Trying to test result of aws eks get-token


I have an EC2 that uses a Role to access my Kubernetes cluster. From my reading I should be able to get a token from the CLI and use that to access the Kubernetes cluster. To that end I have written this script:

cluster_token64=$(aws eks get-token --cluster-name $cluster_name --query status.token --output text)
cluster_token=$(echo $cluster_token64 | sed 's/k8s-aws-v1.//'| base64 --decode)
echo $cluster_token

This does return the token. But when I try to pass the same token to curl I get an error.

[root@/jenkins/eks]# curl $cluster_token
<ErrorResponse xmlns="">
    <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message>
  1. Am I getting the token correctly?
  2. Am I using/testing the token correctly (with the curl command)?
2 Answers
Accepted Answer


You will have to pass the EKS cluster name as a header i.e. --header "x-k8s-aws-id: $cluster_name" in your curl request as shown below:

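cluster_name="<cluster name>"
TOKEN=$(aws eks get-token --cluster-name "$cluster_name" | jq '.status.token' | sed "s/\"//g")
# Strip the "k8s-aws-v1." prefix and map the URL-safe alphabet back before decoding
TOKEN_DECODED=$(echo "${TOKEN#k8s-aws-v1.}" | tr '_-' '/+' | base64 --decode)
curl --header "x-k8s-aws-id: $cluster_name" "$TOKEN_DECODED"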

The above commands will output the GetCallerIdentityResult.

If you are trying to run curl commands on the kubernetes API server, you can use the below command:

TOKEN=$(aws eks get-token --cluster-name $cluster_name | jq '.status.token' | sed "s/\"//g")
curl -Ik -XGET -H "Authorization: Bearer $TOKEN" ''

Please let me know if you are able to get a successful response while using the above method.

Thank you!

AWS
answered a year ago
  • How long are the TOKENs good for?
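
Why the header matters, as an added example that is not part of the original thread: the token is the `k8s-aws-v1.` prefix plus the unpadded base64url encoding of a presigned STS URL, and that URL's `X-Amz-SignedHeaders` includes `x-k8s-aws-id`, so replaying it without the header fails signature verification. The sample URL, the token built from it, and the function names are constructed for illustration so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example. No AWS call is made; the token is CONSTRUCTED from a fake URL.

# Decode an EKS bearer token into the presigned STS URL it wraps.
eks_token_to_url() {
  local b64="${1#k8s-aws-v1.}"              # drop the version prefix
  b64=$(printf '%s' "$b64" | tr '_-' '/+')  # base64url -> standard alphabet
  while [ $(( ${#b64} % 4 )) -ne 0 ]; do b64="${b64}="; done  # restore padding
  printf '%s' "$b64" | base64 --decode
}

# List the headers covered by the SigV4 signature of a presigned URL, one per line.
signed_headers() {
  printf '%s\n' "$1" \
    | sed -n 's/.*[?&]X-Amz-SignedHeaders=\([^&]*\).*/\1/p' \
    | sed 's/%3[Bb]/;/g' | tr ';' '\n'
}

# Print the curl header arguments needed to replay the URL unchanged.
required_curl_headers() {
  local cluster_name="$1" url="$2" h
  for h in $(signed_headers "$url"); do
    case "$h" in
      host) ;;  # curl derives Host from the URL
      x-k8s-aws-id) printf -- '--header "x-k8s-aws-id: %s"\n' "$cluster_name" ;;
      *) printf 'unexpected signed header: %s\n' "$h" >&2; return 1 ;;
    esac
  done
}

# Constructed sample: a fake presigned URL wrapped the way the token wraps it.
sample_url='https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=EXAMPLE'
sample_token="k8s-aws-v1.$(printf '%s' "$sample_url" | base64 | tr -d '=\n' | tr '/+' '_-')"

url=$(eks_token_to_url "$sample_token")
signed_headers "$url"                        # headers the signature covers
required_curl_headers "demo-cluster" "$url"  # what curl must send
```

The decoded URL carries a live signature and works as a bearer credential until it expires, so keep it out of `echo` statements and CI job logs when running this against a real token.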



The error you are seeing occurs when the AWS credentials are misconfigured on your system. You can try running the command aws sts get-caller-identity to see if the AWS credentials are correctly set or not.

Hope this helps!

AWS
answered a year ago
  • So that results in this:

    [root@ip-172-24-147-143 ~]# aws sts get-caller-identity
    {
        "UserId": "AROAYE5MLXBG5MUX6MP2K:i-0b7400000070fa67b",
        "Account": "0000000000",
        "Arn": "arn:aws:sts::0000000000:assumed-role/TTT-DEV-EC2-JenkinsMaster-Instance/i-0b7400000070fa67b"
    }

    Which is what I expect.
