Kubernetes 将MFA与EKS kubectl&;aws iam验证器
我一直试图让MFA与kubectl合作,以确保访问AWS中的EKS主机。医生似乎暗示这是可能的,但我遇到了问题,我无法解决 没有任何特殊功能,我可以连接到EKS群集:Kubernetes 将MFA与EKS kubectl&;aws iam验证器,kubernetes,kubectl,aws-iam,multi-factor-authentication,amazon-eks,Kubernetes,Kubectl,Aws Iam,Multi Factor Authentication,Amazon Eks,我一直试图让MFA与kubectl合作,以确保访问AWS中的EKS主机。医生似乎暗示这是可能的,但我遇到了问题,我无法解决 没有任何特殊功能,我可以连接到EKS群集: kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 172.20.0.1 <none> 443/TCP 2d …然后我可以看到AWS
kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 172.20.0.1 <none> 443/TCP 2d
…然后我可以看到AWS CLI具有MFA:
aws sts get-caller-identity --profile default_role
Enter MFA code for arn:aws:iam::1234567890:mfa/spanktar: 123456
{
"UserId": "**********************:botocore-session-1234567890",
"Account": "1234567890",
"Arn": "arn:aws:sts::1234567890:assumed-role/test_assumeRole/botocore-session-1234567890"
}
然后我可以验证:
aws sts assume-role --role-arn arn:aws:iam::1234567890:role/test_assumeRole --role-session-name default_role
{
"Credentials": {
"AccessKeyId": "**********************",
"SecretAccessKey": "**********************",
"SessionToken": "FOO",
"Expiration": "2018-10-11T21:19:20Z"
},
"AssumedRoleUser": {
"AssumedRoleId": "**********************:default_role",
"Arn": "arn:aws:sts::1234567890:assumed-role/test_assumeRole/default_role"
}
}
kubectl仍然正常工作,因为它尚未使用配置文件:
kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 172.20.0.1 <none> 443/TCP 2d
因此,现在当我尝试kubectl
时,它要求MFA,但它永远无法满足:
kubectl get svc
Assume Role MFA token code: 123456
Assume Role MFA token code: 123456
could not get token: AccessDenied: MultiFactorAuthentication failed with invalid MFA one time pass code.
status code: 403, request id: 123456-cd93-11e8-80a5-1234567898765
E1011 13:22:07.385200 28191 exec.go:230] refreshing credentials: exec: exit status 1
No resources found.
error: You must be logged in to the server (Unauthorized)
AWS角色test\u assumeRole
如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1234567890:user/spanktar"
},
"Action": "sts:AssumeRole"
}
]
}
相关策略test\u assumePolicy
如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::1234567890:role/test_assumeRole"
}
]
}
因此,问题是:
- 我是否需要将这些内容附加到IAM用户?医生们似乎建议不要这样做
- 我在这里错过了什么让它运行?它似乎连接得几乎正确
-r
选项来管理它
在您的情况下,它将如下所示:
users:
- name: aws
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: aws-iam-authenticator
env:
- name: "AWS_PROFILE"
value: "default_role"
args:
- "token"
- "-i"
- "test-eks-cluster"
- "-r"
- "arn:aws:iam::1234567890:role/test_assumeRole"
我希望这对你也有用。嗨,你解决了这个问题吗?我目前正面临着完全相同的问题,我在努力找出问题所在!谢谢这里也有同样的问题。有什么建议吗?有什么进展吗?遇到类似的问题
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::1234567890:role/test_assumeRole"
}
]
}
users:
- name: aws
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: aws-iam-authenticator
env:
- name: "AWS_PROFILE"
value: "default_role"
args:
- "token"
- "-i"
- "test-eks-cluster"
- "-r"
- "arn:aws:iam::1234567890:role/test_assumeRole"