{"id":28510455,"url":"https://github.com/qovery/iam-eks-user-mapper","last_synced_at":"2025-10-13T13:32:24.104Z","repository":{"id":181836147,"uuid":"667176705","full_name":"Qovery/iam-eks-user-mapper","owner":"Qovery","description":"A tool to automatically give AWS IAM users access to your Kubernetes cluster.","archived":false,"fork":false,"pushed_at":"2025-05-13T14:59:41.000Z","size":1532,"stargazers_count":51,"open_issues_count":0,"forks_count":3,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-10-01T05:51:40.665Z","etag":null,"topics":["aws","eks","iam","kubernetes","rust"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Qovery.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-07-16T22:22:38.000Z","updated_at":"2025-05-13T14:59:45.000Z","dependencies_parsed_at":"2023-07-17T20:37:51.985Z","dependency_job_id":"952b292e-80c5-43b0-b2d6-fb7850d321bb","html_url":"https://github.com/Qovery/iam-eks-user-mapper","commit_stats":null,"previous_names":["qovery/iam-eks-user-mapper"],"tags_count":17,"template":false,"template_full_name":null,"purl":"pkg:github/Qovery/iam-eks-user-mapper","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Qovery%2Fiam-eks-user-mapper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Qovery%2Fiam-eks-user-mapper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Qovery%2Fiam-eks-user-mapper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Qovery%2Fiam-eks-user-mapper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Qovery","download_url":"https://codeload.github.com/Qovery/iam-eks-user-mapper/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Qovery%2Fiam-eks-user-mapper/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279015312,"owners_count":26085684,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-13T02:00:06.723Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","eks","iam","kubernetes","rust"],"created_at":"2025-06-08T23:05:05.608Z","updated_at":"2025-10-13T13:32:24.063Z","avatar_url":"https://github.com/Qovery.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# IAM EKS user mapper\n\nThis tool aims to automatically give selected AWS IAM users access to your Kubernetes cluster.\nIt's based on this [tool](https://github.com/ygrene/iam-eks-user-mapper) which is now archived, its main features were reported and extended (role based auth, and SSO for example).\n\n## Design overview\n\n![](doc/images/design-overview-dark.svg)\n\nIAM EKS user mapper is running as a pod in the kubernetes cluster.\nAt a given interval (default 30s) it executes the following:\n\n**IF Groups users sync enabled**\n\n1. Get IAM users from IAM groups to be given access to the cluster\n2. Add IAM users from IAM groups `aws-auth` configmap in the cluster giving them access to the cluster\n\n**IF SSO enabled**\n\n- Add SSO role arn to `aws-auth` configmap in the cluster allowing users allowed to use this SSO role to connect to the cluster via SSO.\n\n**IF Karpenter enabled**\n\n- Add Karpenter role arn to `aws-auth` configmap in the cluster allowing Karpenter to create nodes in the cluster.\n\n## Usage\n\n```shell\n./iam-eks-user-mapper \\\n --service-account-name \u003cSERVICE_ACCOUNT_NAME\u003e \\\n # either fill aws-role-arn or aws-access-key-id and aws-secret-access-key\n --aws-role-arn \u003cAWS_ROLE_ARN\u003e \\\n --aws-access-key-id \u003cAWS_ACCESS_KEY_ID\u003e \\\n --aws-secret-access-key \u003cAWS_SECRET_ACCESS_KEY\u003e \\\n --aws-default-region \u003cAWS_DEFAULT_REGION\u003e \\\n --admins-users-arns \u003cADMINS_USERS_ARNS\u003e \\\n --enable-group-user-sync \u003cENABLE_GROUP_USER_SYNC\u003e \\\n --iam-k8s-groups \u003cIAM_K8S_GROUPS\u003e \\\n --enable-sso \u003cENABLE_SSO\u003e \\\n --iam-sso-role-arn \u003cIAM_SSO_ROLE_ARN\u003e \\\n --karpenter-arn \u003cKARPENTER_ROLE_ARN\u003e \\\n --refresh-interval-seconds \u003cREFRESH_INTERVAL_SECONDS\u003e \\\n --verbose \u003cVERBOSE\u003e\n```\n\n| Parameter | Type | Default | Required | Description | Example |\n| -------------------------- | --------- | ------- | ----------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------- |\n| `service-account-name` | `String` | | `true` | Service account name to be used | `my-service-account` |\n| `aws-role-arn` | `String` | | `true` if aws_access_key_id and aws_secret_access_key are not specified | AWS role ARN to be used | `arn:aws:iam::12345678910:role/my-role` |\n| `aws_access_key_id` | `String` | | `true` if aws-role-arn is not specified | AWS Access Key ID to be used | `EXAMPLEACCESSKEYID` |\n| `aws_secret_access_key` | `String` | | `true` if aws-role-arn is not specified | AWS Secret Access Key to be used | `EXAMPLESECRETACCESSKEY` |\n| `aws_default_region` | `String` | | `true` | AWS default region to be used | `eu-west-3` |\n| `refresh_interval_seconds` | `Integer` | `30` | `false` | Refresh interval in seconds between two user synchronization | `120` |\n| `enable_group_user_sync` | `Boolean` | `false` | `false` | Activate User Groups sync | `true` |\n| `admins_users_arns` | `String` | `\"\"` | `false` | IAM users to be mapped into Kubernetes `system:masters`, syntax is `\u003cIAM_USER_ARN\u003e,\u003cIAM_USER_ARN_2\u003e` | `arn:aws:iam::123456789012:user/JohnDoe,arn:aws:iam::123456789012:user/JohnDoe2` |\n| `iam_k8s_groups` | `String` | `\"\"` | `false` (`true` if `enable_group_user_sync` == `true`) | IAM groups to be mapped into Kubernetes, syntax is `\u003cIAM_GROUP\u003e-\u003e\u003cKUBERNETES_GROUP\u003e,\u003cIAM_GROUP_2\u003e-\u003e\u003cKUBERNETES_GROUP_2\u003e` | `Admins-\u003esystem:masters`, `Admins-\u003esystem:masters,Devops-\u003esystem:devops` |\n| `enable_sso` | `Boolean` | `false` | `false` | Activate SSO support to connect to the cluster | `true` |\n| `iam_sso_role_arn` | `String` | `\"\"` | `false` (`true` if `enable_sso` == `true`) | IAM SSO role ARN to be used to connect to the cluster | `\"arn:aws:iam::[AWS_ACCOUNT_ID]:role/aws-reserved/sso.amazonaws.com/[AWS_REGION]/AWSReservedSSO_AdministratorAccess_53b82e109c5e2cac\"` |\n| `karpenter_role_arn` | `String` | `\"\"` | `false` | Enable Karpenter role ARN | `arn:aws:iam::account_id:role/role_id` |\n| `verbose` | `Boolean` | `false` | `false` | Activate verbose mode | `Admins-\u003esystem:masters`, `Admins-\u003esystem:masters,Devops-\u003esystem:devops` |\n\n**Note:** Either `aws_role_arn` or `aws_access_key_id` and `aws_secret_access_key` must be provided. Both cannot be provided at the same time.\n\nAll parameters can be set as environment variables as well:\n\n```shell\nSERVICE_ACCOUNT_NAME=\u003cSERVICE_ACCOUNT_NAME\u003e \\\nAWS_ROLE_ARN=\u003cAWS_ROLE_ARN\u003e \\\nAWS_ACCESS_KEY_ID=\u003cAWS_ACCESS_KEY_ID\u003e \\\nAWS_SECRET_ACCESS_KEY=\u003cAWS_SECRET_ACCESS_KEY\u003e \\\nAWS_DEFAULT_REGION=\u003cAWS_DEFAULT_REGION\u003e \\\nADMINS_USERS_ARNS=\u003cADMINS_IAM_USERS\u003e \\\nENABLE_GROUP_USER_SYNC=\u003cENABLE_GROUP_USER_SYNC\u003e \\\nIAM_K8S_GROUPS=\u003cIAM_K8S_GROUPS\u003e \\\nENABLE_SSO=\u003cENABLE_SSO\u003e \\\nIAM_SSO_ROLE_ARN=\u003cIAM_SSO_ROLE_ARN\u003e \\\nKARPENTER_ROLE_ARN=\u003cKARPENTER_ROLE_ARN\u003e \\\nREFRESH_INTERVAL_SECONDS=\u003cREFRESH_INTERVAL_SECONDS\u003e \\\nVERBOSE=\u003cVERBOSE\u003e \\\n./iam-eks-user-mapper\n```\n\n### Helm\n\nGiving a `iam-eks-user-mapper.yaml` file with the following content:\n\n```yaml\nadminsUsersArns:\n enabled: \u003cENABLE_ADMINS_USERS_SYNC\u003e\n arns: [] # [\"arn:aws:iam::123456789012:user/JohnDoe\"]\n\ngroupUsersSync:\n enabled: \u003cENABLE_GROUP_USER_SYNC\u003e\n iamK8sGroups: \u003cIAM_K8S_GROUPS\u003e # \"group1,group2\"\n\nsso:\n enabled: \u003cENABLE_SSO\u003e\n iamSSORoleArn: \u003cIAM_SSO_ROLE_ARN\u003e # \"arn:aws:iam::[AWS_ACCOUNT_ID]:role/aws-reserved/sso.amazonaws.com/[AWS_REGION]/AWSReservedSSO_AdministratorAccess_53b82e109c5e2cac\"\n\nkarpenter:\n enabled: false\n iamKarpenterRoleArn: \u003cKARPENTER_ROLE_ARN\u003e # \"arn:aws:iam::[AWS_ACCOUNT_ID]:role/[ROLE_NAME]\"\n\nrefreshIntervalSeconds: \u003cREFRESH_INTERVAL_SECONDS\u003e\n\naws:\n defaultRegion: \u003cAWS_DEFAULT_REGION\u003e\n # either fill roleArn or accessKeyId and secretAccessKey or existingSecretName\n roleArn: \u003cAWS_ROLE_ARN\u003e\n # if you want to use an existing secret, set the name here\n # it must contain AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY\n existingSecretName: \u003cAWS_SECRET_NAME\u003e\n accessKeyId: \u003cAWS_ACCESS_KEY_ID\u003e\n secretAccessKey: \u003cAWS_SECRET_ACCESS_KEY\u003e\n\n# Repository for the image is there\n# https://github.com/Qovery/iam-eks-user-mapper\nimage:\n repository: docker pull ghcr.io/qovery/iam-eks-user-mapper\n pullPolicy: IfNotPresent\n tag: main\n\nserviceAccount:\n name: \u003cAWS_ROLE_ARN\u003e\n annotations:\n - eks\\\\.amazonaws\\\\.com/role-arn=\u003cSERVICE_ACCOUNT_NAME\u003e\n\nresources:\n limits:\n cpu: \u003cRESOURCES_LIMITS_CPU\u003e\n memory: \u003cRESOURCES_LIMITS_MEMORY\u003e\n requests:\n cpu: \u003cRESOURCES_REQUESTS_CPU\u003e\n memory: \u003cRESOURCES_REQUESTS_MEMORY\u003e\n```\n\n```shell\nhelm upgrade \\\n --kubeconfig \u003cYOUR_KUBECONFIG_FILE_PATH\u003e \\\n --install --namespace \"kube-system\" \\\n -f \"iam-eks-user-mapper.yaml\" \\\n iam-eks-user-mapper ./charts/iam-eks-user-mapper\"\n```\n\n### Cargo\n\n```shell\ngit clone https://github.com/Qovery/iam-eks-user-mapper.git \u0026\u0026 cd $_\n\ncargo run -- \\\n --service-account-name \u003cSERVICE_ACCOUNT_NAME\u003e \\\n --aws-role-arn \u003cAWS_ROLE_ARN\u003e \\\n --aws-default-region \u003cAWS_DEFAULT_REGION\u003e \\\n --admins-iam-users \u003cADMINS_IAM_USERS\u003e \\\n --enable-group-user-sync \u003cENABLE_GROUP_USER_SYNC\u003e \\\n --iam-k8s-groups \u003cIAM_K8S_GROUPS\u003e \\\n --enable-sso \u003cENABLE_SSO\u003e \\\n --iam-sso-role-arn \u003cIAM_SSO_ROLE_ARN\u003e \\\n --refresh-interval-seconds \u003cREFRESH_INTERVAL_SECONDS\u003e \\\n --verbose \u003cVERBOSE\u003e\n```\n\n### Docker\n\n```shell\ndocker run ghcr.io/qovery/iam-eks-user-mapper:main \\\n -e IAM_K8S_GROUPS=\"\u003cIAM_K8S_GROUPS\u003e\" \\\n -e REFRESH_INTERVAL_SECONDS=\"\u003cREFRESH_INTERVAL_SECONDS\u003e\" \\\n -e ENABLE_GROUP_USER_SYNC=\"\u003cENABLE_GROUP_USER_SYNC\u003e\" \\\n -e IAM_K8S_GROUPS=\"\u003cIAM_K8S_GROUPS\u003e\" \\\n -e ENABLE_SSO=\"\u003cENABLE_SSO\u003e\" \\\n -e IAM_SSO_ROLE_ARN=\"\u003cIAM_SSO_ROLE_ARN\u003e\" \\\n -e AWS_DEFAULT_REGION=\"\u003cAWS_DEFAULT_REGION\u003e\" \\\n -e AWS_ROLE_ARN=\"\u003cAWS_ROLE_ARN\u003e\" \\\n -e SERVICE_ACCOUNT_NAME=\"\u003cSERVICE_ACCOUNT_NAME\u003e\"\n```\n\n## AWS setup\n\n### Setup a group to allow group sync\n\nAllowing to sync IAM users from an IAM group giving IAM users access to the cluster.\n\nFirst step to allow IAM user groups sync is to create a group to sync IAM side.\n(Steps below are taken from [Qovery's official doc to setup an AWS cluster](https://hub.qovery.com/docs/using-qovery/configuration/cloud-service-provider/amazon-web-services/), it requires a dedicated group to run.)\n\n1. Go to IAM AWS console\n ![](doc/images/group-sync-configuration/go-to-aws-console-iam.png)\n\n2. Create a new group **without permissions** (`Admins` in our example)\n ![](doc/images/group-sync-configuration/create-iam-group.jpg)\n ![](doc/images/group-sync-configuration/create-iam-group-2.png)\n ![](doc/images/group-sync-configuration/create-iam-group-3.png)\n\n3. Add / create users within this `Admins` group\n ![](doc/images/group-sync-configuration/add-user-to-admin-group.png)\n\n4. Pass group info `Admins` to be mapped to `system:masters` K8s role to `iam-eks-user-mapper`.\n\n```shell\n./iam-eks-user-mapper \\\n --service-account-name \u003cSERVICE_ACCOUNT_NAME\u003e \\\n --aws-role-arn \u003cAWS_ROLE_ARN\u003e \\\n --aws-default-region \u003cAWS_DEFAULT_REGION\u003e \\\n --enable-group-user-sync true \\\n --iam-k8s-groups \"Admins-\u003esystem:masters\"\n```\n\n### Setup SSO to allow SSO connection to the cluster\n\nAllowing SSO connection to your k8s cluster.\n\nYou can use [this documentation](https://aws.amazon.com/fr/blogs/containers/a-quick-path-to-amazon-eks-single-sign-on-using-aws-sso/) to setup SSO to your AWS organization.\n\nOnce you've got your CLI configured and an `AWSReservedSSO_` role in IAM:\n\n1. you can copy this role ARN\n ![](doc/images/sso-configuration/get-iam-sso-group.png)\n ![](doc/images/sso-configuration/get-iam-sso-group-arn.png)\n\n2. and pass it to `iam-eks-user-mapper`.\n\n```shell\n./iam-eks-user-mapper \\\n --service-account-name \u003cSERVICE_ACCOUNT_NAME\u003e \\\n --aws-role-arn \u003cAWS_ROLE_ARN\u003e \\\n --aws-default-region \u003cAWS_DEFAULT_REGION\u003e \\\n --enable-sso true \\\n --iam-sso-role-arn \"arn:aws:iam::84[..]37:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_AdministratorAccess_53b82e109c5e2cac\"\n```\n\n## Good to know\n\nThe tool flags automatically synced entries via a custom field `syncedBy` set to `iam-eks-user-mapper`. This way, if you delete users from synced group and / or deactivate SSO sync or group sync, users / roles will be removed automatically.\n\n```\n│ - userarn: arn:aws:iam::843237546537:user/pleco\n│ username: pleco\n│ syncedBy: iam-eks-user-mapper\n│ groups:\n│ - system:masters\n```\n\n## Want to contribute?\n\nThis tool is far from perfect and we will be happy to have people helping making it better.\nYou can either:\n\n- open an issue for bugs / enhancements\n- open a PR linked to an issue\n- pick an issue and submit a PR\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqovery%2Fiam-eks-user-mapper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fqovery%2Fiam-eks-user-mapper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqovery%2Fiam-eks-user-mapper/lists"}