}:instance:{{SessionName}}
	groups:
	- system:bootstrappers
	- aws:instances

	# map nodes that should conform to the username "system:node:<private-DNS>". This
	# requires the authenticator to query the EC2 API in order to discover the private
	# DNS of the EC2 instance originating the authentication request. Optionally, you
	# may specify a role that should be assumed before querying the EC2 API with the
	# key "server.ec2DescribeInstancesRoleARN" (see above).
	- roleARN: arn:aws:iam::000000000000:role/KubernetesNode
	username: system:node:{{EC2PrivateDNSName}}
	groups:
	- system:nodes
	- system:bootstrappers

	# map federated users in my "KubernetesAdmin" role to users like
	# "admin:alice-example.com". The SessionName is an arbitrary role name
	# like an e-mail address passed by the identity provider. Note that if this
	# role is assumed directly by an IAM User (not via federation), the user
	# can control the SessionName.
	- roleARN: arn:aws:iam::000000000000:role/KubernetesAdmin
	username: admin:{{SessionName}}
	groups:
	- system:masters

	# map federated users in my "KubernetesOtherAdmin" role to users like
	# "alice-example.com". The SessionName is an arbitrary role name
	# like an e-mail address passed by the identity provider. Note that if this
	# role is assumed directly by an IAM User (not via federation), the user
	# can control the SessionName. Note that the "{{SessionName}}" macro is
	# quoted to ensure it is properly parsed as a string.
	- roleARN: arn:aws:iam::000000000000:role/KubernetesOtherAdmin
	username: "{{SessionName}}"
	groups:
	- system:masters

	# If unalterable identification of an IAM User is desirable, you can map against
	# AccessKeyID.
	- roleARN: arn:aws:iam::000000000000:role/KubernetesOtherAdmin
	username: "admin:{{AccessKeyID}}"
	groups:
	- system:masters

	# each mapUsers entry maps an IAM role to a static username and set of groups
	mapUsers:
	# map user IAM user Alice in 000000000000 to user "alice" in group "system:masters"
	- userARN: arn:aws:iam::000000000000:user/Alice
	username: alice
	groups:
	- system:masters

	# automatically map IAM ARN from these accounts to username.
	# NOTE: Always use quotes to avoid the account numbers being recognized as numbers
	# instead of strings by the yaml parser.
	mapAccounts:
	- "012345678901"
	- "456789012345"