
[EKS] [request]: Support getting EKS token without AWS CLI

Open bencooper222 opened this issue 2 years ago • 5 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request

Currently the only ways to get a token to authenticate with the Kube API server are to run either aws eks update-kubeconfig or aws eks get-token. I am requesting that the latter be turned into a standard AWS EKS API operation that can be called through any AWS SDK.

Which service(s) is this request for?

EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

I don't like having the AWS CLI in the critical path of EKS automation I'm writing. We've been burned too often with writing a project that we think is self-contained with no dependencies but actually implicitly depends on the AWS CLI. Additionally, the AWS CLI isn't that fast (which is fine for a CLI, but is annoying for automation that we write).

Are you currently working around this issue?

Just using aws eks get-token

Additional context

I'm somewhat surprised that get-token isn't already an API method, it feels like it should be.

bencooper222, Sep 22 '23 05:09

Looks like there are workarounds but they're ridiculous https://github.com/aws/aws-sdk-js-v3/issues/2331

(extra ridiculous because the JS SDK doesn't have a way to generate a presigned URL)

bencooper222, Sep 22 '23 20:09

Before getting into a solution, I'd like to better understand what the issues are that you're facing.

> I don't like having the AWS CLI in the critical path of EKS automation I'm writing. We've been burned too often with writing a project that we think is self-contained with no dependencies but actually implicitly depends on the AWS CLI.

Is this an issue of dependency management? If that is the case, you can use AWS-IAM-Authenticator which is a static binary. What environment is this complicated for? Containers? Developer workstations?

> Additionally, the AWS CLI isn't that fast (which is fine for a CLI, but is annoying for automation that we write).

The current get-token call is just pre-signing an STS GetCallerIdentity URL in memory and not making any network calls, so that would be markedly faster than a networked call to get a token. The speed issue you're likely facing is twofold:

  • Python gets executed on every kubectl invocation
  • short-lived Kubernetes clients like kubectl don't cache the received token between invocations, even though the returned token is valid for 15 min.

The latter issue could be solved pretty easily client-side with a small shell script that saves a returned token to disk and reuses it if it is still valid. (You could probably paste the sanitized JSON output of get-token into Claude/ChatGPT and get a script to do this pretty easily.) That will likely be faster than an external API call. Of course you'll need to properly secure where such a cached token is stored and who can invoke that script.

> I'm somewhat surprised that get-token isn't already an API method, it feels like it should be.

Do you need programmatic access to get a token? The Kubernetes SDKs automatically read a KUBECONFIG and exec your program (AWS CLI or authentication binary) to get a token. How would an EKS API help your issue here?

micahhausler, Oct 20 '25 16:10
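
The client-side token cache suggested in the comment above, as an added example (not code from this thread or from AWS), written in Python rather than shell so that timestamp parsing is portable. It assumes the fetch command prints the ExecCredential JSON that kubectl exec plugins return, with `status.expirationTimestamp` in UTC `...Z` form; the cache path and the function names are hypothetical.

```python
import json, os, subprocess, sys, tempfile
from datetime import datetime, timedelta, timezone

SKEW = timedelta(seconds=60)  # refresh slightly before the token expires

def _expiry(cred):
    # Assumed format: UTC RFC 3339 with a trailing Z, e.g. 2030-01-01T00:14:00Z
    ts = cred["status"]["expirationTimestamp"]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _read_cache(path, now):
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuse symlinks
    except OSError:
        return None
    with os.fdopen(fd) as f:
        st = os.fstat(f.fileno())
        # Ignore a cache owned by someone else or readable by group/other.
        if st.st_uid != os.getuid() or st.st_mode & 0o077:
            return None
        try:
            cred = json.load(f)
            return cred if _expiry(cred) - SKEW > now else None
        except (ValueError, KeyError, TypeError):
            return None  # corrupt or unexpected content: fetch again

def _write_cache(path, cred):
    # mkstemp creates the file 0600; os.replace makes the update atomic.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        json.dump(cred, f)
    os.replace(tmp, path)

def get_credential(path, fetch, now=None):
    """Return a cached ExecCredential if still valid, else call fetch()."""
    now = now or datetime.now(timezone.utc)
    cred = _read_cache(path, now)
    if cred is None:
        cred = fetch()
        _write_cache(path, cred)
    return cred

if __name__ == "__main__":
    cluster = sys.argv[1]
    cache_dir = os.path.expanduser("~/.kube/cache/eks-token")  # hypothetical path
    os.makedirs(cache_dir, mode=0o700, exist_ok=True)
    cmd = ["aws", "eks", "get-token", "--cluster-name", cluster]
    fetch = lambda: json.loads(subprocess.run(
        cmd, check=True, capture_output=True, text=True).stdout)
    json.dump(get_credential(os.path.join(cache_dir, cluster + ".json"), fetch), sys.stdout)
```

To use it, point the kubeconfig exec entry at this script with the cluster name as its argument, in place of the direct `aws eks get-token` call.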

@micahhausler we have a use case where we need to authenticate with EKS in an automation environment and requiring the AWS CLI to be installed isn't ideal, we'd much rather have a lightweight binary. I could create a binary using the Go SDK, but then I have to maintain it, the whole point of EKS is that it's a service managed by AWS and it feels like this is a missing feature.

As an example I just googled and found jscaltreto/eks-auth.

stevehipwell, Oct 20 '25 18:10

@stevehipwell you can use kubernetes-sigs/aws-iam-authenticator, that's exactly what you're asking for.

micahhausler, Oct 20 '25 18:10

@micahhausler I was under the impression that had been deprecated in favour of the AWS CLI. Looking at the repo that seems incorrect, but I remember switching away from it after some comms. I think you're right that it is what I'm looking for.

stevehipwell, Oct 20 '25 21:10