Fix generating presigned URL for K8s authentication
With `aws-sdk-go-v2@1.24.1`, API server requests containing URLs presigned by `sts.PresignClient` fail with an `Unauthorized` error.

`aws-sdk-go-v2@1.24.1` adds an extra header `amz-sdk-request` to the generated request, but this header is not allow-listed by `aws-iam-authenticator` server running on the control plane.
This is likely due to [this change](aws/aws-sdk-go-v2#2438) which reorders the middleware operations to execute `RetryMetricsHeader` before `Signing`.

This changelist removes the `RetryMetricsHeader` middleware from the stack when constructing `sts.PresignClient`.
cpu1 committed Jan 19, 2024
1 parent c74edb2 commit 6094031
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions pkg/eks/auth/generator.go
Expand Up @@ -6,7 +6,10 @@ import (
"fmt"
"time"

"github.com/aws/aws-sdk-go-v2/aws/retry"
"github.com/aws/aws-sdk-go-v2/service/sts"

"github.com/aws/smithy-go/middleware"
smithyhttp "github.com/aws/smithy-go/transport/http"

api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
Expand Down Expand Up @@ -68,5 +71,9 @@ func (g Generator) appendPresignHeaderValuesFunc(clusterID string) func(stsOptio
stsOptions.APIOptions = append(stsOptions.APIOptions, smithyhttp.SetHeaderValue(clusterIDHeader, clusterID))
// Add X-Amz-Expires query param
stsOptions.APIOptions = append(stsOptions.APIOptions, smithyhttp.SetHeaderValue("X-Amz-Expires", "60"))
stsOptions.APIOptions = append(stsOptions.APIOptions, func(stack *middleware.Stack) error {
_, err := stack.Finalize.Remove((&retry.MetricsHeader{}).ID())
return err
})
}
}
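
Review bot: The new closure in `appendPresignHeaderValuesFunc` returns the error from `stack.Finalize.Remove((&retry.MetricsHeader{}).ID())` unchanged, so if that call reports an error when the ID is not present in the Finalize step (for example after another middleware reorder in the SDK), every presign, and with it every API server authentication, would fail on a header that is not being added anyway. Consider deciding explicitly whether an absent middleware should be tolerated here rather than propagated. The two lines above each carry a comment, while this block has none: a short comment saying that `amz-sdk-request` is stripped because `aws-iam-authenticator` does not allow-list it would keep the reason next to the code instead of only in the commit message. The change also ships without a test; a unit test asserting that the presigned request carries no `amz-sdk-request` header would catch a regression on the next SDK bump.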
