Unable to create EKS cluster using REST API


I need to create an EKS cluster using the REST API/Ansible, but the Ansible community.aws.aws_eks_cluster module doesn't have a kubernetesNetworkConfig parameter where we can specify serviceIpv4Cidr while creating the cluster.

I used the link below to create a cluster, but I am unable to pass the authorization credentials in the POST REST API request: https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateCluster.html

    uri:
      url: "https://eks.us-east-1.amazonaws.com/clusters"

I have the auth params below:

    aws_access_key: "{{ aws_access_key1 }}"
    aws_secret_key: "{{ aws_secret_key1 }}"
    X-Amz-Security-Token: "{{ security_token1 }}"

I need to use them with the Ansible uri module (need to use in headers: in url for authentication). I have to pass something like below:

    headers:
      Authorization: Bearer "{{a}}"

It is failing with "Unable to determine service/operation name to be authorized" AccessDeniedException.

1 Answer
Accepted Answer

Hello,

When you make API requests to AWS, you have to sign the requests so that AWS can identify who sent them. You will have to sign the requests with your AWS access key (consists of the Access Key ID and Secret Access Key).

Signature Version 4 (SigV4) is the process to add authentication information to AWS API requests sent by HTTP(S). Please refer to this document for more information on SigV4.

Please refer to the Signing AWS requests with Signature Version 4 documentation to understand how to sign your AWS requests with SigV4.

Once the signing process is complete, you'll need to pass your signature in the Authorization header when making the POST /clusters request.

Please take a look at this sample Python code provided in the AWS documentation that explains how to make a POST request to the DynamoDB API using the above-mentioned SigV4 signing.

It is recommended to use AWS SDKs for performing API requests to AWS services as they handle the signature calculation process for you, so you do not have to manually complete the signing process.

I understand that achieving the above steps through Ansible code is a challenging task. Therefore, I have suggested an alternate approach below.

Alternate approach:

The eksctl (official CLI for Amazon EKS) can be leveraged in your use-case to perform the cluster creation without the need for the REST API approach.

You can create a jinja2 template for the eksctl cluster configuration file and run eksctl create cluster -f cluster.yaml command using the Ansible command module to create your cluster.

I hope this helps!

AWS SUPPORT ENGINEER, answered 2 years ago
AWS EXPERT Toni_S, reviewed 2 years ago
  • Terraform also has extensive support for EKS.

  • Hi @Venkat Penmetsa, thanks for responding back. I would like to know if we can send a GET/POST request to AWS API services in the format below (curl):

    GET /resource HTTP/1.1
    Host: server.example.com
    Authorization: Bearer mF_9.B5f-4.1JqM

    Example GET: curl -H "$(oauth2l header --json /data/xxxx.json cloud-platform userinfo.email)" -H "Content-Type: application/json" "https://compute.googleapis.com/compute/v1/projects/xxxx/regions/us-central1/routers"

    Could you provide a curl request to AWS services (for example, to get the list of clusters)? Are AWS API requests unfortunately not straightforward to implement in curl, and is it mandatory to use the AWS SDKs for performing API requests to AWS services and use SigV4?

  • Although it is possible to make requests to AWS services without using SDKs, it is difficult to achieve AWS SigV4 authentication with shell commands alone.

    You can write a custom Ansible module that can perform the request signing process. Check out this code (https://github.com/ansible-collections/amazon.aws/blob/main/plugins/module_utils/urls.py) to understand how Ansible AWS modules perform the SigV4 signing to make API requests to AWS.
