Skip to content

Commit

Permalink
Fix generating presigned URL for K8s authentication
Browse files Browse the repository at this point in the history
With `aws-sdk-go-v2@1.24.1`, API server requests containing URLs presigned by `sts.PresignClient` fail with an `Unauthorized` error.

`aws-sdk-go-v2@1.24.1` adds an extra header `amz-sdk-request` to the generated request, but this header is not allow-listed by `aws-iam-authenticator` server running on the control plane.
This is likely due to [this change](aws/aws-sdk-go-v2#2438) which reorders the middleware operations to execute `RetryMetricsHeader` before `Signing`.

This changelist removes the `RetryMetricsHeader` middleware from the stack when constructing `sts.PresignClient`.
  • Loading branch information
cpu1 committed Jan 19, 2024
1 parent c74edb2 commit ce27549
Showing 1 changed file with 13 additions and 4 deletions.
17 changes: 13 additions & 4 deletions pkg/eks/auth/generator.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,10 @@ import (
"fmt"
"time"

"github.com/aws/aws-sdk-go-v2/aws/retry"
"github.com/aws/aws-sdk-go-v2/service/sts"

"github.com/aws/smithy-go/middleware"
smithyhttp "github.com/aws/smithy-go/transport/http"

api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
Expand Down Expand Up @@ -64,9 +67,15 @@ func (g Generator) GetWithSTS(ctx context.Context, clusterID string) (Token, err

func (g Generator) appendPresignHeaderValuesFunc(clusterID string) func(stsOptions *sts.Options) {
return func(stsOptions *sts.Options) {
// Add clusterId Header
stsOptions.APIOptions = append(stsOptions.APIOptions, smithyhttp.SetHeaderValue(clusterIDHeader, clusterID))
// Add X-Amz-Expires query param
stsOptions.APIOptions = append(stsOptions.APIOptions, smithyhttp.SetHeaderValue("X-Amz-Expires", "60"))
stsOptions.APIOptions = append(stsOptions.APIOptions,
// Add clusterId Header.
smithyhttp.SetHeaderValue(clusterIDHeader, clusterID),
// Add X-Amz-Expires query param.
smithyhttp.SetHeaderValue("X-Amz-Expires", "60"),
// Remove any extraneous headers: https://github.com/eksctl-io/eksctl/issues/7486.
func(stack *middleware.Stack) error {
_, err := stack.Finalize.Remove((&retry.MetricsHeader{}).ID())
return err
})
}
}

0 comments on commit ce27549

Please sign in to comment.