Hello,
I'm using AWS SSO to manage roles and permissions in several AWS accounts. Consequently, my roles are autoprovisioned in each AWS account by AWS SSO and their names look like AWSReservedSSO_SomeRole_e11aa594f712e1dc.
What would be the best way to manage this with aws-iam-authenticator? The current solution seems to force me to specify the full role name, so the configuration looks like:
```yaml
data:
  mapRoles: |
    - groups:
      - system:masters
      rolearn: arn:aws:iam::xxx:role/AWSReservedSSO_SomeRole_e11aa594f712e1dc
      username: kubernetes-admin:{{SessionName}}
```
The issue is that the name of the role changes in each AWS account, so it makes things quite hard for automation. Do you have any guideline to suggest in this context?
AWS SSO is becoming more and more prevalent, so I expect it should be a quite widely encountered issue.
Thank you!
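
Added example, not part of the original issue or of aws-iam-authenticator: one way to automate the mapping is to look up each account's provisioned role by permission-set name and render the `mapRoles` entry from it. The function names, the account ID and the second sample role are constructed; the 16-hex-character suffix is assumed from the role name quoted in the issue, and the `/aws-reserved/sso.amazonaws.com/` path is stripped because `rolearn` is matched without an IAM path.

```python
import re

# Constructed sample shaped like the "Roles" list returned by
# `aws iam list-roles --path-prefix /aws-reserved/sso.amazonaws.com/`.
# Account ID and the ReadOnly role are placeholders made up for this example.
SAMPLE_ROLES = [
    {"RoleName": "AWSReservedSSO_SomeRole_e11aa594f712e1dc",
     "Arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
            "eu-west-1/AWSReservedSSO_SomeRole_e11aa594f712e1dc"},
    {"RoleName": "AWSReservedSSO_SomeRoleReadOnly_0123456789abcdef",
     "Arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
            "eu-west-1/AWSReservedSSO_SomeRoleReadOnly_0123456789abcdef"},
]

# AWSReservedSSO_<permission set>_<suffix>; suffix length assumed from the issue.
SSO_ROLE = re.compile(r"^AWSReservedSSO_(?P<pset>.+)_(?P<suffix>[0-9a-f]{16})$")


def find_sso_role(roles, permission_set):
    """Return the one role provisioned for permission_set.

    The permission-set name is compared exactly, not as a prefix, so that
    'SomeRole' can never pick up 'SomeRoleReadOnly' and map it to the
    wrong Kubernetes group.
    """
    hits = [r for r in roles
            if (m := SSO_ROLE.match(r["RoleName"]))
            and m.group("pset") == permission_set]
    if len(hits) != 1:
        raise LookupError(f"expected 1 role for {permission_set!r}, got {len(hits)}")
    return hits[0]


def path_stripped_arn(role):
    """Rebuild the ARN as arn:<partition>:iam::<account>:role/<name>, dropping the path."""
    prefix = ":".join(role["Arn"].split(":")[:5])
    return f"{prefix}:role/{role['RoleName']}"


def map_roles_entry(role, groups=("system:masters",),
                    username="kubernetes-admin:{{SessionName}}"):
    """Render one list item for the mapRoles block of the aws-auth ConfigMap."""
    lines = ["- groups:"] + [f"  - {g}" for g in groups]
    lines += [f"  rolearn: {path_stripped_arn(role)}", f"  username: {username}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(map_roles_entry(find_sso_role(SAMPLE_ROLES, "SomeRole")))
```

Failing closed when zero or several roles match keeps an unexpected role from being bound to `system:masters` by accident.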