Use "aws eks get-token" instead of "aws-iam-authenticator" #957

Closed
1 of 4 tasks
via-jordan-sokolic opened this issue Jul 21, 2020 · 8 comments

@via-jordan-sokolic

Use aws eks get-token instead of aws-iam-authenticator

Since AWS CLI version 1.16.156, aws-iam-authenticator is no longer needed to obtain an auth token for the EKS cluster. This can be performed using awscli directly with aws eks get-token. (reference)

I propose changing the default value of kubeconfig_aws_authenticator_command and kubeconfig_aws_authenticator_command_args to:

  kubeconfig_aws_authenticator_command = "aws"
  kubeconfig_aws_authenticator_command_args = [
    "--region",
    data.aws_region.this.name,
    "eks",
    "get-token",
    "--cluster-name",
    local.cluster_name
  ]

I'm submitting a...

  • bug report
  • feature request
  • support request - read the FAQ first!
  • kudos, thank you, warm fuzzy

What is the current behavior?

External dependency on aws-iam-authenticator tool causes terraform apply to fail when not installed.
This dependency is not clearly indicated in the readme.

If this is a bug, how to reproduce? Please include a code sample if relevant.

Using this module without having installed aws-iam-authenticator will throw an error while provisioning the cluster.

What's the expected behavior?

No external dependency on aws-iam-authenticator.

Are you able to fix this problem and submit a PR? Link here if you have already.

Yes

Environment details

  • Affected module version: v10.0.0
  • OS: Mac OS Catalina 10.15.4
  • Terraform version: v0.12.26

Any other relevant info

I'm not sure which tool is more common for this purpose, but our team uses awscli whenever possible. Since this functionality is now present in awscli >= 1.16.156 (we are using v2.0.19), it might be worthwhile to use it instead of aws-iam-authenticator.

In any case, whether depending on awscli or aws-iam-authenticator, it might be a good idea to clearly indicate external dependencies in the module readme.

@barryib barryib self-assigned this Aug 18, 2020
@ghostsquad

what error is thrown?

@bazzargh

The error that is thrown:

→ kubectl get nodes
Unable to connect to the server: getting credentials: exec: executable aws-iam-authenticator not found
It looks like you are trying to use a client-go credential plugin that is not installed.
To learn more about this feature, consult the documentation available at:
      https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins

You'll get an error executing commands with the generated kubeconfig that encourages you to download aws-iam-authenticator. However, with any aws-cli from the last year and a half, this additional tool is unnecessary; aws eks get-token does what's needed.
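
An added example (not part of the thread or of the module's code): a preflight check that decides which exec credential command a generated kubeconfig can rely on for the current host, using the 1.16.156 minimum stated in the issue. The function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: choose the kubeconfig exec credential command available on this host.
MIN_AWSCLI=1.16.156   # first awscli release with `aws eks get-token`, per the issue

# num FIELD -> leading digits of a version field ("0dev23" -> 0, "" -> 0)
num() { n=${1%%[!0-9]*}; printf '%s' "${n:-0}"; }

# version_ge A B -> exit 0 when dotted version A >= B, compared numerically per field
# (a plain string comparison would wrongly rank 1.9.0 above 1.16.156)
version_ge() {
  va=$1 vb=$2
  for _ in 1 2 3; do
    fa=$(num "${va%%.*}"); fb=$(num "${vb%%.*}")
    [ "$fa" -gt "$fb" ] && return 0
    [ "$fa" -lt "$fb" ] && return 1
    # drop the field just compared; a version with no dots left becomes empty
    case $va in *.*) va=${va#*.} ;; *) va= ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
  done
  return 0
}

# parse_awscli_version BANNER -> "2.0.19" from "aws-cli/2.0.19 Python/..."; fails otherwise
parse_awscli_version() {
  case $1 in
    aws-cli/*) v=${1#aws-cli/}; printf '%s\n' "${v%% *}" ;;
    *) return 1 ;;
  esac
}

# select_plugin BANNER HAVE_AUTHENTICATOR(yes|no) -> command the kubeconfig should exec
select_plugin() {
  if ver=$(parse_awscli_version "$1") && version_ge "$ver" "$MIN_AWSCLI"; then
    echo aws
  elif [ "$2" = yes ]; then
    echo aws-iam-authenticator
  else
    echo none   # kubectl would fail with "executable ... not found"
  fi
}

# detect_plugin -> inspect PATH on this host (awscli v1 may print its banner on stderr)
detect_plugin() {
  banner=""; have_auth=no
  command -v aws >/dev/null 2>&1 && banner=$(aws --version 2>&1)
  command -v aws-iam-authenticator >/dev/null 2>&1 && have_auth=yes
  select_plugin "$banner" "$have_auth"
}

echo "kubeconfig exec command for this host: $(detect_plugin)"
```

A result of `none` means `kubectl` will fail with the "executable ... not found" error shown above until one of the two tools is installed.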

@barryib barryib removed their assignment Nov 3, 2020
@stale

stale bot commented Feb 2, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Feb 2, 2021
@stale

stale bot commented Mar 4, 2021

This issue has been automatically closed because it has not had recent activity since being marked as stale.

@stale stale bot closed this as completed Mar 4, 2021
@ypicard

ypicard commented May 25, 2021

Any news on this?

@julianbueno

How can you re-open this issue?

@xM8WVqaG
Contributor

If it helps promote this issue, I've been using the example implementation from the OP (with a very minor change to region for our use case) for about 10 months and it's working perfectly for us. None of us have aws-iam-authenticator installed.

  kubeconfig_aws_authenticator_command = "aws"

  kubeconfig_aws_authenticator_command_args = [
    "--region",
    var.region,
    "eks",
    "get-token",
    "--cluster-name",
    local.kubernetes_cluster
  ]

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 20, 2022