--cache flag not working #219

Closed
saidmasoud opened this issue Apr 17, 2019 · 7 comments
@saidmasoud

I am trying to use the functionality introduced in this PR (thanks @llamahunter!!!), however I am receiving the following error. Do we need to add configuration to the ~/.aws/credentials file to enable credential caching?

Cache file /Users/said/.kube/cache/aws-iam-authenticator/credentials.yaml does not exist.
No cached credential available.  Refreshing...
Unable to cache credential: ProviderNotExpirer: provider SharedConfigCredentials: /Users/said/.aws/credentials does not support ExpiresAt()

@llamahunter
Contributor

So, there are a few things being printed out here. The first two are informational:

Cache file /Users/said/.kube/cache/aws-iam-authenticator/credentials.yaml does not exist.

Is just letting you know that it couldn't find an existing credential cache file. If you expected that you had a cache already, this is letting you know something weird has happened. If this is the first time you run with caching, this is normal.

No cached credential available. Refreshing...

This is letting you know that, regardless of whether there was a credentials cache, no matching credential was found in the cache, and so it's refreshing from the credential provider.

Unable to cache credential: ProviderNotExpirer: provider SharedConfigCredentials: /Users/said/.aws/credentials does not support ExpiresAt()

This is the actual error in your case. You do not have a credential_process configured for your current AWS profile. Perhaps you have permanent credentials in ~/.aws/credentials that don't expire? If that's the case, you don't need caching.

@saidmasoud
Author

Ahh I see. I think I'm looking for the wrong thing. What I'm interested in is caching the STS token that's returned by AWS.

@llamahunter
Contributor

Ah, yeah, the token cache is a different thing. I think people are working on that, too. This is for the SSO credential cache. It’s painfully slow otherwise.

@llamahunter
Contributor

Also, afaik, the aws token is kind of hard coded to have a 10 minute expiration. So, regardless, you will never be able to cache it longer than that.

Credential expiration can be configured up to 12 hours, I believe.

@saidmasoud
Author

Thinking about my issue a bit more, I believe the problem may be on the server side. When calling the aws-iam-authenticator command directly, the response from AWS is pretty quick. However, kubectl commands take a few seconds to complete when using aws-iam-authenticator as opposed to using the config generated by kops, for example. So not sure if the master instance is being throttled on the AWS side or something?

@llamahunter
Contributor

aws-iam-authenticator has two parts. One is fetching the credentials, which now can be cached, and another is fetching a token, which is still not cached, AFAIK.

Possibly the --cache flag should be --cache-credentials to be more clear. If you change your kube config to have a hard coded token or similar, you would not be fetching a token anymore.

@tonglil

tonglil commented Jun 5, 2020

I encountered this: when the Expiration key is missing from the JSON output (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html), the authenticator will not cache the credentials.
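
An added example, not part of the original thread and not aws-iam-authenticator's own code: a stand-alone Go check that a credential_process helper's JSON output carries a usable Expiration, the condition described in the last comment. The function name `Cacheable`, the error texts and the sample values are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// processOutput mirrors the JSON a credential_process helper prints (AWS CLI docs).
type processOutput struct {
	Version         int
	AccessKeyId     string
	SecretAccessKey string
	SessionToken    string
	Expiration      *time.Time // pointer: nil means the key was absent
}

var errNoExpiry = errors.New("no Expiration key: nothing to base a cache lifetime on")

// Cacheable returns the remaining lifetime of the credential in raw, or why it cannot be cached.
func Cacheable(raw []byte, now time.Time) (time.Duration, error) {
	var out processOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return 0, fmt.Errorf("invalid credential_process JSON: %w", err)
	}
	if out.Version != 1 {
		return 0, fmt.Errorf("unsupported Version %d", out.Version)
	}
	if out.AccessKeyId == "" || out.SecretAccessKey == "" {
		return 0, errors.New("missing AccessKeyId or SecretAccessKey")
	}
	if out.Expiration == nil {
		return 0, errNoExpiry
	}
	if !out.Expiration.After(now) {
		return 0, errors.New("credential already expired")
	}
	return out.Expiration.Sub(now), nil
}

func main() {
	now := time.Date(2020, 6, 5, 12, 0, 0, 0, time.UTC) // fixed clock for the demo
	// Constructed sample output without Expiration; key values are placeholders.
	fmt.Println(Cacheable([]byte(`{"Version":1,"AccessKeyId":"AKIDEXAMPLE","SecretAccessKey":"secretEXAMPLE"}`), now))
}
```

Piping a helper's real output through the same function before pointing a profile at it shows whether the Expiration key is present and still in the future.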
