Trying to test result of aws eks get-token

0

I have an EC2 that uses a Role to access my kubernetes cluster. From my reading I should be able to get a token from the cli and use that to access the kubernetes cluster. To that end I have written this script:

cluster_token64=$(aws eks get-token --cluster-name $cluster_name --query status.token --output text)
cluster_token=$(echo $cluster_token64 | sed 's/k8s-aws-v1.//'| base64 --decode)
echo $cluster_token

This does return the token. But when I try to pass the same token to curl I get an error.

[root@/jenkins/eks]# curl $cluster_token
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message>
  </Error>
  <RequestId>47556e04-897c-459a-b3c3-2ae339386640</RequestId>
</ErrorResponse>
  1. Am I getting the token correctly?
  2. Am I using/testing the token correctly (with the curl command)?
2 Answers
1
Accepted Answer

Hello,

You will have to pass the EKS cluster name as a header i.e. --header "x-k8s-aws-id: $cluster_name" in your curl request as shown below:

cluster_name="<cluster name>"
TOKEN=$(aws eks get-token --cluster-name "$cluster_name" | jq -r '.status.token')
# Strip the "k8s-aws-v1." prefix; the remainder is the base64url-encoded presigned STS URL
TOKEN_DECODED=$(echo "${TOKEN#k8s-aws-v1.}" | tr '_-' '/+' | base64 --decode)
# The decoded value is already the complete GetCallerIdentity URL
URL=$TOKEN_DECODED
curl --header "x-k8s-aws-id: $cluster_name" "$URL"

The above commands will output the GetCallerIdentityResult.

If you are trying to run curl commands on the kubernetes API server, you can use the below command:

TOKEN=$(aws eks get-token --cluster-name $cluster_name | jq '.status.token' | sed "s/\"//g")
curl -Ik -XGET -H "Authorization: Bearer $TOKEN" 'https://ABCDEFG.gr7.region-code.eks.amazonaws.com/api/v1/namespaces'

Please let me know if you are able to get successful response while using the above method.

Thank you!

AWS
SUPPORT ENGINEER
answered a year ago
  • How long are the TOKENs good for?
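
As an added example (not part of the original answer and not AWS's own code), the script below decodes a token into the presigned STS URL it wraps and reads the signing parameters from it, which shows why the x-k8s-aws-id header has to accompany the request. The sample URL and token are constructed, and the function names eks_token_to_url, url_param and replay_token are hypothetical.

```bash
# Added example; every value in the sample is constructed and fake.
# An EKS token is "k8s-aws-v1." + unpadded base64url of a presigned STS URL.
SAMPLE_URL='https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15&X-Amz-Date=20240101T000000Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=0000'
SAMPLE_TOKEN="k8s-aws-v1.$(printf '%s' "$SAMPLE_URL" | base64 | tr -d '=\n' | tr '/+' '_-')"

# eks_token_to_url TOKEN: print the presigned URL; fail on a malformed token.
eks_token_to_url() {
  local token body pad
  token=$1
  case $token in
    k8s-aws-v1.*) body=${token#k8s-aws-v1.} ;;
    *) echo "missing k8s-aws-v1. prefix" >&2; return 1 ;;
  esac
  # base64url -> standard alphabet, then restore the stripped '=' padding.
  body=$(printf '%s' "$body" | tr '_-' '/+')
  pad=$(( (4 - ${#body} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do body="$body="; pad=$((pad - 1)); done
  printf '%s' "$body" | base64 -d
}

# url_param URL NAME: print the value of one query-string parameter.
url_param() {
  printf '%s\n' "${1#*\?}" | tr '&' '\n' | sed -n "s/^$2=//p"
}

# replay_token TOKEN CLUSTER_NAME: send the presigned request to STS (network).
# x-k8s-aws-id is listed in X-Amz-SignedHeaders, so without it, or with a
# different cluster name, STS answers SignatureDoesNotMatch.
replay_token() {
  local url
  url=$(eks_token_to_url "$1") || return 1
  curl -sS --header "x-k8s-aws-id: $2" "$url"
}

# Offline demonstration on the constructed token.
url=$(eks_token_to_url "$SAMPLE_TOKEN")
echo "signed headers: $(url_param "$url" X-Amz-SignedHeaders)"
echo "signed at:      $(url_param "$url" X-Amz-Date)"
echo "expires (s):    $(url_param "$url" X-Amz-Expires)"
```

With a real token, `replay_token "$TOKEN" "$cluster_name"` sends the same request the curl command in the answer does.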

0

Hello,

The error you are seeing occurs when the AWS credentials are mis-configured on your system. You can try running the command aws sts get-caller-identity to see if the AWS credentials are correctly set or not.

Hope this helps!

AWS
SUPPORT ENGINEER
answered a year ago
  • So that results in this:

    [root@ip-172-24-147-143 ~]# aws sts get-caller-identity
    {
        "UserId": "AROAYE5MLXBG5MUX6MP2K:i-0b7400000070fa67b",
        "Account": "0000000000",
        "Arn": "arn:aws:sts::0000000000:assumed-role/TTT-DEV-EC2-JenkinsMaster-Instance/i-0b7400000070fa67b"
    }

    Which is what I expect.
