Authorization in EKS with AWS SSO

Archived (pre-2022)

Preserved for reference only -- likely outdated. Last updated: May 2021

  1. Install awscli 2

Follow the instructions in AWS CLI - OKTA Integration.

After completing all steps you should have a configured ~/.aws/config file (you can also create this file manually, without running aws configure sso):

FairBid team:

[profile sso-inn-prd]
sso_start_url = https://d-90677a601d.awsapps.com/start
sso_region = us-east-1
sso_account_id = 003250186609
sso_role_name = Fairbid_Backend
region = us-east-1

[profile sso-ofw-prd]
sso_start_url = https://d-90677a601d.awsapps.com/start
sso_region = us-east-1
sso_account_id = 767648288756
sso_role_name = Fairbid_Backend
region = eu-west-1

[profile sso-ofw-stg]
sso_start_url = https://d-90677a601d.awsapps.com/start
sso_region = us-east-1
sso_account_id = 399797994004
sso_role_name = Fairbid_Backend
region = eu-west-1

Offerwall team:

[profile sso-inn-prd]
sso_start_url = https://d-90677a601d.awsapps.com/start
sso_region = us-east-1
sso_account_id = 003250186609
sso_role_name = Offerwall
region = us-east-1

[profile sso-ofw-prd]
sso_start_url = https://d-90677a601d.awsapps.com/start
sso_region = us-east-1
sso_account_id = 767648288756
sso_role_name = Offerwall
region = eu-west-1

[profile sso-ofw-stg]
sso_start_url = https://d-90677a601d.awsapps.com/start
sso_region = us-east-1
sso_account_id = 399797994004
sso_role_name = Offerwall
region = eu-west-1
  2. Log in to the account above

aws sso login --profile sso-inn-prd

This gives you a temporary token that lasts for 12 hours, after which you need to run aws sso login again.

  3. Configure the Kubernetes config

If you are adding a new cluster, run update-kubeconfig as described in Helm deployment.

For already configured EKS clusters, make sure you have the following for each cluster in ~/.kube/config:

...
users:
- name: arn:aws:eks:eu-west-1:399797994004:cluster/aws-staging-eks-common
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - eu-west-1
      - eks
      - get-token
      - --cluster-name
      - aws-staging-eks-common
      - --role
      - arn:aws:iam::399797994004:role/ADFS-Developer
      command: aws
      env:
      - name: AWS_PROFILE
        value: sso-ofw-stg
- name: arn:aws:eks:eu-west-1:767648288756:cluster/aws-production-eks-common
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - eu-west-1
      - eks
      - get-token
      - --cluster-name
      - aws-production-eks-common
      - --role
      - arn:aws:iam::767648288756:role/ADFS-Developer
      command: aws
      env:
      - name: AWS_PROFILE
        value: sso-ofw-prd
- name: arn:aws:eks:us-east-1:003250186609:cluster/bln-fairbid-production
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - bln-fairbid-production
      - --role
      - arn:aws:iam::003250186609:role/bln_eks_users
      command: aws
      env:
      - name: AWS_PROFILE
        value: sso-inn-prd
- name: arn:aws:eks:us-east-1:003250186609:cluster/production
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - production
      - --role
      - arn:aws:iam::003250186609:role/EKS_users
      command: aws
      env:
      - name: AWS_PROFILE
        value: sso-inn-prd
- name: arn:aws:eks:us-east-2:767648288756:cluster/ua-production-eks
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-2
      - eks
      - get-token
      - --cluster-name
      - ua-production-eks
      - --role
      - arn:aws:iam::767648288756:role/ua-production-eks-us-east-2-users
      command: aws
      env:
      - name: AWS_PROFILE
        value: sso-ofw-prd
- name: arn:aws:eks:us-west-2:003250186609:cluster/fairbid-production-eks
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-west-2
      - eks
      - get-token
      - --cluster-name
      - fairbid-production-eks
      - --role
      - arn:aws:iam::003250186609:role/fairbid-production-eks-us-west-2-users
      command: aws
      env:
      - name: AWS_PROFILE
        value: sso-inn-prd
- name: arn:aws:eks:eu-west-1:003250186609:cluster/fairbid-production-eks
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - eu-west-1
      - eks
      - get-token
      - --cluster-name
      - fairbid-production-eks
      - --role
      - arn:aws:iam::003250186609:role/fairbid-production-eks-eu-west-1-users
      command: aws
      env:
      - name: AWS_PROFILE
        value: sso-inn-prd
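
An added example, not part of the original page: a standard-library Python check that each exec user in the kubeconfig above is consistent with ~/.aws/config, so that a cluster entry cannot silently pick up the wrong SSO profile or fall back to default credentials. It takes the output of kubectl config view --raw -o json and the text of ~/.aws/config; the function names and sample values are constructed, and the rule that the role and the profile belong to the cluster's account is an assumption drawn from the entries on this page.

```python
import configparser
import json

def sso_accounts(aws_config_text):
    """Map profile name -> sso_account_id from ~/.aws/config text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(aws_config_text)
    return {s.split()[-1]: cp[s].get("sso_account_id") for s in cp.sections()}

def arg_after(args, flag):
    """Value following `flag` in an exec args list, or None."""
    return args[args.index(flag) + 1] if flag in args[:-1] else None

def lint_kubeconfig(kubeconfig_json, aws_config_text):
    """Return (user, problem) pairs for ARN-named EKS exec users."""
    profiles, findings = sso_accounts(aws_config_text), []
    for entry in json.loads(kubeconfig_json).get("users") or []:
        name, parts = entry["name"], entry["name"].split(":")
        exec_cfg = (entry.get("user") or {}).get("exec")
        if not exec_cfg or len(parts) != 6 or parts[2] != "eks":
            continue  # not an entry of the kind this page describes
        region, account, cluster = parts[3], parts[4], parts[5].split("/", 1)[-1]
        args = exec_cfg.get("args") or []
        env = {e["name"]: e["value"] for e in exec_cfg.get("env") or []}
        for flag, want in (("--region", region), ("--cluster-name", cluster)):
            if arg_after(args, flag) != want:
                findings.append((name, f"{flag} differs from cluster ARN"))
        # Assumption from the page: role and SSO profile are in the cluster's account.
        if (arg_after(args, "--role") or "").split(":")[4:5] != [account]:
            findings.append((name, "--role missing or in another account"))
        profile = env.get("AWS_PROFILE")
        if profile is None:
            findings.append((name, "AWS_PROFILE not pinned"))
        elif profiles.get(profile) != account:
            findings.append((name, f"profile {profile} is not for account {account}"))
    return findings

# Constructed sample (made-up account IDs); the second user pins the wrong profile.
SAMPLE_AWS_CONFIG = ("[profile sso-stg]\nsso_account_id = 111111111111\n"
                     "[profile sso-prd]\nsso_account_id = 222222222222\n")
def _user(account, profile):
    args = ["--region", "eu-west-1", "eks", "get-token", "--cluster-name", "demo",
            "--role", f"arn:aws:iam::{account}:role/demo-users"]
    return {"name": f"arn:aws:eks:eu-west-1:{account}:cluster/demo", "user": {"exec": {
        "command": "aws", "args": args, "env": [{"name": "AWS_PROFILE", "value": profile}]}}}
SAMPLE_KUBECONFIG = json.dumps({"users": [_user("111111111111", "sso-stg"),
                                          _user("222222222222", "sso-stg")]})
if __name__ == "__main__":
    print(lint_kubeconfig(SAMPLE_KUBECONFIG, SAMPLE_AWS_CONFIG))
```

An empty result means every ARN-named exec user pins a profile for its own cluster's account; users without an exec section or without an EKS ARN as name are skipped.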