We have SSO configured in the main AWS account and we log in to the child AWS account using that SSO link. Now we have created an EKS cluster in the child account, but we are not able to view the nodes and other resources because of the aws-auth config settings. How do we check the current role we have assumed in the child account, so that we can add it to the aws-auth configmap of the EKS cluster and be able to see them?
1 Answer
Use the AWS CLI:
aws sts get-caller-identity --profile <profileName>
will return the assumed role in the form of
"arn:aws:sts::AccountId:assumed-role/RoleName/SSOemail"
and pass the RoleName in the --role-name parameter as shown below; this should give you what you ask for.
aws iam get-role --role-name RoleName --profile profileName
Adding some additional info on setting up SSO login from your localhost using the AWS CLI: essentially you just need the AWS CLI and a config file that has the profile entries; you can create the config file on your host and then point the CLI at it using an environment variable.
Config file:
[default]
region = region
output = yaml
[profile myProfileName]
sso_start_url =
sso_region =
sso_account_id =
sso_role_name =
region =
output = json
and set the environment variable to the path of the file that holds the profiles,
AWS_CONFIG_FILE=/path/to/the/config/file
then you can log in to your account using
aws sso login --profile myProfileName
and then you will be able to execute the above commands. This is a very neat way to manage and troubleshoot your organization's accounts from a single point.
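The answer above gives the two CLI calls; the remaining step is turning what they print into the value that the aws-auth ConfigMap actually accepts. The script below is an added example, not code from the answer or from AWS. It parses a constructed assumed-role ARN of the shape shown in the answer into the IAM role ARN, strips the path that `aws iam get-role` returns for SSO roles (aws-auth does not accept role ARNs with a path, so the `aws-reserved/sso.amazonaws.com/...` part must go), and emits a `mapRoles` entry. The account id, role name, user name and Kubernetes group are placeholders; the group is assumed to be bound to a read-only ClusterRole, since the question only needs to view nodes.

```shell
#!/bin/sh
# Added example (not part of the original answer): derive the aws-auth
# mapRoles entry from the ARN that `aws sts get-caller-identity` prints.
# Every identifier below is a constructed placeholder.

# Constructed sample of the "Arn" field for an SSO session. In real use:
#   aws sts get-caller-identity --profile myProfileName --query Arn --output text
SAMPLE_CALLER_ARN='arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_PlaceholderPermissionSet_0123456789abcdef/user@example.com'

# sts_arn_to_iam_role_arn ASSUMED_ROLE_ARN
# Prints arn:aws:iam::<account>:role/<RoleName>, which is the path-less form
# aws-auth wants. Returns 1 for anything that is not an assumed-role ARN
# (for example a plain IAM user ARN), so a wrong profile is caught early.
sts_arn_to_iam_role_arn() {
    arn="$1"
    case "$arn" in
        arn:aws:sts::*:assumed-role/*/*) ;;
        *) echo "not an assumed-role ARN: $arn" >&2; return 1 ;;
    esac
    rest="${arn#arn:aws:sts::}"        # 123456789012:assumed-role/Role/session
    account="${rest%%:*}"              # 123456789012
    rest="${rest#*:assumed-role/}"     # Role/session
    role_name="${rest%%/*}"            # Role (role names cannot contain '/')
    printf 'arn:aws:iam::%s:role/%s\n' "$account" "$role_name"
}

# strip_role_path IAM_ROLE_ARN
# `aws iam get-role` returns SSO roles with a path such as
# role/aws-reserved/sso.amazonaws.com/<region>/<RoleName>. The aws-auth
# ConfigMap rejects paths, so keep only the last path component.
strip_role_path() {
    arn="$1"
    prefix="${arn%%:role/*}"           # arn:aws:iam::123456789012
    role_name="${arn##*/}"             # last path component
    printf '%s:role/%s\n' "$prefix" "$role_name"
}

# map_roles_entry IAM_ROLE_ARN USERNAME GROUP
# Emits the YAML list item to append under mapRoles in
# `kubectl edit -n kube-system configmap/aws-auth`. The group is assumed to
# already be bound to a read-only ClusterRole via a ClusterRoleBinding.
map_roles_entry() {
    printf '  - rolearn: %s\n    username: %s\n    groups:\n      - %s\n' "$1" "$2" "$3"
}

# Demo run on the constructed sample.
role_arn="$(sts_arn_to_iam_role_arn "$SAMPLE_CALLER_ARN")"
map_roles_entry "$role_arn" 'sso-viewer' 'eks-viewers'
```

The first function is enough on its own when you start from `get-caller-identity`; the second is for the case where you copied the ARN out of `aws iam get-role` instead and it still carries the SSO path. Either way, the value that goes into `rolearn` is the same path-less ARN, and every SSO user who lands on that permission set in the account is mapped by it.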
- Hey Furydrive .... thank you for the suggestion. We have neither configured any profile in the EC2 instance nor do we have any access key credentials for that account; if we execute this command it asks us to configure aws. Even if we add a role to EC2, that will be different from the role we assumed while logging into the account. So how do we solve this issue? – Nitin G Oct 13 '22 at 12:44
- EC2 Instance Role has nothing to do with this. The --profile flag in the command refers to the AWS CLI when integrating with SSO, read [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html); otherwise check if you can run the command using the AWS CloudShell service, which is a web-based shell that inherits privileges from the user you used to log in to the account. – furydrive Oct 13 '22 at 13:50
- In fact, I was thinking along similar lines, but still thanks for the info. I will accept your answer :) – Nitin G Oct 14 '22 at 04:05