saml2aws as credential plugin for eks cluster

README.md

@@ -238,6 +238,15 @@ Commands:
         --credentials-file=CREDENTIALS-FILE
                                The file that will cache the credentials retrieved from AWS. When not specified, will use the default AWS credentials file location. (env: SAML2AWS_CREDENTIALS_FILE)
 
+  eks-token [<flags>]
+    EKS (K8S) token will be created (usefull as a credential plugin).
+
+        --cluster-name=CLUSTER_NAME  Name of the EKS cluster.
+        --exec-profile=EXEC-PROFILE
+                           The AWS profile to utilize for console execution. (env: SAML2AWS_EXEC_PROFILE)
+    -p, --profile=PROFILE  The AWS profile to save the temporary credentials. (env: SAML2AWS_PROFILE)
+        --force            Refresh credentials even if not expired.
+
 
 ```
 
@@ -497,6 +506,26 @@ region                  = us-east-1
 
 To use this you will need to export `AWS_DEFAULT_PROFILE=customer-test` environment variable to target `test`.
 
+### Using `saml2aws` as [credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins) for kubectl
+
+1. Install `saml2aws` binary
+2. Edit kubectl config (`~/.kube/config`), replace exec command by:
+
+```bash
+    exec:
+      interactiveMode: Always
+      apiVersion: client.authentication.k8s.io/v1
+      args:
+      - eks-token
+      - --cluster-name
+      - %EKS_CLUSTER_NAME%
+      - --session-duration
+      - "900"
+      - --prompter
+      - output-to-stderr
+      command: saml2aws
+```
+
 ## Advanced Configuration (Multiple AWS account access but SAML authenticate against a single 'SSO' AWS account)
 
 Example:

cmd/saml2aws/commands/eks-token.go

@@ -0,0 +1,104 @@
+package commands
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/pkg/errors"
+	"github.com/versent/saml2aws/v2/pkg/awsconfig"
+	"github.com/versent/saml2aws/v2/pkg/flags"
+	"log"
+	"sigs.k8s.io/aws-iam-authenticator/pkg/token"
+	"time"
+)
+
+const (
+	kind       = "ExecCredential"
+	apiVersion = "client.authentication.k8s.io/v1"
+)
+
+type tokenOutput struct {
+	Kind       string            `json:"kind"`
+	ApiVersion string            `json:"apiVersion"`
+	Status     tokenOutputStatus `json:"status"`
+}
+type tokenOutputStatus struct {
+	ExpirationTimestamp string `json:"expirationTimestamp"`
+	Token               string `json:"token"`
+}
+
+func EksToken(configFlags *flags.LoginExecFlags) error {
+	account, err := buildIdpAccount(configFlags)
+	if err != nil {
+		return errors.Wrap(err, "error building login details")
+	}
+
+	sharedCreds := awsconfig.NewSharedCredentials(account.Profile, account.CredentialsFile)
+
+	// this checks if the credentials file has been created yet
+	exist, err := sharedCreds.CredsExists()
+	if err != nil {
+		return errors.Wrap(err, "error loading credentials")
+	}
+	if !exist {
+		log.Println("unable to load credentials, login required")
+		return nil
+	}
+
+	awsCreds, err := sharedCreds.Load()
+	if err != nil {
+		return errors.Wrap(err, "error loading credentials")
+	}
+
+	if awsCreds.Expires.Sub(time.Now()) < 0 {
+		if err := Login(configFlags); err != nil {
+			return errors.Wrap(err, "error logging in")
+		}
+		awsCreds, err = sharedCreds.Load()
+		if err != nil {
+			return errors.Wrap(err, "error loading credentials")
+		}
+	}
+
+	gen, err := token.NewGenerator(true, false)
+	if err != nil {
+		return errors.Wrap(err, "failed to create token generator")
+	}
+
+	sess, err := session.NewSession(&aws.Config{
+		CredentialsChainVerboseErrors: aws.Bool(true),
+		Region:                        aws.String(awsCreds.Region),
+		Credentials:                   credentials.NewStaticCredentials(awsCreds.AWSAccessKey, awsCreds.AWSSecretKey, awsCreds.AWSSessionToken),
+	})
+	if err != nil {
+		return errors.Wrap(err, "failed to create aws session")
+	}
+
+	opts := &token.GetTokenOptions{
+		Region:    configFlags.CommonFlags.Region,
+		ClusterID: configFlags.ClusterName,
+		Session:   sess,
+	}
+	eksToken, err := gen.GetWithOptions(opts)
+	if err != nil {
+		return errors.Wrap(err, "error generating token")
+	}
+
+	output := &tokenOutput{
+		Kind:       kind,
+		ApiVersion: apiVersion,
+		Status: tokenOutputStatus{
+			ExpirationTimestamp: eksToken.Expiration.Format("2006-01-02T15:04:05Z"),
+			Token:               eksToken.Token,
+		},
+	}
+	jsonOutput, err := json.Marshal(output)
+	if err != nil {
+		return errors.Wrap(err, "error marshaling json")
+	}
+
+	fmt.Println(string(jsonOutput))
+	return nil
+}

cmd/saml2aws/main.go

@@ -154,6 +154,11 @@ func main() {
 		Default("bash").
 		EnumVar(&shell, "bash", "powershell", "fish", "env")
 
+	cmdEksToken := app.Command("eks-token", "Produce token to get an access to the EKS cluster (cluster name should be provided by 'cluster-name' flag).")
+	eksFlags := new(flags.LoginExecFlags)
+	eksFlags.CommonFlags = commonFlags
+	cmdEksToken.Flag("cluster-name", "EKS cluster name.").StringVar(&eksFlags.ClusterName)
+
 	// Trigger the parsing of the command line inputs via kingpin
 	command := kingpin.MustParse(app.Parse(os.Args[1:]))
 
@@ -194,6 +199,8 @@ func main() {
 		err = commands.ListRoles(listRolesFlags)
 	case cmdConfigure.FullCommand():
 		err = commands.Configure(configFlags)
+	case cmdEksToken.FullCommand():
+		err = commands.EksToken(eksFlags)
 	}
 
 	if err != nil {

go.mod

@@ -24,34 +24,58 @@ require (
 	github.com/tidwall/gjson v1.14.1
 	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd
 	gopkg.in/ini.v1 v1.66.6
+	sigs.k8s.io/aws-iam-authenticator v0.5.9
 )
 
 require (
 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
-	github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc // indirect
-	github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf // indirect
+	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
+	github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d // indirect
 	github.com/andybalholm/cascadia v1.3.1 // indirect
 	github.com/bearsh/hid v1.3.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.1.1 // indirect
 	github.com/danwakefield/fnmatch v0.0.0-20160403171240-cbb64ac3d964 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dvsekhvalnov/jose2go v1.5.0 // indirect
+	github.com/go-logr/logr v0.4.0 // indirect
 	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
+	github.com/gofrs/flock v0.7.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/go-cmp v0.5.5 // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/gorilla/websocket v1.4.2 // indirect
 	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.11 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/mattn/go-colorable v0.1.2 // indirect
 	github.com/mattn/go-isatty v0.0.8 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.1 // indirect
 	github.com/mtibben/percent v0.2.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_golang v1.11.0 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.26.0 // indirect
+	github.com/prometheus/procfs v0.6.0 // indirect
 	github.com/stretchr/objx v0.4.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
-	golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 // indirect
+	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 // indirect
 	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
+	google.golang.org/protobuf v1.26.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/apimachinery v0.22.1 // indirect
+	k8s.io/client-go v0.22.1 // indirect
+	k8s.io/klog/v2 v2.9.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
 )