aws eks get-token regresses providing token expiration #4182

Closed
tbarrella opened this issue May 22, 2019 · 11 comments
Labels: enhancement, pending-release

@tbarrella

With

aws-iam-authenticator token -i <cluster>

the output includes an "expirationTimestamp" key in the token "status", but with

aws eks get-token --cluster-name <cluster>

that field is missing. As a result, aws-cli >1.16.154 undoes kubernetes-sigs/aws-iam-authenticator#160, which is necessary to prevent issues when using files from update-kubeconfig with Go clients for >15 minutes. Would it be hard to restore "expirationTimestamp"?

@sgundapu
Contributor

@tbarrella is this what you are seeing?
kubernetes-sigs/aws-iam-authenticator#133 (comment)

Is your application failing because client-go is caching the token?
It makes sense for us to add the expirationTimestamp along with the token, since client side code is using that to refresh the token. I will look into adding that back.
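
The check this thread turns on, as an added example (not part of the thread and not code from aws-cli or aws-iam-authenticator): it classifies the JSON that a kubeconfig exec command prints by whether "status" carries a usable "expirationTimestamp". The sample documents are constructed, and the names sample and check_exec_credential and the 60-second margin are assumptions made for the illustration.

```python
import json
from datetime import datetime, timedelta, timezone


def sample(status):
    """Constructed ExecCredential document, not real cluster output."""
    return json.dumps({
        "kind": "ExecCredential",
        "apiVersion": "client.authentication.k8s.io/v1alpha1",
        "spec": {},
        "status": status,
    })


TOKEN = "k8s-aws-v1.CONSTRUCTED-PLACEHOLDER"
WITH_EXPIRY = sample({"expirationTimestamp": "2019-05-22T18:14:00Z", "token": TOKEN})
WITHOUT_EXPIRY = sample({"token": TOKEN})


def check_exec_credential(raw, now, margin=timedelta(seconds=60)):
    """Hypothetical helper: (verdict, seconds_left); now must be tz-aware."""
    try:
        status = json.loads(raw).get("status") or {}
    except (ValueError, AttributeError):
        return ("invalid-json", None)
    if not isinstance(status, dict) or not status.get("token"):
        return ("no-token", None)
    stamp = status.get("expirationTimestamp")
    if not isinstance(stamp, str) or not stamp:
        # The regression reported in this issue: the output gives the
        # client no point in time at which to refresh the token.
        return ("missing-expiration", None)
    try:
        # Rewrite the RFC 3339 "Z" suffix for older fromisoformat versions.
        expires = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    except ValueError:
        return ("bad-timestamp", None)
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)  # assumption: UTC
    left = (expires - now).total_seconds()
    if left <= 0:
        return ("expired", left)
    if left <= margin.total_seconds():
        return ("expiring-soon", left)
    return ("ok", left)


if __name__ == "__main__":
    for doc in (WITH_EXPIRY, WITHOUT_EXPIRY):
        print(check_exec_credential(doc, datetime.now(timezone.utc)))
```

The comparison is done on timezone-aware values, so a workstation's local UTC offset does not shift the verdict.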

@tbarrella
Author

Yeah, with the same application I'd also observed what that comment describes using aws-iam-authenticator until switching from v0.3.0 to v0.4.0. Thank you!

@justnance

@tbarrella and @sgundapu - Thank you for posting this issue. It appears the CLI does not have control over the resolution of this issue and it is being addressed under issue #133 under the kubernetes-sigs/aws-iam-authenticator repo.

justnance self-assigned this May 30, 2019
justnance added the guidance label May 30, 2019
@tbarrella
Author

tbarrella commented May 31, 2019

Sorry, I'm confused because issue 133 had already been closed and was addressed (with the fix released in aws-iam-authenticator v0.4.0) before aws-cli 1.16.155 was released. To maybe clarify or restate, another way to put the issue is that

aws eks update-kubeconfig

provides a kubeconfig with an exec command that no longer provides an expiration timestamp with its tokens as it did before 1.16.155. Since 133 is already closed, is there another open issue for fixing this behavior of awscli?

justnance reopened this May 31, 2019
justnance added the investigating label and removed the guidance label May 31, 2019
@sgundapu
Contributor

@justnance there is some work on our end in the CLI to add "expirationTimestamp", I will close the issue once that is pushed out into the CLI and verified.

justnance added the enhancement label and removed the investigating label Jun 8, 2019
@justnance

@tbarrella - We are still working on getting this resolved. Thanks for your patience.

@justnance

Related PR #4141 has been merged but is pending release.

justnance added the pending-release label Jun 27, 2019
@sgundapu
Contributor

sgundapu commented Jul 2, 2019

@tbarrella fix has been deployed. You will see the expiration timestamp once you start using the updated aws-cli. Thanks!

@tbarrella
Author

Cool, we see it working in 1.16.191! Thank you for releasing this! Will close this

@danyalg

danyalg commented Aug 20, 2019

Hey, aws eks get-token --cluster-name => I still received an expired token (2 hours behind my timezone). I am using the latest aws cli and configured according to the aws documentation. Any idea?

@japzio

japzio commented Jan 29, 2021

Also observed that aws eks get-token --cluster-name still generates a token even if local credentials (access/secret keys) have already expired, and as expected the token is invalid when logging in to the k8s dashboard. Not a major issue; seems to be confusing sometimes.
