aws / aws-cli

Universal Command Line Interface for Amazon Web Services

EKS update-config generating incorrect command #4337

Open ahawkins opened 5 years ago

ahawkins commented 5 years ago

aws eks update-kubeconfig is generating a command with the AWS_PROFILE environment variable. This is the incorrect variable for setting profiles via an environment variable. It should be AWS_DEFAULT_PROFILE. Editing ~/.kube/config manually fixed my cluster access issue.

Here's the broken sample:

- name: arn:aws:eks:us-east-1:REDACTED:cluster/utility-prod-utility
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - utility-prod-utility
      command: aws
      env:
      # NOTE: the environment variable is incorrect below.
      - name: AWS_PROFILE
        value: skillshare-utility

Fixed version:

- name: arn:aws:eks:us-east-1:REDACTED:cluster/utility-prod-utility
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - utility-prod-utility
      command: aws
      env:
      - name: AWS_DEFAULT_PROFILE
        value: skillshare-utility

Better fixed version:

- name: arn:aws:eks:us-east-1:289698421666:cluster/utility-prod-utility
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --profile
      - skillshare-utility
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - utility-prod-utility
      command: aws

$ aws --version
aws-cli/1.16.200 Python/3.7.4 Darwin/18.6.0 botocore/1.12.190

tatsuo48 commented 4 years ago

I have the same issue. In my case, the fixed version did not work. The better fixed version worked.

$ aws --version
aws-cli/1.16.200 Python/3.7.4 Darwin/17.7.0 botocore/1.12.190

swetashre commented 4 years ago

@ahawkins - Thank you for your post. When I ran this command, aws eks update-kubeconfig --name test, I got this output in my ~/.kube/config file:

users:
- name: arn:aws:eks:us-west-2:102809180856:cluster/test
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-west-2
      - eks
      - get-token
      - --cluster-name
      - test
      command: aws

I am wondering how you got the previous 2 outputs. Can you please give me the debug log for the previous 2 outputs? You can enable the debug log by adding --debug to your command.

ahawkins commented 4 years ago

@swetashre include --profile or try with the AWS_DEFAULT_PROFILE environment variable.

drietmueller commented 4 years ago

Would be great to see this fixed. I have the same use case: accessing a cluster using two different roles (dev and admin). Currently I have to update the kubeconfig manually and rename the users to avoid an override of the user via the second update-kubeconfig call.

k4r1 commented 4 years ago

@swetashre the AWS_PROFILE env is set here https://github.com/aws/aws-cli/blob/develop/awscli/customizations/eks/update_kubeconfig.py#L320

As @ahawkins mentioned, if you invoke the update-kubeconfig command with a profile set, it will be written into the kubeconfig file under the env key.

Another problem with this is that if your local environment has AWS_ACCESS_KEY_ID (or similar) set, then it will override the AWS_PROFILE environment variable. Therefore it would be better to pass the profile using the --profile argument in this case as well.
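
Added example (not part of the thread and not aws-cli code): a Python audit of the difference discussed above, reporting for each aws eks get-token user whether the profile is pinned by --profile, by an env entry, or not at all, and whether the caller's shell would change the identity used. It assumes the kubeconfig has been loaded from JSON (for a real file, kubectl config view --raw -o json); the function name, the sample entries and the demo names are constructed.

```python
import json
import os

# Constructed sample in the shape of the thread's user entries, as JSON
# (for a real file: kubectl config view --raw -o json).
SAMPLE = json.loads("""{"users": [
 {"name": "env-pinned", "user": {"exec": {"command": "aws",
   "args": ["--region", "us-east-1", "eks", "get-token", "--cluster-name", "demo"],
   "env": [{"name": "AWS_PROFILE", "value": "demo-profile"}]}}},
 {"name": "arg-pinned", "user": {"exec": {"command": "aws",
   "args": ["--profile", "demo-profile", "--region", "us-east-1",
            "eks", "get-token", "--cluster-name", "demo"]}}},
 {"name": "unpinned", "user": {"exec": {"command": "aws",
   "args": ["--region", "us-east-1", "eks", "get-token", "--cluster-name", "demo"]}}}
]}""")

PROFILE_VARS = ("AWS_PROFILE", "AWS_DEFAULT_PROFILE")
STATIC_CRED_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")


def audit_exec_users(kubeconfig, environ):
    """Map each `aws eks get-token` exec user to (pinning, warning or None)."""
    shell_creds = [v for v in STATIC_CRED_VARS if environ.get(v)]
    shell_profiles = [v for v in PROFILE_VARS if environ.get(v)]
    report = {}
    for entry in kubeconfig.get("users") or []:
        exec_cfg = (entry.get("user") or {}).get("exec") or {}
        args = exec_cfg.get("args") or []
        if exec_cfg.get("command") != "aws" or "get-token" not in args:
            continue  # not an EKS token helper
        env_names = {e.get("name") for e in exec_cfg.get("env") or []}
        if any(a == "--profile" or a.startswith("--profile=") for a in args):
            pinning, warning = "arg", None  # the form the thread found reliable
        elif env_names & set(PROFILE_VARS):
            pinning = "env"
            # Per the last comment: key variables in the caller's shell win.
            warning = ("overridden by " + ", ".join(shell_creds)) if shell_creds else None
        else:
            pinning = "none"
            inherited = shell_profiles + shell_creds
            warning = ("follows caller's " + ", ".join(inherited)) if inherited else None
        report[entry["name"]] = (pinning, warning)
    return report


if __name__ == "__main__":
    for user, (pinning, warning) in audit_exec_users(SAMPLE, os.environ).items():
        print(f"{user}: profile pinned via {pinning}; {warning or 'ok'}")
```

A warning on an env-pinned user means kubectl may authenticate to the cluster as a different principal than the kubeconfig names, which matters when one file holds both a dev and an admin user.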