Trying to test result of aws eks get-token

0

I have an EC2 that uses a Role to access my Kubernetes cluster. From my reading I should be able to get a token from the CLI and use that to access the Kubernetes cluster. To that end I have written this script:

cluster_token64=$(aws eks get-token --cluster-name "$cluster_name" --query status.token --output text)
# Strip the "k8s-aws-v1." prefix, map URL-safe base64 to the standard alphabet and restore the "=" padding before decoding
b64=$(printf '%s' "${cluster_token64#k8s-aws-v1.}" | tr '_-' '/+')
while [ $(( ${#b64} % 4 )) -ne 0 ]; do b64="${b64}="; done
cluster_token=$(printf '%s' "$b64" | base64 --decode)
echo "$cluster_token"

This does return the token. But when I try to pass the same token to curl I get an error.

[root@/jenkins/eks]# curl $cluster_token
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message>
  </Error>
  <RequestId>47556e04-897c-459a-b3c3-2ae339386640</RequestId>
</ErrorResponse>
  1. Am I getting the token correctly?
  2. Am I using/testing the token correctly (with the curl command)?
2 Answers
1
Accepted Answer

Hello,

You will have to pass the EKS cluster name as a header i.e. --header "x-k8s-aws-id: $cluster_name" in your curl request as shown below:

cluster_name="<cluster name>"
TOKEN=$(aws eks get-token --cluster-name "$cluster_name" | jq -r '.status.token')
# The token is "k8s-aws-v1." followed by unpadded URL-safe base64 of the complete presigned GetCallerIdentity URL
B64=$(printf '%s' "${TOKEN#k8s-aws-v1.}" | tr '_-' '/+')
while [ $(( ${#B64} % 4 )) -ne 0 ]; do B64="${B64}="; done
URL=$(printf '%s' "$B64" | base64 --decode)
# x-k8s-aws-id is one of the signed headers, so STS rejects the request without it
curl --header "x-k8s-aws-id: $cluster_name" "$URL"

The above commands will output the GetCallerIdentityResult.

If you are trying to run curl commands on the kubernetes API server, you can use the below command:

TOKEN=$(aws eks get-token --cluster-name "$cluster_name" | jq -r '.status.token')
# Verify the API server certificate against the cluster CA instead of disabling verification with -k
aws eks describe-cluster --name "$cluster_name" --query cluster.certificateAuthority.data --output text | base64 --decode > ca.crt
curl --cacert ca.crt -H "Authorization: Bearer $TOKEN" 'https://ABCDEFG.gr7.region-code.eks.amazonaws.com/api/v1/namespaces'

Please let me know if you are able to get successful response while using the above method.

Thank you!

AWS SUPPORT ENGINEER, answered a year ago
  • How long are the TOKENs good for?
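An added example, not code from the original question or either answer: a small shell script that decodes an `aws eks get-token` token offline, inspects the presigned STS URL inside it, and builds the exact curl command the accepted answer describes. It relies on the token format the EKS authenticator uses (the literal prefix `k8s-aws-v1.` followed by unpadded URL-safe base64 of a presigned GetCallerIdentity URL). The function names, the sample URL and its placeholder credential, date and signature values are constructed for this example; no real cluster or AWS credentials are needed to run it.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Decodes an EKS token, checks why
# a bare `curl $decoded_url` fails, and prints the curl call that works.

# Decode one token into its presigned URL. Handles the URL-safe alphabet and
# the missing "=" padding that a plain `base64 --decode` rejects.
eks_token_decode() {
    token="$1"
    case "$token" in
        k8s-aws-v1.*) ;;
        *) echo "not an EKS token (expected k8s-aws-v1. prefix)" >&2; return 1 ;;
    esac
    b64=$(printf '%s' "${token#k8s-aws-v1.}" | tr '_-' '/+')
    while [ $(( ${#b64} % 4 )) -ne 0 ]; do b64="${b64}="; done
    printf '%s' "$b64" | base64 -d
}

# Pull one query parameter out of the presigned URL ("%3B" is decoded so the
# signed-header list reads as "host;x-k8s-aws-id").
url_param() {
    url="$1"; name="$2"
    printf '%s\n' "${url#*\?}" | tr '&' '\n' | sed -n "s/^${name}=//p" | sed 's/%3B/;/g'
}

# The cause of the SignatureDoesNotMatch in the question: when x-k8s-aws-id is
# listed in X-Amz-SignedHeaders, STS recomputes the signature over that header,
# so a request that does not send it can never match.
eks_token_needs_cluster_header() {
    case "$(url_param "$1" X-Amz-SignedHeaders)" in
        *x-k8s-aws-id*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the curl command line from the token alone.
eks_token_curl_cmd() {
    token="$1"; cluster="$2"
    url=$(eks_token_decode "$token") || return 1
    if eks_token_needs_cluster_header "$url"; then
        printf 'curl -sS --header "x-k8s-aws-id: %s" "%s"\n' "$cluster" "$url"
    else
        printf 'curl -sS "%s"\n' "$url"
    fi
}

# Constructed sample (placeholder credential, date and signature) with the
# shape the CLI produces, encoded the way the authenticator encodes it.
SAMPLE_URL='https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAEXAMPLE%2F20240101%2Fus-east-1%2Fsts%2Faws4_request&X-Amz-Date=20240101T000000Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=0000'
SAMPLE_TOKEN="k8s-aws-v1.$(printf '%s' "$SAMPLE_URL" | base64 | tr -d '\n=' | tr '/+' '_-')"

# Demo on the constructed token. Against a real cluster, replace SAMPLE_TOKEN with
#   aws eks get-token --cluster-name "$cluster_name" --query status.token --output text
# and run the printed command (or eval it).
eks_token_curl_cmd "$SAMPLE_TOKEN" my-cluster
echo "signature window (seconds): $(url_param "$(eks_token_decode "$SAMPLE_TOKEN")" X-Amz-Expires)"
```

The decoded URL is only the STS half of the story: it answers "is this caller who it says it is", while the API server separately maps the returned ARN to a Kubernetes identity. For the lifetime question in the comment above, `aws eks get-token` reports it directly in `status.expirationTimestamp` next to `status.token`; the `X-Amz-Expires` value inside the URL is the signature window STS itself enforces, and the API server applies its own acceptance window server-side.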

0

Hello,

The error you are seeing occurs when the AWS credentials are misconfigured on your system. You can try running the command aws sts get-caller-identity to see if the AWS credentials are correctly set or not.

Hope this helps!

AWS SUPPORT ENGINEER, answered a year ago
  • So that results in this:

    [root@ip-172-24-147-143 ~]# aws sts get-caller-identity
    {
        "UserId": "AROAYE5MLXBG5MUX6MP2K:i-0b7400000070fa67b",
        "Account": "0000000000",
        "Arn": "arn:aws:sts::0000000000:assumed-role/TTT-DEV-EC2-JenkinsMaster-Instance/i-0b7400000070fa67b"
    }

    Which is what I expect.
