# How to create an AWS Identity Center Application for ArgoCD
In order to authenticate with ArgoCD, we recommend using an AWS IAM Identity Center SAML Application. These apps can use the existing Identity Center groups that we've already set up as part of the Identity layer.
## Create AWS Identity Center Applications

- For each of `dev`, `staging`, and `prod` in the `plat` tenant, create an IAM Identity Center Application.
- Use the 'callback' URL of `eks/argocd` for both the ACS URL and the SAML Audience fields. For example, `https://argocd.use1.dev.plat.acme-svc.com/api/dex/callback`. This should be your service domain.
- Next, update the custom SAML application attributes:
| Name    | Value             | Type        |
|---------|-------------------|-------------|
| Subject | `${user:subject}` | persistent  |
| email   | `${user:email}`   | unspecified |
| groups  | `${user:groups}`  | unspecified |
- Now assign AWS Identity Center groups to the SAML app. If you ever recreate the groups, you'll need to go back to the SAML application and remove/re-add the group.
- Record the IDs of each group you assigned. If you've recently updated the groups, you'll likely need to redo this step, as group IDs change on any significant update.
- Update the config for `eks/argocd` to use the given AWS Identity Center groups:

```yaml
components:
  terraform:
    eks/argocd:
      vars:
        # Note: the IDs for AWS Identity Center groups will change if you alter/replace them:
        argocd_rbac_groups:
          - group: deadbeef-dead-beef-dead-beefdeadbeef
            role: admin
          - group: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
            role: reader
```
- Finally, for each stage run `atmos terraform deploy sso-saml-provider -s plat-use1-{ stage }`
If you get any errors using AWS SSO, make sure the Subject attribute is set to `persistent`, then connect to the cluster with `set-cluster plat-{ region }-{ stage } admin && kubens argocd` and delete the dex pod to reset it.
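The `argocd_rbac_groups` list above is only useful while its group IDs still match what Identity Center sends in the SAML `groups` attribute, and a recreated group silently breaks that mapping. The following is an added example (not code from this page or from the `eks/argocd` component) that renders those bindings in Argo CD's documented `policy.csv` grammar (`g, <subject>, role:<role>`) and reports configured group IDs that are no longer among the groups assigned to the SAML app. It assumes that the component emits bindings of that shape, that `reader` is a role the component defines, and that the assigned-group list is something you fetch from the Identity Center console or API; the input values are the constructed ones from the YAML above.

```python
"""Render and sanity-check Argo CD RBAC group bindings (added example).

Assumptions, not facts from the page:
  * the eks/argocd component ends up writing Argo CD `policy.csv` lines of
    the form `g, <group id>, role:<role>` for each argocd_rbac_groups entry;
  * `reader` is a custom role defined elsewhere by the component;
  * ASSIGNED_GROUP_IDS is what you would read back from the SAML app's
    assignment list in Identity Center (constructed here for the demo).
"""
import uuid
from typing import Dict, List, Set

# Constructed input mirroring the page's `vars` block.
ARGOCD_VARS: Dict = {
    "argocd_rbac_groups": [
        {"group": "deadbeef-dead-beef-dead-beefdeadbeef", "role": "admin"},
        {"group": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "role": "reader"},
    ]
}

# Roles this deployment knows about (assumption: `reader` exists).
KNOWN_ROLES = {"admin", "reader"}


def is_group_id(value: str) -> bool:
    """Identity Center group IDs are UUIDs; anything else is a typo or truncation.

    A stale ID from a recreated group is still a well-formed UUID, so this
    only catches malformed values; drift is handled by find_stale_bindings."""
    try:
        uuid.UUID(value)
    except (ValueError, AttributeError, TypeError):
        return False
    return True


def render_policy_csv(argocd_vars: Dict) -> List[str]:
    """Turn argocd_rbac_groups into `g, <group>, role:<role>` bindings.

    Rejects malformed group IDs, unknown roles, and a group bound twice
    (two bindings for one group would grant the union of both roles)."""
    lines: List[str] = []
    seen: Set[str] = set()
    for entry in argocd_vars["argocd_rbac_groups"]:
        group_id, role = entry["group"], entry["role"]
        if not is_group_id(group_id):
            raise ValueError(f"group id {group_id!r} is not a UUID")
        if role not in KNOWN_ROLES:
            raise ValueError(f"unknown role {role!r} for group {group_id}")
        if group_id in seen:
            raise ValueError(f"group {group_id} is bound more than once")
        seen.add(group_id)
        lines.append(f"g, {group_id}, role:{role}")
    return lines


def find_stale_bindings(argocd_vars: Dict, assigned_group_ids: Set[str]) -> List[str]:
    """Return configured group IDs that are not assigned to the SAML app.

    After groups are recreated, their IDs change; the old IDs linger in the
    config and nobody in the new group gets the role. This is the check to run
    before redeploying when logins unexpectedly land with no permissions."""
    return [
        entry["group"]
        for entry in argocd_vars["argocd_rbac_groups"]
        if entry["group"] not in assigned_group_ids
    ]


if __name__ == "__main__":
    # Constructed: pretend only the admin group is still assigned to the app,
    # i.e. the reader group was recreated and got a new ID.
    ASSIGNED_GROUP_IDS = {"deadbeef-dead-beef-dead-beefdeadbeef"}

    print("# policy.csv bindings")
    for line in render_policy_csv(ARGOCD_VARS):
        print(line)

    stale = find_stale_bindings(ARGOCD_VARS, ASSIGNED_GROUP_IDS)
    if stale:
        print("# configured group IDs no longer assigned to the SAML app:")
        for group_id in stale:
            print(f"#   {group_id}")
```

Run it after updating the group assignments in Identity Center and before `atmos terraform deploy`; any ID it lists as stale is one you need to re-record from the SAML app and replace in `argocd_rbac_groups`.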