AWS eks auth method failing in 2.6.0

[jalavoy]

Terraform Version, Provider Version and Kubernetes Version

Terraform version: 1.0.9
Kubernetes provider version: 2.6.0
Kubernetes version: 1.21

Affected Resource(s)

Provider Init

Terraform Configuration Files

provider "kubernetes" {
  host                     = module.eks.cluster_endpoint
  cluster_ca_certificate   = base64decode(module.eks.cluster_ca)
  config_context_auth_info = "aws"
  config_context_cluster   = "kubernetes"
  exec {
    api_version = "client.authentication.k8s.io/v1alpha1"
    args        = ["eks", "get-token", "--cluster-name", var.name, "--role", "${var.role_arn[var.environment]}"]
    command     = "aws"
  }
}

Debug Output

I'm not comfortable sharing this publicly since I'm not sure what (if any) sensitive info it has in it. Can provide it privately on request.

Panic Output

╷
│ Error: Provider configuration: cannot load Kubernetes client config
│
│   with provider["registry.terraform.io/hashicorp/kubernetes"],
│   on service_providers.tf line 47, in provider "kubernetes":
│   47: provider "kubernetes" {
│
│ cluster "kubernetes" does not exist

Steps to Reproduce

1. terraform apply

Expected Behavior

Provider initializes correctly. This works with 2.5.0

Actual Behavior

Provider fails to initialize

[jalavoy]

This is still broken as of 2.6.1

[gurps1]

Same issue on my side.

provider "kubernetes" {
  host                   = module.environments_eks.cluster_endpoint
  cluster_ca_certificate = base64decode(module.environments_eks.cluster_ca_certificate)
  config_context         = module.environments_eks.cluster_arn
  exec {
    api_version = "client.authentication.k8s.io/v1alpha1"
    command     = "aws"
    args = [
      "--region",
      var.region,
      "eks",
      "get-token",
      "--cluster-name",
      module.environments_eks.cluster_name
    ]
    env = {
      AWS_PROFILE = var.profile
    }
  }
}

╷
│ Error: Provider configuration: cannot load Kubernetes client config
│ 
│   with provider["registry.terraform.io/hashicorp/kubernetes"],
│   on providers.tf line 47, in provider "kubernetes":
│   47: provider "kubernetes" {
│ 
│ context "arn:aws:eks:xxxxxxx:xxxxxxx:cluster/xxxxxx-xxx-xxxxxxx" does not exist

works fine in 2.5.1 and 2.5.0, fails in 2.6.0 and 2.6.1

[johnmanjiro13]

I ran into this problem but it was fixed with below code.

data "aws_eks_cluster" "default" {
  name = var.cluster_name
}

data "aws_eks_cluster_auth" "default" {
  name = var.cluster_name
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.default.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.default.certificate_authority[0].data)
  token                  = data.aws_eks_cluster_auth.default.token
}

[jalavoy]

We specifically need the exec for our workflow, which is the cause of this problem I believe.

[johnmanjiro13]

Oh! I see.

[jalavoy]

This is still broken in 2.7.1. If I can provide any more information on this please let me know.

[yk-47]

Same issue here, works in 2.5.1, broken from 2.6.0.

[jalavoy]

I believe this is fixed in 2.8.0 with the removal of config_context_auth_info and config_context_cluster

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.