feat: add processCredentialTimeout option to token command

Open atishpatel opened this issue 2 months ago • 4 comments

This update introduces a new flag --process-credential-timeout to the token command, allowing users to specify a timeout for the AWS credential_process execution. The timeout value can be set to a positive duration, overriding the SDK's default of 1 minute. The change includes updates to the GetTokenOptions struct and the associated binding in the command initialization.

What this PR does / why we need it:

  • Adds an optional --process-credential-timeout flag to the token command to control the AWS credential_process timeout.
  • Plumbs the flag through GetTokenOptions.ProcessCredentialTimeout and applies it via config.WithProcessCredentialOptions to set processcreds.Options.Timeout.
  • Default behavior is unchanged: if the flag is omitted or set to 0, the SDK’s default (1 minute) is used.
  • Needed for environments where dual-control approval flows routinely exceed 60s; reduces spurious “credential process timed out” failures.

Implementation highlights:

  • pkg/token/token.go: added ProcessCredentialTimeout time.Duration to GetTokenOptions; set timeout in LoadDefaultConfig when > 0.
  • cmd/aws-iam-authenticator/token.go: added --process-credential-timeout flag (Duration), bound with viper, and passed to GetTokenOptions.
  • No server-side changes; purely client-side and backward-compatible.

Testing:

  • I verified no timeout at 60s with flag.
  • Omit the flag to confirm behavior remains unchanged.

Testing Proof

Without Flag

❯ AWS_PROFILE=xyz--cluster-admin ./_output/bin/aws-iam-authenticator_v0.7.8_darwin_arm64 token --cluster-id prod-green --cache --log-verbosity error
This AWS role has dual-control enabled. To continue, please have someone approve your AWS access request before it expires:

https://.../v1/...?defer=yes

State      Expires in   Refresh in
pending    29m1s        2s          
could not get token: operation error STS: GetCallerIdentity, get identity: get credentials: failed to refresh cached credentials, process provider error: credential process timed out: signal: killed

With Flag

❯ AWS_PROFILE=xyz--cluster-admin ./_output/bin/aws-iam-authenticator_v0.7.8_darwin_arm64 token --cluster-id prod-green --cache --log-verbosity error --process-credential-timeout="5m"
This AWS role has dual-control enabled. To continue, please have someone approve your AWS access request before it expires:

https://.../v1/...?defer=yes

State      Expires in   Refresh in
pending    27m56s       3s
// does not exit after 1 minute

Release note:

  • Add --process-credential-timeout to aws-iam-authenticator token to override the default 1-minute AWS credential_process timeout.

atishpatel, Oct 07 '25 20:10
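The timeout rule described in the PR above, as an added standard-library model that is neither the PR's code nor the AWS SDK's: a credential_process-style command runs under a deadline, a flag value of 0 or less falls back to the 1-minute default, and hitting the deadline kills the child, which is what surfaces as "signal: killed". The names `runCredentialProcess`, `effectiveTimeout`, `processCreds` and `sdkDefault`, the use of `sh -c`, and the sample command are assumptions made for illustration.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"time"
)

const sdkDefault = time.Minute // 1-minute SDK default stated in the PR description

// processCreds holds the credential_process JSON fields this model reads.
type processCreds struct {
	Version                                    int
	AccessKeyId, SecretAccessKey, SessionToken string
}

// effectiveTimeout applies the flag rule: only a positive value overrides the default.
func effectiveTimeout(flag time.Duration) time.Duration {
	if flag > 0 {
		return flag
	}
	return sdkDefault
}

// runCredentialProcess (hypothetical helper) runs command under the deadline and parses stdout.
func runCredentialProcess(command string, flag time.Duration) (processCreds, error) {
	ctx, cancel := context.WithTimeout(context.Background(), effectiveTimeout(flag))
	defer cancel()
	var creds processCreds
	out, err := exec.CommandContext(ctx, "sh", "-c", command).Output()
	if err != nil && errors.Is(ctx.Err(), context.DeadlineExceeded) {
		return creds, fmt.Errorf("credential process timed out: %w", err)
	}
	if err != nil {
		return creds, fmt.Errorf("credential process failed: %w", err)
	}
	if err := json.Unmarshal(out, &creds); err != nil || creds.Version != 1 {
		return creds, errors.New("credential process returned unusable output")
	}
	return creds, nil
}

func main() {
	_, err := runCredentialProcess("exec sleep 2", 500*time.Millisecond) // constructed slow command
	fmt.Println(err)
}
```

A longer timeout only keeps the local process waiting; how long the approval request itself stays valid is decided by the approval system, as the "Expires in" column in the output above shows.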