eksctl
[Bug] EKSCTL_ENABLE_CREDENTIAL_CACHE=1 does not work in 0.165.0
Hi there,
What were you trying to accomplish?
EKSCTL_ENABLE_CREDENTIAL_CACHE=1 does not work to cache MFA token in 0.165.0. It worked in 0.160.0.
What happened?
$ eksctl get cluster
Assume Role MFA token code: <code>
Assume Role MFA token code: <code>
Assume Role MFA token code: <code>
Error: failed to list clusters in region "<region>": operation error EKS: ListClusters, get identity: get credentials: failed to refresh cached credentials, failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: <id>, api error AccessDenied: MultiFactorAuthentication failed with invalid MFA one time pass code.
Actually it created the cache file. But the expiration is set at just that point.
$ cat ~/.eksctl/cache/credentials.yaml
profiles:
  <name>:
    credential:
      accesskeyid: <id>
      secretaccesskey: <secret>
      sessiontoken: <token>
      providername: AssumeRoleProvider
    expiration: 2023-12-11T14:07:04Z # <<--- Will expire in the moment
How to reproduce it?
$ eksctl version
0.165.0
$ rm ~/.eksctl/cache/credentials.yaml
$ export EKSCTL_ENABLE_CREDENTIAL_CACHE=1
$ eksctl get cluster
2023-12-11 15:04:23 [!] cache file /Users/whoami/.eksctl/cache/credentials.yaml does not exist.
2023-12-11 15:04:23 [!] cache file /Users/whoami/.eksctl/cache/credentials.yaml does not exist.
Assume Role MFA token code:
Logs
Anything else we need to know?
As a workaround, I manually edited the expiration in ~/.eksctl/cache/credentials.yaml to a future datetime and it worked.
Versions
$ eksctl info
eksctl version: 0.165.0
kubectl version: v1.28.4
OS: darwin
Hello koooge :wave: Thank you for opening an issue in eksctl project. The team will review the issue and aim to respond within 1-5 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website
Hi @koooge - in 0.162.0, eksctl introduced an expiry window for aws credentials of 30 mins - https://github.com/eksctl-io/eksctl/pull/7116 - the motivation behind this being that some CloudFormation operations take long to complete and we don't want temporary credentials to expire during such operations.
Given the error you're facing, I'm guessing your credentials would have expired in less than 30 mins from when you ran the command. Therefore, the sdk tries to refresh the credentials but can't do so using the MFA token as it's no longer valid?
Hi @TiberiuGC, yeah, the created expiration is too soon.
$ date
Tue Dec 12 17:23:46 CET 2023
$ rm -f ~/.eksctl/cache/credentials.yaml
$ eksctl get cluster
2023-12-12 17:23:53 [!] cache file /Users/whoammi/.eksctl/cache/credentials.yaml does not exist.
2023-12-12 17:23:53 [!] cache file /Users/whoami/.eksctl/cache/credentials.yaml does not exist.
Assume Role MFA token code: <token>
$ cat ~/.eksctl/cache/credentials.yaml
profiles:
...
expiration: 2023-12-12T16:24:04Z
I have a similar issue. I am already logged in and have a valid session token in ~/.aws/credentials. Every time I use eksctl it complains about the missing ~/.eksctl/cache/credentials but works fine nonetheless without asking me for login data, MFA, nothing. And it doesn't create the credentials cache file either.
Same issue for me in 165/166. Falling back to 160 fixed it.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Let me remove the stale label.
I can confirm this issue on 171, and for me even with the cache disabled MFA isn't working. The only way I was able to connect is by modifying the expiration.
I can confirm the same issue with v0.172.0.
It seems that the expiration value in the ~/.eksctl/cache/credentials.yaml file is always set to the current time, so credentials are being "expired" immediately.
Here in the code it is set to refresh the creds 30 mins before they expire: https://github.com/eksctl-io/eksctl/blob/main/pkg/eks/apiv2.go#L83
And here the session duration is also set to 30 mins: https://github.com/eksctl-io/eksctl/blob/main/pkg/eks/apiv2.go#L72
That means there will always be a '0' minute interval of validity for the temporary creds.
So we either need to increase the session duration to 1 hour, which is the default for an assumable role, or decrease the ExpiryWindow property to 15 minutes, having automatic token refresh within 15 minutes.
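The interaction described in the comment above, as an added example that is not eksctl's or the AWS SDK's code: a stdlib-only Go model of a credentials cache with an expiry window, counting how often a refresh (and so an MFA prompt) is triggered. The `cache` type, the `mfaPrompts` helper and the timestamp are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// creds stands in for temporary STS credentials (hypothetical type).
type creds struct{ expires time.Time }

// cache models a credentials cache with an expiry window: cached credentials
// are treated as expired `window` before their real expiry time.
type cache struct {
	session, window time.Duration
	cur             *creds
	prompts         int // number of refreshes, each needing a fresh MFA code
}

// retrieve returns cached credentials, refreshing them when none are cached
// or when `now` has reached (real expiry - window).
func (c *cache) retrieve(now time.Time) creds {
	if c.cur == nil || !now.Before(c.cur.expires.Add(-c.window)) {
		c.prompts++
		c.cur = &creds{expires: now.Add(c.session)}
	}
	return *c.cur
}

// mfaPrompts counts refreshes over `calls` retrievals spaced `step` apart.
func mfaPrompts(session, window, step time.Duration, calls int) int {
	c := &cache{session: session, window: window}
	now := time.Date(2023, 12, 12, 16, 23, 53, 0, time.UTC) // constructed start time
	for i := 0; i < calls; i++ {
		c.retrieve(now)
		now = now.Add(step)
	}
	return c.prompts
}

func main() {
	m := time.Minute
	// Window equal to session duration: every retrieval refreshes.
	fmt.Println("30m session, 30m window:", mfaPrompts(30*m, 30*m, time.Second, 3))
	// The two options proposed in the comment: one prompt, then cache hits.
	fmt.Println("60m session, 30m window:", mfaPrompts(60*m, 30*m, time.Second, 3))
	fmt.Println("30m session, 15m window:", mfaPrompts(30*m, 15*m, time.Second, 3))
}
```

With the window equal to the session duration, each retrieval needs a new one-time code, and a TOTP code cannot be reused for the next AssumeRole call within the same period.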
@vutny thanks for the explanation. I think increasing the session duration makes sense, would you like to open a PR for it?
Sounds good, @yuxiang-zhang! Submitted PR #7626
I verified EKSCTL_ENABLE_CREDENTIAL_CACHE worked in 0.173.0. Thank you @vutny !