user5047085
Passing EKS token to other kubectl cli commands

Say I get an EKS token using:

aws eks get-token --region us-west-2 --cluster-name eks1

the result looks like:

{"status": {"token": "k8s-aws-v1.aHR0.....Ni"}, "kind": "ExecCredential", "apiVersion": "client.authentication.k8s.io/v1alpha1", "spec": {}}

how can I pass the token to other cli commands? something like:

kubectl get svc --token="$token-from-above"

without the token, I keep getting this error:

error: You must be logged in to the server (Unauthorized)

but my AWS creds are present, which is why I can get the token. I assume it's the same token as generated by aws-iam-authenticator token -i eks1

I tried running this:

export AWS_SESSION_TOKEN="$token-from-above"
kubectl get svc

that did not work either, same error.

Upvotes: 10

Views: 9659

Answers (3)

Shay

Reputation: 1

First query the token and then pass it to all following kubectl commands:

TOKEN=$(aws eks get-token --cluster-name=<cluster name> | jq -r '.status.token')

kubectl --token="$TOKEN" get pods

Upvotes: 0

bilby91

Reputation: 904

Make sure that you don't have any of these env variables configured:

unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY

Most (if not all) of the aws tools will honor those configurations over anything else. I've been fooled by this when trying to use AWS_PROFILE for example.

Upvotes: 4

Chris Hein

Reputation: 61

@MrCholo, have you made sure to configure your KUBECONFIG to use the exec credential flow? With EKS and/or the authenticator you don't need to generate the token and then inject it into each request; kubectl has a way of exec'ing the binary for you. We've baked all this into the update-kubeconfig cli command, which you can see at https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html#eks-configure-kubectl

But what it will look like is something like this:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: XXX
    server: XXX
  name: XXX
contexts:
- context:
    cluster: XXX
    user: XXX
  name: XXX
current-context: XXX
kind: Config
preferences: {}
users:
- name: XXX
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - eks
      - get-token
      - --region
      - us-west-2
      - --cluster-name
      - eks1
      command: aws
      env: null

You'll need to make sure you have at least the 1.10+ kubectl client version which you can check by using kubectl version --client --short.

Other things to note: this token isn't an AWS IAM token, it's a generated and signed URL which the API server uses to validate who the user is. The underlying request is actually aws sts get-caller-identity, but we don't complete the request; we merely sign the URL, then base64 encode it and encapsulate it in JSON to submit to the api server. Once it gets passed into the api server, the token is sent to the authenticator web server in the control plane, which decodes then "completes" the STS call to return who you are, which it then uses to validate if you are in the whitelist of users.

Hopefully that helps.

Upvotes: 3
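An added example (my own code, not from any of the answers or from the aws/aws-iam-authenticator project) that ties the two answers together: it extracts .status.token from the ExecCredential JSON the way Shay's jq pipeline does, and it builds and decodes a token of the shape Chris Hein describes, so you can see for yourself that it is a presigned sts:GetCallerIdentity URL behind the k8s-aws-v1. prefix. The SigV4 details (global sts.amazonaws.com endpoint, us-east-1 scope, 60 second expiry, the cluster name carried in a signed x-k8s-aws-id header rather than in the URL) are my reading of the authenticator's token format and should be treated as assumptions; the access key, secret and timestamp are constructed placeholders, and nothing here talks to AWS.

```python
"""Build, extract and sanity-check an EKS bearer token (added example)."""
import base64
import datetime
import hashlib
import hmac
import json
import urllib.parse

STS_HOST = "sts.amazonaws.com"           # assumption: global STS endpoint
TOKEN_PREFIX = "k8s-aws-v1."
SIGNED_HEADERS = "host;x-k8s-aws-id"     # assumption: cluster name is a signed header

# Constructed sample inputs; the key pair is a placeholder, not a real credential.
CONSTRUCTED_ACCESS_KEY = "AKIAEXAMPLEPLACEHOLD"
CONSTRUCTED_SECRET_KEY = "constructed-secret-not-a-real-key"
SAMPLE_TIME = datetime.datetime(2019, 1, 1, 12, 0, tzinfo=datetime.timezone.utc)
# The ExecCredential document from the question, verbatim (token body elided there).
SAMPLE_EXEC_CREDENTIAL = ('{"status": {"token": "k8s-aws-v1.aHR0.....Ni"}, "kind": "ExecCredential", '
                          '"apiVersion": "client.authentication.k8s.io/v1alpha1", "spec": {}}')


def token_from_exec_credential(exec_credential_json: str) -> str:
    """What `jq -r .status.token` does, plus a check that the envelope is an ExecCredential."""
    doc = json.loads(exec_credential_json)
    if doc.get("kind") != "ExecCredential":
        raise ValueError(f"unexpected kind: {doc.get('kind')!r}")
    if not str(doc.get("apiVersion", "")).startswith("client.authentication.k8s.io/"):
        raise ValueError(f"unexpected apiVersion: {doc.get('apiVersion')!r}")
    return doc["status"]["token"]


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def _canonical_query(params: dict) -> str:
    enc = lambda s: urllib.parse.quote(s, safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))


def _signature(secret_key: str, params: dict, cluster_name: str) -> str:
    """SigV4 signature for GET https://sts.amazonaws.com/?<query>, empty body,
    with the host and x-k8s-aws-id headers covered by the signature."""
    date, region, service, _ = params["X-Amz-Credential"].split("/")[1:]
    canonical_request = "\n".join([
        "GET", "/", _canonical_query(params),
        f"host:{STS_HOST}\nx-k8s-aws-id:{cluster_name}\n",
        SIGNED_HEADERS,
        hashlib.sha256(b"").hexdigest(),
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", params["X-Amz-Date"], f"{date}/{region}/{service}/aws4_request",
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = _signing_key(secret_key, date, region, service)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def make_eks_token(access_key, secret_key, cluster_name, now, session_token=None) -> str:
    """Presign sts:GetCallerIdentity, then base64url-encode the URL behind the prefix."""
    params = {
        "Action": "GetCallerIdentity",
        "Version": "2011-06-15",
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{now.strftime('%Y%m%d')}/us-east-1/sts/aws4_request",
        "X-Amz-Date": now.strftime("%Y%m%dT%H%M%SZ"),
        "X-Amz-Expires": "60",
        "X-Amz-SignedHeaders": SIGNED_HEADERS,
    }
    if session_token:
        params["X-Amz-Security-Token"] = session_token
    url = f"https://{STS_HOST}/?{_canonical_query(params)}&X-Amz-Signature={_signature(secret_key, params, cluster_name)}"
    return TOKEN_PREFIX + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def inspect_token(token: str) -> dict:
    """Decode a token and run the structural checks an authenticator would apply
    before completing the STS call (my summary of those checks, an assumption)."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("not a k8s-aws-v1 token")
    raw = token[len(TOKEN_PREFIX):]
    url = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)).decode()
    parts = urllib.parse.urlsplit(url)
    query = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    checks = {
        "host_is_sts": parts.netloc == STS_HOST,
        "action_is_get_caller_identity": query.get("Action") == "GetCallerIdentity",
        "cluster_header_is_signed": "x-k8s-aws-id" in query.get("X-Amz-SignedHeaders", "").split(";"),
        "expiry_at_most_60s": query.get("X-Amz-Expires", "").isdigit() and int(query["X-Amz-Expires"]) <= 60,
    }
    return {"url": url, "query": query, "checks": checks, "well_formed": all(checks.values())}


def signature_matches(token: str, secret_key: str, cluster_name: str) -> bool:
    """Recompute the signature with a known secret. The cluster name is not in the
    URL at all, yet a token minted for one cluster does not verify for another."""
    query = dict(inspect_token(token)["query"])
    presented = query.pop("X-Amz-Signature", "")
    return hmac.compare_digest(presented, _signature(secret_key, query, cluster_name))


if __name__ == "__main__":
    print(token_from_exec_credential(SAMPLE_EXEC_CREDENTIAL))
    tok = make_eks_token(CONSTRUCTED_ACCESS_KEY, CONSTRUCTED_SECRET_KEY, "eks1", SAMPLE_TIME)
    print(json.dumps(inspect_token(tok), indent=2))
    print("bound to eks1:", signature_matches(tok, CONSTRUCTED_SECRET_KEY, "eks1"),
          "| verifies for eks2:", signature_matches(tok, CONSTRUCTED_SECRET_KEY, "eks2"))
```

Two things worth taking from the decode: the token carries no secret (only a signature over a request the control plane replays against STS), but anyone who holds it can present it to the API server until X-Amz-Expires runs out, so a TOKEN shell variable or a --token flag in shell history deserves the same care as any other bearer credential; and because the cluster name is bound in via the signed header, a token pulled from one cluster's kubeconfig is useless against another, which is why the exec flow with the right --cluster-name is the thing to get right rather than pasting tokens around.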
