Allow EKS users to authenticate by assuming a role. (#64)

jens-solarisbank · superbrothers · commit 6bea48f4f787 · 2019-02-25T14:21:06.000+09:00
diff --git a/AUTHORS b/AUTHORS
@@ -10,3 +10,4 @@ Anne Schuth
 Werner Buck
 Lucas de Haas
 Daniel Jensen
+Jens Herrmann
diff --git a/README.md b/README.md
@@ -49,6 +49,7 @@ The version of this resource corresponds to the version of kubectl. We recommend
 - `insecure_skip_tls_verify`: *Optional.* If true, the API server's certificate will not be checked for validity. This will make your HTTPS connections insecure. Defaults to `false`.
 - `use_aws_iam_authenticator`: *Optional.* If true, the aws_iam_authenticator, required for connecting with EKS, is used. Requires `aws_eks_cluster_name`. Defaults to `false`.
 - `aws_eks_cluster_name`: *Optional.* the AWS EKS cluster name, required when `use_aws_iam_authenticator` is true.
+- `aws_eks_assume_role`: *Optional.* the AWS IAM role ARN to assume.
 
 ## Behavior
 
diff --git a/assets/common.sh b/assets/common.sh
@@ -72,6 +72,12 @@ setup_kubectl() {
     use_aws_iam_authenticator="$(jq -r '.source.use_aws_iam_authenticator // ""' < "$payload")"
     local aws_eks_cluster_name
     aws_eks_cluster_name="$(jq -r '.source.aws_eks_cluster_name // ""' < "$payload")"
+    local aws_eks_assume_role
+    aws_eks_assume_role="$(jq -r '.source.aws_eks_assume_role // ""' < "$payload")"
+    if [[ "$aws_eks_assume_role" ]]; then
+      aws_eks_assume_role="- -r
+      - ${aws_eks_assume_role}"
+    fi
     if [[ "$use_aws_iam_authenticator" == "true" ]]; then
       if [ -z "$aws_eks_cluster_name" ]; then
         echoerr 'You must specify aws_eks_cluster_name when using aws_iam_authenticator.'
@@ -89,6 +95,7 @@ users:
       - token
       - -i
       - ${aws_eks_cluster_name}
+      ${aws_eks_assume_role}
       command: aws-iam-authenticator
       env: null
 EOF
diff --git a/test/suite.bats b/test/suite.bats
@@ -40,6 +40,14 @@ teardown() {
   assert_not_match 'did not find expected key' "$output"
 }
 
+@test "with outputs.aws_eks_assume_role" {
+  run assets/out <<< "$(jq -n '{"source": {"use_aws_iam_authenticator": true, "aws_eks_cluster_name": "eks-cluster01", "aws_eks_assume_role": "arn:role", "server": $server, "token": $token}, "params": {"kubectl": "get po"}}' \
+    --arg server "$server" \
+    --arg token "$token" \
+    --arg kubectl "get po nginx")"
+  assert_not_match 'did not find expected key' "$output"
+}
+
 @test "with source.kubeconfig" {
   run assets/out <<< "$(jq -n '{"source": {"kubeconfig": $kubeconfig}, "params": {"kubectl": $kubectl}}' \
     --arg kubeconfig "$(cat "$kubeconfig_file")" \
