# aws
f
I have an EKS question. Is there a way to use pulumi to edit the `aws-auth` ConfigMap to add `mapUsers` entries? I can definitely add `mapRoles` entries via the `roleMappings` argument in the `eks.Cluster` constructor, but it doesn't seem to be possible to edit `mapUsers` in the ConfigMap via pulumi
b
currently the only way to do this is via dynamic providers, we have some work in progress that will ship (this quarter I believe) to make this easier: https://github.com/pulumi/pulumi-kubernetes/pull/2029
f
ah yes. I just read through the issue related to the pull request: https://github.com/pulumi/pulumi-kubernetes/issues/2011. This seems to be what I'd need. Thanks!
a related question: is it possible to use pulumi to assume an IAM role just for the scope of some specific EKS and k8s commands? I could use `aws sts assume-role` before running pulumi up, but then the pulumi user will inhabit that role for every command. I want to use a specific IAM role just for the scope of some specific k8s commands. I can create an `aws.Provider` to assume a specific role and use that provider for the scope of `aws` commands (e.g. `aws.s3.Bucket(... { provider: customProvider })`). However, it doesn't look like I can use a `kubernetes.Provider` to assume a specific IAM role for the scope of some `kubernetes` commands
b
the EKS pulumi kubeconfig is unique in that it retrieves a token using `aws eks get-token`. You can construct a Kubernetes provider that has that call in it with a profile, but the `aws eks get-token` command doesn't support assume role at all
f
ah, I see. will investigate using a profile here. thank you!
oh interesting. I found the following snippet in a github issue to change the kubeconfig to assume a particular role: https://github.com/pulumi/pulumi-eks/issues/405#issuecomment-652163657. This updated the `aws eks get-token` command in the kubeconfig to add a new `--role <role-arn>` argument. Seems to have worked fine. Will test some more, but it's looking solid.
g
i saw this comment https://github.com/pulumi/pulumi-kubernetes/issues/1775#issuecomment-1022120484 and was hoping there was already a solution if people are already managing aws-auth ?
I'm currently getting the value of the aws-auth configmap and then trying to figure out a way to push it
```typescript
import * as k8s from "@pulumi/kubernetes";
import * as YAML from "yaml";

// Read the existing aws-auth ConfigMap from the cluster (assumed retrieval; id is "namespace/name").
const awsAuthConfigmap = k8s.core.v1.ConfigMap.get("aws-auth", "kube-system/aws-auth");

// data.mapRoles is a YAML string holding a list of role mappings.
awsAuthConfigmap.data.apply(v => {
  console.log(YAML.parse(v.mapRoles))
  let roleMappings = YAML.parse(v.mapRoles)
  let roleMapping = {
    rolearn: "TEST",
    username: "TEST",
    groups: ["TEST"],   // groups is a list of group names in aws-auth
  }
  roleMappings.push(roleMapping)
  // console.log(roleMappings)
  return YAML.stringify(roleMappings)   // serialized mapRoles to write back
})
```
b
only with a dynamic provider
g
So is there a way to patch aws-auth now or not until this is shipped?
b
as I said, it's possible with a dynamic provider. you'd need to write create and update methods that patched the resource
g
seems complex, any examples?
b
lots of dynamic provider examples in github.com/pulumi/examples but none for this specific use case