ArgoCD external cluster EKS config provider for GKE (workload identity)

The purpose of this application is to let ArgoCD, running on Google Kubernetes Engine (GKE) clusters with workload identity, authenticate to EKS clusters using identity alone, without any permanent credentials.

Introduction

The scenario this application covers is an ArgoCD instance running on GKE that uses workload identity and Google Cloud to AWS IAM role federation to authenticate to EKS clusters without any long-term credentials. The program uses the GKE/GCE-provided OAuth token to assume an AWS role and generates a pre-signed URL for EKS authentication.

Prerequisites

  1. A Google Cloud environment configured with an IAM identity: either a VM instance running as a service account or a GKE pod configured with GKE workload identity. For ArgoCD this means the argocd-server and argocd-application-controller deployments use workload identity. Workload identity can be configured easily with the official workload identity Terraform module.
  2. An AWS IAM role that trusts the GCP service account used by the environment running the program. For ArgoCD these are the service accounts used by the argocd-server and argocd-application-controller deployments/pods. This involves setting up an IAM role trust policy that allows the sts:AssumeRoleWithWebIdentity action for the accounts.google.com federated principal (more documentation here).
  3. The IAM role from step 2 having the permissions (attached policies) needed to manage the EKS cluster(s).

Getting started

Installation

Download the precompiled binary for your platform from the repository's releases page. For ArgoCD the binary must be available in both the argocd-server and argocd-application-controller deployments/pods.

The binary can be shipped in custom ArgoCD images, or downloaded into a volume that is mounted into the argocd-server and argocd-application-controller deployments/pods.

Example for the ArgoCD official Helm chart; the same blocks go under both the controller and server values:

  ...
  initContainers:
   - name: download-tools
     image: alpine:3
     command: [sh, -c]
     args:
       - wget -qO k8s-auth-gke-wli-eks https://github.com/zepellin/argocd-k8s-auth-gke-wli-eks/releases/download/v0.1.0/k8s-auth-gke-wli-eks-v0.1.0-linux-amd64 && chmod +x k8s-auth-gke-wli-eks && mv k8s-auth-gke-wli-eks /argo-k8s-auth-gke-wli-eks/
     volumeMounts:
       - mountPath: /argo-k8s-auth-gke-wli-eks
         name: argo-k8s-auth-gke-wli-eks

  volumeMounts:
   - mountPath: /usr/local/bin/k8s-auth-gke-wli-eks
     name: argo-k8s-auth-gke-wli-eks
     subPath: k8s-auth-gke-wli-eks

  volumes:
   - name: argo-k8s-auth-gke-wli-eks
     emptyDir: {}

Usage

The program takes the following arguments:

  • -rolearn: The AWS IAM role ARN to assume (required).
  • -cluster: The name of the AWS EKS cluster for which you need credentials (required).
  • -stsregion: AWS STS region to which requests are made (optional, default: us-east-1).

Example:

$ k8s-auth-gke-wli-eks -rolearn "arn:aws:iam::123456789012:role/argocdrole" -cluster "my-eks-cluster-name" -stsregion "us-east-1"

ArgoCD Configuration

Create a cluster secret in your ArgoCD namespace whose config key holds the JSON exec-provider section shown below (written here under stringData, so Kubernetes stores it base64-encoded as data.config):

apiVersion: v1
kind: Secret
metadata:
  name: my-eks-cluster-name-secret
  labels:
    argocd.argoproj.io/secret-type: cluster
type: Opaque
stringData:
  name: my-eks-cluster-name
  server: https://213456423213456789456123ABCDEF.grx.us-east-1.eks.amazonaws.com
  config: |
    {
      "execProviderConfig": {
        "command": "k8s-auth-gke-wli-eks",
        "args": [
            "-rolearn",
            "arn:aws:iam::123456789012:role/argocdrole",
            "-cluster",
            "my-eks-cluster-name",
            "-stsregion",
            "us-east-2"
        ],
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "installHint": "k8s-auth-gke-wli-eks missing"
      },
      "tlsClientConfig": {
        "insecure": false,
        "caData": "base64_encoded_ca_data"
      }
    }

Features

The output of the program is an ExecCredential object of the client.authentication.k8s.io/v1beta1 Kubernetes API, which ArgoCD consumes when authenticating to the EKS cluster.
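To make the flow described in the Introduction and here concrete, the following is an added example in standard-library Go (not the project's own code): it builds the 60-second pre-signed STS GetCallerIdentity URL with the cluster name bound in the signed x-k8s-aws-id header, wraps it in the k8s-aws-v1 token format EKS expects, and renders the ExecCredential object ArgoCD reads. The STS credentials passed in are placeholders; in the real flow they come from AssumeRoleWithWebIdentity using the GKE workload identity token, which this example does not perform.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"net/url"
	"strings"
	"time"
)

func hmacSHA256(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// EKSToken presigns STS GetCallerIdentity with SigV4 (60 s validity), binding the cluster name
// through the signed x-k8s-aws-id header, and wraps the URL in the k8s-aws-v1 bearer token format.
// accessKey/secretKey/sessionToken are the temporary credentials AssumeRoleWithWebIdentity returned.
func EKSToken(accessKey, secretKey, sessionToken, region, cluster string, now time.Time) string {
	host := "sts." + region + ".amazonaws.com"
	amzDate := now.UTC().Format("20060102T150405Z")
	scope := amzDate[:8] + "/" + region + "/sts/aws4_request"
	q := url.Values{"Action": {"GetCallerIdentity"}, "Version": {"2011-06-15"},
		"X-Amz-Algorithm": {"AWS4-HMAC-SHA256"}, "X-Amz-Credential": {accessKey + "/" + scope},
		"X-Amz-Date": {amzDate}, "X-Amz-Expires": {"60"}, "X-Amz-SignedHeaders": {"host;x-k8s-aws-id"}}
	if sessionToken != "" {
		q.Set("X-Amz-Security-Token", sessionToken)
	}
	query := q.Encode() // keys sorted, RFC 3986 escaped: this is the canonical query string
	empty := sha256.Sum256(nil) // a presigned GET carries no body, so the payload hash is SHA-256("")
	canonical := strings.Join([]string{"GET", "/", query,
		"host:" + host + "\nx-k8s-aws-id:" + cluster + "\n", "host;x-k8s-aws-id", hex.EncodeToString(empty[:])}, "\n")
	reqHash := sha256.Sum256([]byte(canonical))
	toSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, hex.EncodeToString(reqHash[:])}, "\n")
	k := hmacSHA256([]byte("AWS4"+secretKey), amzDate[:8])
	for _, part := range []string{region, "sts", "aws4_request"} {
		k = hmacSHA256(k, part) // derive the SigV4 signing key: date -> region -> service -> aws4_request
	}
	presigned := "https://" + host + "/?" + query + "&X-Amz-Signature=" + hex.EncodeToString(hmacSHA256(k, toSign))
	return "k8s-aws-v1." + base64.RawURLEncoding.EncodeToString([]byte(presigned))
}

// ExecCredential renders the client.authentication.k8s.io/v1beta1 object ArgoCD consumes.
func ExecCredential(token string, expires time.Time) (string, error) {
	b, err := json.Marshal(map[string]interface{}{"apiVersion": "client.authentication.k8s.io/v1beta1", "kind": "ExecCredential",
		"status": map[string]string{"token": token, "expirationTimestamp": expires.UTC().Format(time.RFC3339)}})
	return string(b), err
}
```

The expirationTimestamp tells ArgoCD when to re-run the command; the presigned URL itself is only accepted by STS for the 60 seconds set in X-Amz-Expires.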

Contributing

If you'd like to contribute to this project, please follow the standard open-source contribution guidelines. Please report issues, submit feature requests, or create pull requests to improve the application.

Additional resources

  • Terraform GKE Workload Identity module: terraform-google-workload-identity
  • Available keys for AWS web identity federation, including an example of a role trust policy with accounts.google.com: AWS docs link
  • How to use trust policies with IAM roles, for ways to further secure AWS trust policies: AWS Blog

Credits

License

This project is licensed under the MIT License - see the LICENSE file for details.
