# aws

fresh-notebook-40503

06/21/2022, 4:47 PM
I have an EKS question. Is there a way to use pulumi to edit the `aws-auth` ConfigMap to add `mapUsers` entries? I can definitely add `mapRoles` entries via the `roleMappings` argument in the `eks.Cluster` constructor, but it doesn't seem to be possible to edit `mapUsers` in the ConfigMap via pulumi

billowy-army-68599

06/21/2022, 4:50 PM
currently the only way to do this is via dynamic providers, we have some work in progress that will ship (this quarter I believe) to make this easier: https://github.com/pulumi/pulumi-kubernetes/pull/2029

fresh-notebook-40503

06/21/2022, 4:54 PM
ah yes. I just read through the issue related to the pull request: https://github.com/pulumi/pulumi-kubernetes/issues/2011. This seems to be what I'd need. Thanks!
a related question: is it possible to use pulumi to assume an IAM role just for the scope of some specific EKS and k8s commands? I could use `aws sts assume-role` before running pulumi up, but then the pulumi user will inhabit that role for every command. I want to use a specific IAM role just for the scope of some specific k8s commands. I can create an `aws.Provider` to assume a specific role and use that provider for the scope of `aws` commands (e.g. `aws.s3.Bucket(... { provider: customProvider })`). However, it doesn't look like I can use a `kubernetes.Provider` to assume a specific IAM role for the scope of some `kubernetes` commands

billowy-army-68599

06/21/2022, 5:00 PM
the EKS pulumi kubeconfig is unique in that it retrieves a token using `aws eks get-token`. You can construct a Kubernetes provider that has that call in it with a profile, but the `aws eks get-token` command doesn't support assume role at all

fresh-notebook-40503

06/21/2022, 5:01 PM
ah, I see. will investigate using a profile here. thank you!
oh interesting. I found the following snippet in a github issue to change the kubeconfig to assume a particular role. https://github.com/pulumi/pulumi-eks/issues/405#issuecomment-652163657. This updated the `aws eks get-token` command in the kubeconfig to add a new `--role <role-arn>` argument. Seems to have worked fine. Will test some more, but it's looking solid.

glamorous-australia-21342

06/21/2022, 5:46 PM
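i saw this comment https://github.com/pulumi/pulumi-kubernetes/issues/1775#issuecomment-1022120484 and was hoping there was already a solution if people are already managing aws-auth?
I'm currently getting the value of the aws-auth configmap and then trying to figure out a way to push it

```typescript
import * as YAML from "yaml"; // assumed: the `yaml` npm package, which provides YAML.parse

// awsAuthConfigmap is the aws-auth ConfigMap fetched earlier in the program.
awsAuthConfigmap.data.apply(v => {
  // mapRoles is stored as a YAML string inside the ConfigMap data.
  const roleMappings = YAML.parse(v.mapRoles);
  console.log(roleMappings);
  const roleMapping = {
    rolearn: "TEST",
    username: "TEST",
    groups: ["TEST"], // groups is a list of group names in aws-auth
  };
  roleMappings.push(roleMapping);
  // console.log(roleMappings)
  // The updated list is not written back to the cluster here.
});
```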

billowy-army-68599

06/21/2022, 5:49 PM
only with a dynamic provider

glamorous-australia-21342

06/21/2022, 5:50 PM
So is there a way to patch aws-auth now or not until this is shipped?

billowy-army-68599

06/21/2022, 6:06 PM
as I said, it's possible with a dynamic provider. you'd need to write create and update methods that patched the resource

glamorous-australia-21342

06/21/2022, 6:45 PM
seems complex, any examples?

billowy-army-68599

06/21/2022, 6:46 PM
lots of dynamic provider examples in github.com/pulumi/examples but none for this specific use case