From ce275491410476a72dce17a58ce2b805f5eaad94 Mon Sep 17 00:00:00 2001
From: cpu1
Date: Fri, 19 Jan 2024 17:59:49 +0530
Subject: [PATCH] Fix generating presigned URL for K8s authentication

With `aws-sdk-go-v2@1.24.1`, API server requests containing URLs presigned by `sts.PresignClient` fail with an `Unauthorized` error. `aws-sdk-go-v2@1.24.1` adds an extra header `amz-sdk-request` to the generated request, but this header is not allow-listed by `aws-iam-authenticator` server running on the control plane. This is likely due to [this change](https://github.com/aws/aws-sdk-go-v2/pull/2438) which reorders the middleware operations to execute `RetryMetricsHeader` before `Signing`. This changelist removes the `RetryMetricsHeader` middleware from the stack when constructing `sts.PresignClient`.
---
 pkg/eks/auth/generator.go | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/pkg/eks/auth/generator.go b/pkg/eks/auth/generator.go
index 8c7edc8d99..3264e18fec 100644
--- a/pkg/eks/auth/generator.go
+++ b/pkg/eks/auth/generator.go
@@ -6,7 +6,10 @@ import (
 "fmt"
 "time"
+ "github.com/aws/aws-sdk-go-v2/aws/retry"
 "github.com/aws/aws-sdk-go-v2/service/sts"
+
+ "github.com/aws/smithy-go/middleware"
 smithyhttp "github.com/aws/smithy-go/transport/http"
 api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
@@ -64,9 +67,15 @@ func (g Generator) GetWithSTS(ctx context.Context, clusterID string) (Token, err
 func (g Generator) appendPresignHeaderValuesFunc(clusterID string) func(stsOptions *sts.Options) {
 return func(stsOptions *sts.Options) {
- // Add clusterId Header
- stsOptions.APIOptions = append(stsOptions.APIOptions, smithyhttp.SetHeaderValue(clusterIDHeader, clusterID))
- // Add X-Amz-Expires query param
- stsOptions.APIOptions = append(stsOptions.APIOptions, smithyhttp.SetHeaderValue("X-Amz-Expires", "60"))
+ stsOptions.APIOptions = append(stsOptions.APIOptions,
+ // Add clusterId Header.
+ smithyhttp.SetHeaderValue(clusterIDHeader, clusterID),
+ // Add X-Amz-Expires query param.
+ smithyhttp.SetHeaderValue("X-Amz-Expires", "60"),
+ // Remove any extraneous headers: https://github.com/eksctl-io/eksctl/issues/7486.
+ func(stack *middleware.Stack) error {
+ _, err := stack.Finalize.Remove((&retry.MetricsHeader{}).ID())
+ return err
+ })
 }
 }
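Review bot: The closure appended last in `appendPresignHeaderValuesFunc` returns the error from `stack.Finalize.Remove` unwrapped. As far as I know smithy-go's `Remove` fails when the ID is not registered, so an SDK release that no longer installs `retry.MetricsHeader` on the presign stack would break token generation with a bare "not found" error. Adding context makes that diagnosable, using the already imported `fmt`: `id := (&retry.MetricsHeader{}).ID()` followed by `if _, err := stack.Finalize.Remove(id); err != nil { return fmt.Errorf("removing %s from presign stack: %w", id, err) }`. The comment `// Remove any extraneous headers` is broader than the code, which drops one middleware; `// Drop the retry metrics middleware: it adds amz-sdk-request, which aws-iam-authenticator does not allow-list (https://github.com/eksctl-io/eksctl/issues/7486).` says what is removed and why. Because the server allow-lists signed headers, a unit test that presigns a URL and asserts the exact `X-Amz-SignedHeaders` set would catch the next SDK-added header before it shows up as `Unauthorized` on a cluster.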